Skip to main content

Overview

The Chainguard integration allows Backline to scan container images stored in your Chainguard registry (cgr.dev) for security vulnerabilities. Chainguard images are minimal, hardened container images with a strong security posture — connecting them to Backline ensures any remaining vulnerabilities are tracked and remediated.

What You Can Do

With the Chainguard integration, Backline can:
  • Scan container images for vulnerabilities
  • Analyze image layers and dependencies
  • Detect outdated base images
  • Track vulnerabilities across image versions
  • Monitor container security compliance

Prerequisites

Before connecting Chainguard, ensure you have:
  • A Chainguard account with access to your organization
  • chainctl installed (installation guide)
  • A Chainguard pull token (see below)

Creating a Pull Token

Chainguard pull tokens are long-lived credentials used to authenticate non-interactive environments (such as Backline) against cgr.dev.
1

Install chainctl

Install the Chainguard CLI if you haven’t already:
curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/aarch64/arm64/')"
sudo install -o $UID -g $(id -g) -m 0755 chainctl /usr/local/bin/
2

Log in to Chainguard

chainctl auth login
3

Generate a pull token

chainctl auth configure-docker --pull-token
This command outputs the pull token credentials:
Username: <pull-token-id>
Password: <pull-token-password>
Copy both values — you will need them when connecting the integration.
Pull tokens expire after 30 days by default. Use the --ttl flag to extend the expiry (maximum 365 days). Example: chainctl auth configure-docker --pull-token --ttl=8760h
For more details on pull tokens, refer to the Chainguard documentation.

Connecting Chainguard

1

Go to Integration Hub

Navigate to Integrations from the main menu.
2

Select Chainguard

Find and click on the Chainguard integration card.
3

Enter Pull Token Credentials

Enter the Username (pull token ID) and Password (pull token password) from the chainctl auth configure-docker --pull-token command output.
4

Test Connection

Click Test Connection to verify the credentials are valid against cgr.dev.
5

Save

Click Save to complete the integration.

After Connection

Once Chainguard is connected, Backline will:
  1. Begin scanning container images
  2. Identify vulnerabilities in image layers
  3. Generate remediation recommendations

Managing the Integration

Rotating Pull Tokens

Pull tokens expire and must be rotated periodically. To update credentials:
  1. Generate a new pull token with chainctl auth configure-docker --pull-token
  2. Open the Integration Hub and click on the Chainguard integration
  3. Update the Username and Password fields with the new token
  4. Test and save changes