Chainguard VMs are minimal Linux virtual machine images based on Chainguard OS designed to reduce attack surface for containerized workloads. The product offers three types of VMs: Container Host VMs for running containers on cloud platforms, Base VMs for customizable general-purpose use cases, and Application VMs with pre-packaged services. The VMs include only essential components required for ephemeral workloads such as systemd, glibc, and the Linux kernel, while removing unnecessary packages found in traditional distributions. Images are continuously rebuilt from source with automated updates to maintain zero known CVEs. The product provides a CVE remediation SLA of 7 days for critical vulnerabilities and 14 days for high, medium, and low severity issues. VMs are optimized for deployment across multiple cloud environments including AWS (ECS, EKS, EC2), Google Cloud (GCE), and Azure, as well as on-premise infrastructure. Each VM includes full provenance tracking for software components and end-to-end integrity verification. The images support customization to meet organization-specific requirements without creating additional maintenance overhead. The continuous rebuild process delivers upstream features, security updates, and performance optimizations without requiring major version upgrades.