Chainguard Libraries for Python on

Chainguard Libraries for Python overview

Wed, 09 Apr 2025 04:00:00 +0000

Introduction

Chainguard Libraries for Python provides enhanced security for the vast Python ecosystem by rebuilding PyPI packages with comprehensive supply chain protection and automated patching. With over 600,000 packages on the Python Package Index (PyPI) serving application development, machine learning, and data science needs, Chainguard addresses the critical security challenges of depending on packages from untrusted sources by rebuilding them within the controlled Chainguard Factory environment. In addition, Chainguard eliminates security risk by remediating High and Critical vulnerabilities across older package versions where upstream maintainers are not able to prioritize fixes.

Global configuration

Tue, 25 Mar 2025 08:04:00 +0000

Python library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

The recommended approach is to use the upstream fallback feature of Chainguard Repository, which allows you to configure your repository manager with a single upstream pointed at https://libraries.cgr.dev/python/. The Chainguard Repository handles fallback and policy enforcement; your repository manager handles local caching and access control. Chainguard also retrieves packages from the public PyPI repository on your behalf when upstream fallback is enabled. This includes protections such as malware detection and a cooldown period for newly published packages.

Build configuration

Tue, 25 Mar 2025 08:04:00 +0000

The configuration for the use of Chainguard Libraries depends on how you’ve set up your build tools and CI/CD workflows. At a high level, adopting the use of Chainguard Libraries in your development, build, and deployment workflows involves the following steps:

If you or an administrator have not done so already, set up your organization’s repository manager to use Chainguard Libraries for Python.
Log into your organization’s repository manager and retrieve credentials for the build tool you are configuring.
Configure your development or build tool with this information.
Remove local caches on workstations and CI/CD pipelines. This step ensures that dependencies are preferentially sourced from Chainguard Libraries.
Finally, confirm that your development tools and CI/CD workflows are correctly ingesting dependencies from Chainguard Libraries.

These changes must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build tool such as Jenkins, TeamCity, GitHub Actions, or other infrastructure that draws in dependencies.

Management and maintenance

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries for Python operates transparently after completing the global configuration and build configuration, automatically providing security-enhanced versions of your PyPI dependencies. New packages and versions are retrieved from Chainguard’s hardened repository when available, while PyPI and other configured repositories provide fallback access to ensure continuous development workflow without interruption.

The following sections detail optional management, maintenance, and auditing steps on the repository manager and the build tool.

Source verification

You can verify what artifacts are retrieved from the Chainguard Libraries repository on a global level: