Chainguard Libraries on

Chainguard Libraries overview

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries provide enhanced security for open source dependencies in the Java, JavaScript, and Python ecosystems, addressing critical supply chain vulnerabilities through automated patching and continuous monitoring. Modern applications rely heavily on libraries from public repositories like Maven Central, npm Registry, and PyPI, but using these repositories introduces supply chain risks that could expose your applications and system to compromise.

Background

Open source libraries distributed through public repositories face several security challenges: maintainers may not promptly address vulnerabilities, binary artifacts can be compromised, and the sheer volume of transitive dependencies makes manual security management impractical. While these repositories enable rapid development, they also introduce supply chain risks that traditional security approaches struggle to address.

Quick start for Chainguard Libraries

Tue, 25 Mar 2025 00:08:04 +0000

Most supply chain attacks succeed the same way: malicious code is injected into a package after the source is written — either as a backdoored binary with no verifiable source, or as a malicious install-time script that runs the moment a dependency is pulled. Recent attacks on LiteLLM, Telnyx, and Axios all followed this pattern.

Chainguard Libraries are rebuilt from verified source in an isolated build environment, making them malware-resistant by design. If the source can’t be verified, the package doesn’t appear in the Chainguard Libraries repository. They are drop-in replacements for the Python, Java, and JavaScript packages your engineers already use, with no breaking changes.

Chainguard Libraries access

Tue, 25 Mar 2025 00:08:04 +0000

Chainguard Libraries provide controlled access to security-enhanced Java and Python dependencies through the unified Chainguard platform authentication system. This guide explains how to access (download) Chainguard library artifacts for your organization.

Getting started

Prerequisites

Ensure you have access to Chainguard Libraries.
- If you are not a Chainguard user yet, a new Chainguard account must be created and configured for access to Chainguard Libraries.
- If you are already a Chainguard user, the Chainguard account owner in your organization can grant access to Chainguard Libraries.
Confirm the name of your organization so you can use it with the --parent parameter to specify your organization when running commands with chainctl.

Direct access vs. artifact manager

There are two approaches to access: Using an artifact manager or direct access.

Chainguard Libraries network requirements

Wed, 04 Jun 2025 09:30:00 +0000

Chainguard Libraries require specific network access to ensure secure delivery of hardened dependencies to your development environment. This guide details the domains and ports needed for authentication, package downloads, and verification tools.

Access for chainctl and other tools

For initial configuration with chainctl as well as for verification of downloaded libraries with cosign and other tools, you must allow HTTPS access to the following domains:

Chainguard Libraries verification

Thu, 03 Jul 2025 12:00:00 +0000

Overview

Chainguard’s chainctl tool with the command libraries verify verifies that your language ecosystem dependencies come from Chainguard Libraries, providing critical visibility into your software supply chain security. By verifying binary artifacts across your projects and repositories, you can ensure dependencies are sourced from Chainguard’s hardened build environment rather than potentially compromised public repositories, identify opportunities to improve security posture, and maintain compliance with supply chain security policies.

CVE remediation for Chainguard Libraries

Thu, 11 Sep 2025 00:00:00 +0000

CVE remediation for Chainguard Libraries provides protection against critical and high CVEs. Applications often rely on older versions of libraries, but upstream maintainers may not apply and release patches for those versions. Chainguard addresses this gap by backporting vulnerability fixes from newer releases to older releases, particularly in cases where maintainers are no longer able to support and provide fixes.

CVE remediation helps reduce risk for organizations that cannot always upgrade quickly, especially when moving to a newer version would introduce disruptive changes. Remediated artifacts are published as incremental patch versions, allowing teams to take a targeted fix for a CVE without taking on a broader upgrade at the same time.

Vulnerability scanners and Chainguard Libraries

Sat, 04 Oct 2025 12:00:00 +0000

Vulnerability scanners enable you to understand the potential security risks from libraries used within your applications.

Chainguard Libraries provides a trusted source for libraries typically downloaded from public repositories. Chainguard Libraries are rebuilt from the upstream open source project code repository content only. This prevents malware without published source code and reduces almost all risk for software supply chain attacks. In addition, some library versions are available with CVE fixes applied. These fixes are backported from newer versions of the open source project by Chainguard to create new libraries of older versions containing these newer changes. Find more details in CVE Remediation.

Browsing Chainguard Libraries

Thu, 03 Jul 2025 14:00:00 +0000

Chainguard Libraries includes thousands of libraries and many more individual library versions and artifacts. Through the Chainguard Console, you can browse all available libraries and their versions, and inspect their characteristics before using them in your application development.

Access libraries in the Chainguard Console

Chainguard Libraries for Python overview

Wed, 09 Apr 2025 04:00:00 +0000

Introduction

Chainguard Libraries for Python provides enhanced security for the vast Python ecosystem by rebuilding PyPI packages with comprehensive supply chain protection and automated patching. With over 600,000 packages on the Python Package Index (PyPI) serving application development, machine learning, and data science needs, Chainguard addresses the critical security challenges of depending on packages from untrusted sources by rebuilding them within the controlled Chainguard Factory environment. In addition, Chainguard eliminates security risk by remediating High and Critical vulnerabilities across older package versions where upstream maintainers are not able to prioritize fixes.

Chainguard Libraries FAQ

Tue, 25 Mar 2025 08:04:00 +0000

What security issues can Chainguard Libraries prevent?

As detailed on the background and introduction pages, Chainguard Libraries are built directly from source in the Chainguard Factory and the resulting binaries are directly provided to you by Chainguard. Chainguard operates the whole supply chain for the package lifecycle as one reliable, secure partner. You can therefore avoid issues from the following software supply chain attack surface points:

Chainguard Libraries for JavaScript overview

Thu, 05 Jun 2025 09:00:00 +0000

Chainguard Libraries for JavaScript is a major ecosystem supported by Chainguard Libraries. The JavaScript ecosystem consists of thousands of open source projects from the communities around JavaScript, TypeScript, Node.js, React, Vue.js, Angular, Svelte, Next.js, Express, and many others.

Chainguard Libraries for JavaScript provides access to a growing collection of popular Javascript packages rebuilt from source. New releases of packages requested by customers are built and added to the index by an automated system. These libraries can also be consumed through the Chainguard Repository, which provides a single endpoint for package retrieval and supports configurable security policies for both Chainguard-built and upstream packages.

Chainguard Libraries for Java overview

Tue, 25 Mar 2025 08:04:00 +0000

Introduction

Chainguard Libraries for Java provides enhanced security for the Java ecosystem by rebuilding popular Maven dependencies with the latest patches and comprehensive supply chain protection. As the first supported ecosystem in Chainguard Libraries, this service addresses critical vulnerabilities in the vast Java/JVM ecosystem that spans hundreds of projects from organizations like the Apache Software Foundation, Eclipse Foundation, and numerous independent maintainers.

Global configuration

Thu, 05 Jun 2025 09:00:00 +0000

JavaScript and npm package consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are JFrog Artifactory, Sonatype Nexus Repository, and others. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

If your organization uses the upstream fallback feature of Chainguard Repository, you can configure your repository manager with a single upstream pointed at https://libraries.cgr.dev/javascript/. This is the recommended setup. The Chainguard Repository handles fallback and policy enforcement; your repository manager handles local caching and access control. Chainguard also retrieves packages from the public npm Registry on your behalf when upstream fallback is enabled. This includes protections such as malware detection and a cooldown period for newly published packages.

Global configuration

Tue, 25 Mar 2025 08:04:00 +0000

Java and JVM library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, Google Artifact Registry, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

At a high level, adopting the use of Chainguard Libraries consists of the following steps:

Add Chainguard Libraries as a remote repository for library retrieval.
Configure the Chainguard Libraries repository as the first choice for any library access. This ensures that any future requests of new libraries access the version supplied by Chainguard. Typically this is accomplished by creating a group repository or virtual repository that combines the repository with other external and internal repositories.

Additional steps depend on the desired insights and can include the following optional measures:

Global configuration

Tue, 25 Mar 2025 08:04:00 +0000

Python library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

The recommended approach is to use the upstream fallback feature of Chainguard Repository, which allows you to configure your repository manager with a single upstream pointed at https://libraries.cgr.dev/python/. The Chainguard Repository handles fallback and policy enforcement; your repository manager handles local caching and access control. Chainguard also retrieves packages from the public PyPI repository on your behalf when upstream fallback is enabled. This includes protections such as malware detection and a cooldown period for newly published packages.

Build configuration

Thu, 05 Jun 2025 09:00:00 +0000

The configuration for the use of Chainguard Libraries depends on your build tools, continuous integration, and continuous deployment setups. This page is a configuration reference for each supported JavaScript build tool. It covers registry configuration, authentication, cache clearning, and minimal example projects for npm, pnpm, Yarn, and Bun. The changes described on this page must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build server such as Jenkins, TeamCity, GitHub or other infrastructure that builds the applications or otherwise downloads and uses relevant libraries.

Build configuration

Tue, 25 Mar 2025 08:04:00 +0000

The configuration for the use of Chainguard Libraries depends on your build tools, continuous integration, and continuous deployment setups

At a high level adopting the use of Chainguard Libraries consists of the following steps:

Remove local caches on workstations and CI/CD pipelines. This step ensures that any libraries that were already sourced from other repositories are requested again and the version from Chainguard Libraries is used instead of other binaries.
Change configuration to access Chainguard Libraries via your repository manager after the changes from the global configuration are implemented.

These changes must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build server such as Jenkins, TeamCity, GitHub or other infrastructure that builds the applications or otherwise downloads and uses relevant libraries.

Build configuration

Tue, 25 Mar 2025 08:04:00 +0000

The configuration for the use of Chainguard Libraries depends on how you’ve set up your build tools and CI/CD workflows. At a high level, adopting the use of Chainguard Libraries in your development, build, and deployment workflows involves the following steps:

If you or an administrator have not done so already, set up your organization’s repository manager to use Chainguard Libraries for Python.
Log into your organization’s repository manager and retrieve credentials for the build tool you are configuring.
Configure your development or build tool with this information.
Remove local caches on workstations and CI/CD pipelines. This step ensures that dependencies are preferentially sourced from Chainguard Libraries.
Finally, confirm that your development tools and CI/CD workflows are correctly ingesting dependencies from Chainguard Libraries.

These changes must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build tool such as Jenkins, TeamCity, GitHub Actions, or other infrastructure that draws in dependencies.

Management and maintenance

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries for Java operates transparently after completing the global configuration and build configuration, automatically providing security-enhanced versions of your Maven dependencies. New artifacts and versions are retrieved from Chainguard’s hardened repository when available, while Maven Central and other configured repositories provide fallback access to ensure continuous development workflow without interruption.

The following sections detail optional management, maintenance, and auditing steps on the repository manager and the build tool.

Source verification

Use chainver to verify that a specific library or file originates from Chainguard in an automated fashion or follow the steps in this section for manual verification.

Management and maintenance

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries for Python operates transparently after completing the global configuration and build configuration, automatically providing security-enhanced versions of your PyPI dependencies. New packages and versions are retrieved from Chainguard’s hardened repository when available, while PyPI and other configured repositories provide fallback access to ensure continuous development workflow without interruption.

The following sections detail optional management, maintenance, and auditing steps on the repository manager and the build tool.

Source verification

You can verify what artifacts are retrieved from the Chainguard Libraries repository on a global level:

Migrating a JavaScript Project to Chainguard Libraries

Mon, 01 Jun 2026 00:00:00 +0000

Chainguard Libraries for JavaScript provides a curated registry of npm packages rebuilt from source, scanned for malware, and verified against the OSV database. Because Chainguard Libraries uses the standard npm registry protocol, switching an existing project requires only a registry configuration change — no changes to your application code, package.json, or dependency versions.

This guide walks through migrating an existing JavaScript project to Chainguard Libraries, covering the two most common setups:

How does Chainguard Libraries plug into a developer's workflow?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So Dustin, how does Libraries actually plug into a developer workflow?

How does Chainguard Libraries help developers?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So how does Chainguard Libraries help developers?

Build Safely with AI

Thu, 28 May 2026 12:00:00 +0000

The May 2026 Learning Lab with Erika Heidi explores AI-native threat models and how to mitigate risks involved with AI-assisted coding, leveraging Cursor and Chainguard for a secure AI SLDC.

Sections

0:00 Introduction and agenda
3:35 “This Changes Everything”
4:19 How the threat model changed with AI
8:17 Your local dev environment at risk
9:49 AI-native attack vectors
12:30 Closing the trust gap
14:14 Two principles for a safe SLDC with AI assistance
23:06 Vibecoding with trusted sources
27:26 The Chainguard plugin for Cursor
29:03 Demo - building an SBOM visualizer
31:27 The initial prompt
33:50 The resulting vibecoded app
34:20 Migrating to Chainguard Libraries
36:43 Verifying coverage
38:26 Recap of what we neutralized
40:15 Other Chainguard skills to try out on Cursor
48:45 Wrapping Up

Resources

Software supply chain attacks and Chainguard Libraries

Mon, 30 Mar 2026 12:00:00 +0000

The March 2026 Learning Lab with Manfred Moser focuses on the history, trends, and future developments around software supply chain attacks. Manfred talks about the role libraries for application developers and demonstrates numerous new features and use cases for Chainguard Libraries.

Sections

0:00 Introduction and agenda
1:45 Software supply chain overview
7:25 History of attacks and overview of different methods
17:59 Future threads and trends
21:37 Statistics about intensifying attacks
22:54 Incidents and fire drills
25:05 Impact from Minecraft and log4j on Maven Central
26:42 Chainguard Libraries overview
32:21 Chainguard Libraries for Python, Java, and JavaScript
35:17 Demo - Browsing libraries in the console UI
40:38 Demo - Pull token creation in console UI and with chainctl
42:13 Demo - Browsing Python simple index
45:50 Demo - Browsing Java repository
49:25 Demo - Example projects for JavaScript and Python
56:35 Demo - Verification with chainctl
58:47 Chainguard Repository
1:01:16 Upcoming events

Resources

Chainguard Libraries for JavaScript and CVE remediation for Python libraries

Thu, 30 Oct 2025 12:00:00 +0000

The October 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for JavaScript and CVE remediation with Chainguard Libraries for Python. It starts with an overview about libraries and the JavaScript ecosystem and moves on to a demo with npm and pnpm. In the second section Manfred explains the approach for CVE remediation and shows an example project with remediation and scanning with grype.

Sections

0:00 Introduction
1:55 Agenda
2:54 Secure container and the role of libraries
5:20 Software supply chain for libraries and security
6:51 Chainguard Libraries and the JavaScript ecosystem
14:33 Malware in the npm ecosystem
18:39 Chainguard Libraries for JavaScript
25:57 Demoes with npm and pnpm
33:50 Troubleshooting results and additional demos
41:34 Chainguard Libraries for Python
43:39 CVE remediation process and examples
52:03 Demoes with uv and grype
56:25 Further resources
57:35 Next up
58:18 Questions
1:06:00 Wrapping up

JavaScript demo

The demonstration of Chainguard Libraries for JavaScript walks through the minimal example for pnpm with direct access to the registry and with access to a local repository manager, and shows an equivalent project with npm as well.

Chainguard Libraries for Python

Sun, 22 Jun 2025 17:00:00 +0000

The June 2025 Learning Lab with Patrick Smyth covers Chainguard Libraries for Python. Open source libraries help you move fast, but pulling in external dependencies can introduce supply chain risk. This session covers fundamental concepts of Chainguard Libraries, package managers and dependencies, PyPI and build tools, configuring repository managers, and running example application builds.

Sections

0:00 Introduction and welcome
0:54 Patrick Smyth introduction and background
1:47 Chainguard! Who are we?
2:47 Chainguard Containers and the “boss assigned me to fix Ubuntu” problem
4:12 Introduction to Chainguard Libraries for Python
5:04 Python libraries fundamentals - modules, packages, and libraries
6:34 The dependency graph problem and modern ecosystem challenges
8:57 PyPI (Python Package Index) overview and infrastructure
10:53 Supply chain attacks on the rise and threats to the Python ecosystem
11:39 Supply chain meme calendar - an attack every month this year
13:54 Anatomy of supply chain attacks and attack vectors
17:43 Chainguard Libraries!
19:34 Chainguard Factory overview and operational security
21:33 Case study: Ultralytics YOLO December 2024 attack
23:22 Technical caveats and requirements for Chainguard Libraries
25:06 Demo introduction and Flask project overview
27:48 Accessing demo materials on Chainguard Academy
29:00 Demo: Cloning and setting up the Flask project
31:17 Demo: Creating virtual environment and installing from PyPI
33:06 Demo: Running Flask application and testing with libCheck tool
34:28 Demo: Configuring pip for Chainguard Libraries via repository manager
36:19 Demo: Installing dependencies from Chainguard Libraries
37:02 Demo: Verification with libCheck
38:22 Demo: Containerizing the demo application
40:25 Demo: Building and running containerized Flask application
41:41 Additional configuration options and documentation resources
42:19 Q&A: Repository manager setup and configuration
43:26 Q&A: Architecture support and glibc requirements
44:34 Q&A: libCheck tool open source plans and detailed output
46:05 Q&A: CVE scanning with Grype and vulnerability management

Demo

In the demo, Patrick switches a Flask application to use Chainguard Libraries for Python, sourcing dependencies from a repository manager (Artifactory) set up to pull first from the Chainguard Libraries for Python index with a fallback to the Python Package Index (PyPI).

Chainguard Libraries for Java

Wed, 18 Jun 2025 21:00:00 +0000

The May 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for Java. It starts with an overview about libraries and the Java ecosystem and progresses to a demo with Apache Maven and Sonatype Nexus.

Sections

0:00 Introduction and agenda
2:38 Chainguard and containers
3:47 Chainguard Factory
4:57 Concepts - from containers to libraries
9:00 Java and Java libraries
12:45 Software supply chain of libraries and attacks
19:27 Dependency supply in Java
20:30 Repository concept and Maven Central
24:32 Chainguard Libraries for Java and repository manager intro
28:17 Developer tools
29:21 Demo start and setup with chainctl
32:55 Sonatype Nexus configuration
37:30 Maven configuration
40:41 Example project setup, build, and results
44:57 Dependency list and tree
47:00 Results and verification
49:37 Summary
50:43 Up next
52:55 Questions

Demo

Following are some of the commands used in the demo. More information can be found in the slide deck, the linked resources, and the video.