Python on

Chainguard Libraries for Python overview

Wed, 09 Apr 2025 04:00:00 +0000

Introduction

Chainguard Libraries for Python provides enhanced security for the vast Python ecosystem by rebuilding PyPI packages with comprehensive supply chain protection and automated patching. With over 600,000 packages on the Python Package Index (PyPI) serving application development, machine learning, and data science needs, Chainguard addresses the critical security challenges of depending on packages from untrusted sources by rebuilding them within the controlled Chainguard Factory environment. In addition, Chainguard eliminates security risk by remediating High and Critical vulnerabilities across older package versions where upstream maintainers are not able to prioritize fixes.

Global configuration

Tue, 25 Mar 2025 08:04:00 +0000

Python library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

The recommended approach is to use the upstream fallback feature of Chainguard Repository, which allows you to configure your repository manager with a single upstream pointed at https://libraries.cgr.dev/python/. The Chainguard Repository handles fallback and policy enforcement; your repository manager handles local caching and access control. Chainguard also retrieves packages from the public PyPI repository on your behalf when upstream fallback is enabled. This includes protections such as malware detection and a cooldown period for newly published packages.

Build configuration

Tue, 25 Mar 2025 08:04:00 +0000

The configuration for the use of Chainguard Libraries depends on how you’ve set up your build tools and CI/CD workflows. At a high level, adopting the use of Chainguard Libraries in your development, build, and deployment workflows involves the following steps:

If you or an administrator have not done so already, set up your organization’s repository manager to use Chainguard Libraries for Python.
Log into your organization’s repository manager and retrieve credentials for the build tool you are configuring.
Configure your development or build tool with this information.
Remove local caches on workstations and CI/CD pipelines. This step ensures that dependencies are preferentially sourced from Chainguard Libraries.
Finally, confirm that your development tools and CI/CD workflows are correctly ingesting dependencies from Chainguard Libraries.

These changes must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build tool such as Jenkins, TeamCity, GitHub Actions, or other infrastructure that draws in dependencies.

Management and maintenance

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries for Python operates transparently after completing the global configuration and build configuration, automatically providing security-enhanced versions of your PyPI dependencies. New packages and versions are retrieved from Chainguard’s hardened repository when available, while PyPI and other configured repositories provide fallback access to ensure continuous development workflow without interruption.

The following sections detail optional management, maintenance, and auditing steps on the repository manager and the build tool.

Source verification

You can verify what artifacts are retrieved from the Chainguard Libraries repository on a global level:

Chainguard Libraries for Python

Sun, 22 Jun 2025 17:00:00 +0000

The June 2025 Learning Lab with Patrick Smyth covers Chainguard Libraries for Python. Open source libraries help you move fast, but pulling in external dependencies can introduce supply chain risk. This session covers fundamental concepts of Chainguard Libraries, package managers and dependencies, PyPI and build tools, configuring repository managers, and running example application builds.

Sections

0:00 Introduction and welcome
0:54 Patrick Smyth introduction and background
1:47 Chainguard! Who are we?
2:47 Chainguard Containers and the “boss assigned me to fix Ubuntu” problem
4:12 Introduction to Chainguard Libraries for Python
5:04 Python libraries fundamentals - modules, packages, and libraries
6:34 The dependency graph problem and modern ecosystem challenges
8:57 PyPI (Python Package Index) overview and infrastructure
10:53 Supply chain attacks on the rise and threats to the Python ecosystem
11:39 Supply chain meme calendar - an attack every month this year
13:54 Anatomy of supply chain attacks and attack vectors
17:43 Chainguard Libraries!
19:34 Chainguard Factory overview and operational security
21:33 Case study: Ultralytics YOLO December 2024 attack
23:22 Technical caveats and requirements for Chainguard Libraries
25:06 Demo introduction and Flask project overview
27:48 Accessing demo materials on Chainguard Academy
29:00 Demo: Cloning and setting up the Flask project
31:17 Demo: Creating virtual environment and installing from PyPI
33:06 Demo: Running Flask application and testing with libCheck tool
34:28 Demo: Configuring pip for Chainguard Libraries via repository manager
36:19 Demo: Installing dependencies from Chainguard Libraries
37:02 Demo: Verification with libCheck
38:22 Demo: Containerizing the demo application
40:25 Demo: Building and running containerized Flask application
41:41 Additional configuration options and documentation resources
42:19 Q&A: Repository manager setup and configuration
43:26 Q&A: Architecture support and glibc requirements
44:34 Q&A: libCheck tool open source plans and detailed output
46:05 Q&A: CVE scanning with Grype and vulnerability management

Demo

In the demo, Patrick switches a Flask application to use Chainguard Libraries for Python, sourcing dependencies from a repository manager (Artifactory) set up to pull first from the Chainguard Libraries for Python index with a fallback to the Python Package Index (PyPI).