Chainguard Libraries

Secure, continuously rebuilt open source language libraries (Java, Python) for safe, malware-resistant dependency management.

Vendor: Chainguard

Product details

Chainguard Libraries is a SaaS solution providing a catalog of secure, malware-resistant open source language libraries—primarily for Java and Python—built directly from source using hardened, SLSA Level 2-compliant infrastructure. It delivers a single, standardized, and verifiable endpoint for developers to safely consume language dependencies, reducing the risk of supply chain attacks and eliminating the need for manual curation or policy-based vetting of open source packages.

Key Features

Malware-Resistant Libraries: Continuously rebuilt from source in a hardened environment.

  • Protects against malware, hijacked packages, and compromised build systems.
  • Covers 20,000+ Java and 10,000+ Python projects, with more ecosystems planned.

End-to-End Integrity and Provenance: Full traceability and open attestations for every package.

  • Ensures package integrity with verifiable build provenance.
  • Eliminates “dark matter” and untrusted binaries in dependencies.

Seamless Developer Integration: Works with standard artifact managers and existing workflows.

  • Natively integrates with Maven, PyPI, and common repository managers.
  • No added friction for developers—just change the endpoint.

Dynamic Dependency Simplification: Handles shared system libraries for dynamically linked languages.

  • Offloads vendoring and management of native dependencies.

Broad Platform Support: Compatible with any container stack or Linux distribution.

  • Works independently or alongside Chainguard Containers and VMs for full-stack protection.

Benefits

Eliminate Supply Chain Risks: Reduces exposure to malware and CVE risks in open source dependencies.

  • Mitigates attacks at both build and distribution stages.
  • Avoids unvetted, potentially malicious packages from public registries.

Accelerate Developer Velocity: Removes manual curation and policy enforcement overhead.

  • Lets developers focus on shipping code, not managing dependency risks.
  • Reduces downtime from supply chain incidents and package hijacks.