DEVOPSdigest

Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.

Built with end-to-end integrity and native protection at package build and distribution, Chainguard Libraries delivers one standardized source for developers to consume Java dependencies safely and securely, without introducing malware and other supply chain security risks into their environment. Chainguard Libraries also mitigates the need for friction-heavy package curation and integrates seamlessly into developer workflows, empowering enterprises to ship software faster, without sacrificing security.

Securing the modern software development lifecycle requires locking down every layer of the stack, including the operating system (OS), runtime environment, language libraries, and application code. While Chainguard Containers helps organizations secure their OS and application runtime environment, enterprise coverage for language dependencies, such as Java libraries, has been a critical gap. Malicious open source packages grew more than three times in 2024, with over 700,000 malicious packages detected. Today, Java developers rely on libraries from public registries like Maven Central, which had over 1.5 trillion downloads of libraries in 2023, but prioritizes publisher convenience over enterprise safety and security. Because public registries are low friction by design, they have minimal vetting for the artifacts uploaded to their repositories and no requirements for digital attestations to ensure package integrity and build security. Attackers frequently exploit these weaknesses at the build and distribution stages of the package lifecycle, injecting malware into seemingly safe software. High-profile supply chain attacks like SolarWinds, XZ Utils, MavenGate, and the growing stream of malicious package attacks underscore the risks of consuming unverified dependencies.

"Developers need a better way to consume open source language dependencies that unites ease of use with trusted security. Chainguard Libraries provides a secure, trusted source for Java dependencies, built entirely from source in Chainguard's hardened environment," said Dan Lorenc, CEO and Co-founder, Chainguard. "By eliminating the supply chain security risks associated with traditional public registries, we're helping enterprises lock down a critical attack vector in their environments. At the same time, we're making developers' lives easier by removing the friction of manual or policy-based package curation and giving them one trusted source for dependencies that integrates seamlessly into their existing workflows. With Chainguard Libraries, organizations can build faster and safer, without any compromises."

The introduction of Chainguard Libraries accelerates Chainguard's mission to build the safe source for open source. Up until this point, Chainguard has made its customers successful with minimal, zero-CVE container images, which help organizations deploy applications more efficiently and securely. Now, Chainguard Libraries provides a single, standardized source for developers to consume the 20,000 most popular Java dependencies safely and securely, with five years of version coverage, eliminating the risk of malware and other supply chain security threats in their environment. With Chainguard Libraries, Chainguard is expanding beyond containerized application deployments and delivering safe open source across compute modalities and the software development lifecycle. By meeting developers how and where they work, Chainguard enables engineering teams to ship products faster and with more confidence, ultimately driving business value for their organizations.

Chainguard Libraries is available in Beta.