Introducing Chainguard Libraries: Guarded Java Language Dependencies Built from Source

New product line provides a catalog of the 20,000 most popular Java projects with end-to-end integrity, furthering Chainguard’s mission to be the safe source for open source

Chainguard, the secure foundation for software development and deployment, today announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure. Built with end-to-end integrity and native protection at package build and distribution, Chainguard Libraries delivers one standardized source from which developers can consume Java dependencies safely and securely, without introducing malware and other supply chain security risks into their environment. Chainguard Libraries also reduces the need for friction-heavy package curation and integrates seamlessly into developer workflows, letting enterprises ship software faster without sacrificing security.

The growing threat of untrusted open source dependencies

Securing the modern software development lifecycle requires locking down every layer of the stack, including the operating system (OS), runtime environment, language libraries, and application code. While Chainguard Containers helps organizations secure their OS and application runtime environment, enterprise coverage for language dependencies such as Java libraries has been a critical gap. The number of malicious open source packages more than tripled in 2024, with over 700,000 malicious packages detected. Today, Java developers rely on libraries from public registries like Maven Central, which served over 1.5 trillion library downloads in 2023 but prioritizes publisher convenience over enterprise safety and security. Because public registries are low friction by design, they apply minimal vetting to the artifacts uploaded to their repositories and require no digital attestations to ensure package integrity and build security. Attackers frequently exploit these weaknesses at the build and distribution stages of the package lifecycle, injecting malware into seemingly safe software. High-profile supply chain attacks like SolarWinds, XZ Utils, and MavenGate, along with the growing stream of malicious package attacks, underscore the risks of consuming unverified dependencies.

“Developers need a better way to consume open source language dependencies that unites ease of use with trusted security. Chainguard Libraries provides a secure, trusted source for Java dependencies, built entirely from source in Chainguard’s hardened environment,” said Dan Lorenc, CEO and Co-founder, Chainguard. “By eliminating the supply chain security risks associated with traditional public registries, we’re helping enterprises lock down a critical attack vector in their environments. At the same time, we’re making developers’ lives easier by removing the friction of manual or policy-based package curation and giving them one trusted source for dependencies that integrates seamlessly into their existing workflows. With Chainguard Libraries, organizations can build faster and safer, without any compromises.”

Securely ship products faster without supply chain security threats

The introduction of Chainguard Libraries accelerates Chainguard’s mission to build the safe source for open source. Until now, Chainguard has made its customers successful with minimal, zero-CVE container images, which help organizations deploy applications more efficiently and securely. Now, Chainguard Libraries provides a single, standardized source for developers to consume the 20,000 most popular Java dependencies safely and securely, with five years of version coverage, eliminating the risk of malware and other supply chain security threats in their environment. With Chainguard Libraries, Chainguard is expanding beyond containerized application deployments and delivering safe open source across compute modalities and the software development lifecycle. By meeting developers how and where they work, Chainguard enables engineering teams to ship products faster and with more confidence, ultimately driving business value for their organizations.

“As software supply chain attacks continue to pose a challenge, organizations seek greater assurance in the security and integrity of their open-source dependencies,” said Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security, IDC. “Approaches that enhance the verifiability and trustworthiness of software components — such as building Java packages directly from source with end-to-end integrity, as seen in solutions like Chainguard Libraries — can help organizations strengthen their software supply chain while enabling developers to build and deploy software more efficiently without compromising security.”
