Announcing Chainguard Libraries: Guarded Java Language Dependencies Built from Source
Now in Beta.
We’re excited to announce the Beta release of Chainguard Libraries, a catalog of guarded Java dependencies built securely from source in Chainguard’s SLSA-certified infrastructure. Purpose-built for secure and frictionless enterprise consumption, Chainguard Libraries marks a departure from the publisher-oriented approach of popular public package registries, which only apply minimal vetting for their hosted artifacts.
With Libraries, Chainguard will deliver customers one standardized source for their developers to safely consume language libraries without compromising supply chain security, while also eliminating the toil associated with package curation and preserving existing developer workflows to minimize friction. Chainguard Libraries protect against supply chain attacks at the build and distribution stages of the library lifecycle. Ultimately, Chainguard Libraries empowers enterprises to build products faster and better without sacrificing security. In this blog post, we’ll dive into the motivations behind building Chainguard Libraries and the value we deliver to customers.
Challenges with Status Quo Consumption of Language Libraries
Customers come to Chainguard looking to secure their applications at every layer of the stack – the operating system, application runtime, language libraries, and their own code. With Chainguard Containers, Chainguard has long offered a solution for the OS and specialized application runtimes. But our enterprise customers have repeatedly asked us to build a secure, easy mechanism for their developers to consume language libraries as well. That’s because under the status quo, developers pull libraries from popular public registries like Maven Central, PyPI, and npm, which have long optimized for publisher convenience and do not vet uploaded artifacts to enterprise security standards. In optimizing for publishers, these public registries introduce real costs for enterprises. This is evident in the growing number of supply chain attacks at the build and distribution stages of the dependency lifecycle (illustrated in Figures 1 and 2 below).
[Figures 1 and 2: supply chain attacks at the build and distribution stages of the dependency lifecycle]
The attack surface of untrusted libraries isn’t theoretical – the threats are real and growing rapidly. At the build stage, many releases in Maven Central aren’t automated, which means these libraries are built on a developer’s laptop, an environment that simply can’t guarantee artifact security or integrity. And even when releases are automated, supply chain security is minimal. Take the recent attack on the Ultralytics Python project, a library with 60M+ annual downloads, for example. Attackers compromised a build pipeline to extract CI/CD credentials and then injected a malicious module that deploys a cryptominer to steal user cryptocurrency.
The industry has also seen notable attacks at the distribution stage of the package lifecycle. In January 2024, attackers exploited abandoned Java project domains and utilized this entry point to execute unauthorized package replacements in Maven Central. The “MavenGate” attack allowed bad actors to upload malicious packages to Maven Central and impact a wide array of popular Java build tools like Gradle.
While the public registries are working to implement security best practices to mitigate some of these challenges, enterprises lack the luxury of time. The problems facing package builds and distribution are impacting our customers today. And it’s clear that the status quo for consumption of language dependencies is broken: enterprises have no end-to-end integrity guarantees for how, where, and by whom these libraries were built.
Chainguard’s Solution: Chainguard Libraries
To address these challenges in enterprise application development and deployment, we built Chainguard Libraries, a catalog of guarded language dependencies built entirely from source in our hardened build environments to eliminate supply chain attacks at package build and distribution. Chainguard Libraries allows engineering organizations to eliminate supply chain security threats from language dependencies without compromising developer productivity or a frictionless experience.
Java is one of the most important open source ecosystems for enterprise developers globally, frequently ranking among the top three most used languages. Maven Central alone saw over 1.5 trillion requests in 2024, growing over 36% year over year. Chainguard customers have repeatedly emphasized that their Java footprint is huge and growing. That’s why Chainguard is building over 20,000 of the most popular Java projects with 5 years of version coverage. And we plan to expand our product portfolio to cover other ecosystems based on customer feedback.
There are a few key pillars of value that we will deliver with Chainguard Libraries for Java:
Hardening Against Supply Chain Attacks: Supply chain attacks resulting from compromised build systems and package distribution mechanisms have been proliferating quickly. These attacks are a direct result of developers consuming language libraries that lack sufficient vetting, provenance, and build security. Chainguard Libraries will guard enterprises against these forms of attacks by building libraries entirely from source in our hardened environment with end-to-end integrity for builds, tests, and distributions.
Frictionless Developer Experience: To address the problem of insecure language libraries, enterprises often adopt manual or policy-based curation programs. But these approaches can slow down development cycles because they block existing developer workflows and introduce friction. For example, requiring developers to open an IT ticket when they want to use a new Java project for development and making them wait for weeks-long approval flows is untenable and self-defeating. Chainguard Libraries integrate with common artifact managers to preserve frictionless developer workflows and eliminate toil associated with in-house curation without compromising supply chain security. This balance helps enterprises ship software quickly while remaining secure.
Standardization of Open Source: Chainguard’s ambition is to build one standardized endpoint for all language ecosystem libraries. By standardizing developer usage of open source libraries on one safe source, enterprises gain deeper visibility into what open source is being used and where, and eliminate shadow IT.
Getting Started with Chainguard Libraries for Java
We’re excited to hear your feedback as you begin building with Chainguard Libraries. Your feedback will play a key role in shaping Chainguard’s future plans to incorporate additional customization capabilities that deliver even more value.
If you’d like to learn more about how Chainguard Libraries can transform your software supply chain, reach out today. Existing Chainguard Containers customers can get started with Chainguard Libraries by contacting their account teams and exploring our docs.