Introducing Chainguard Libraries: Guarded Java Language Dependencies Built from Source
New product line provides a catalog of the 20,000 most popular Java projects with end-to-end integrity, furthering Chainguard's mission to be the safe source for open source
The growing threat of untrusted open source dependencies
Securing the modern software development lifecycle requires locking down every layer of the stack, including the operating system (OS), runtime environment, language libraries, and application code. While Chainguard Containers helps organizations secure their OS and application runtime environment, enterprise coverage for language dependencies, such as Java libraries, has been a critical gap. Malicious open source packages grew more than three times in 2024, with over 700,000 malicious packages detected. Today, Java developers rely on libraries from public registries like Maven Central, which had over 1.5 trillion downloads of libraries in 2023 but prioritizes publisher convenience over enterprise safety and security. Because public registries are low friction by design, they have minimal vetting for the artifacts uploaded to their repositories and no requirements for digital attestations to ensure package integrity and build security. Attackers frequently exploit these weaknesses at the build and distribution stages of the package lifecycle, injecting malware into seemingly safe software. High-profile supply chain attacks like SolarWinds, XZ Utils, MavenGate, and the growing stream of malicious package attacks underscore the risks of consuming unverified dependencies.
"Developers need a better way to consume open source language dependencies that unites ease of use with trusted security. Chainguard Libraries provides a secure, trusted source for Java dependencies, built entirely from source in Chainguard's hardened environment," said
Securely ship products faster without supply chain security threats
The introduction of Chainguard Libraries accelerates Chainguard's mission to build the safe source for open source. Up until this point, Chainguard has made its customers successful with minimal, zero-CVE container images, which help organizations deploy applications more efficiently and securely. Now, Chainguard Libraries provides a single, standardized source for developers to consume the 20,000 most popular Java dependencies safely and securely, with five years of version coverage, eliminating the risk of malware and other supply chain security threats in their environment. With Chainguard Libraries, Chainguard is expanding beyond containerized application deployments and delivering safe open source across compute modalities and the software development lifecycle. By meeting developers how and where they work, Chainguard enables engineering teams to ship products faster and with more confidence, ultimately driving business value for their organizations.
"As software supply chain attacks continue to pose a challenge, organizations seek greater assurance in the security and integrity of their open-source dependencies," said
Chainguard Libraries is available in Beta. To be among the first to try Chainguard Libraries, visit https://chainguard.dev/libraries.
About Chainguard
Chainguard is the secure foundation for software development and deployment. By providing guarded open source software, built from source and updated continuously, Chainguard helps organizations eliminate threats in their software supply chains. Its customers include Fortune 500 enterprises and leading technology companies, including Anduril, Canva, Checkmarx, HPE, GitLab, Snowflake, and Wiz. Chainguard is venture-backed by leading investors, including Amplify, IVP, Lightspeed Venture Partners, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/
MEDIA CONTACT:
[email protected]
View original content to download multimedia: https://www.prnewswire.com/news-releases/introducing-chainguard-libraries-guarded-java-language-dependencies-built-from-source-302409971.html
SOURCE Chainguard