Fewer CVEs, more accurate findings: Wiz now scans Chainguard Libraries for Python and Java
The most effective engineering and security teams don’t choose between speed and security. They start with trusted software that eliminates vulnerabilities and supply chain risk, and focus their energy on other high-priority issues.
Today, we are expanding our partnership with Wiz. Customers can now use Wiz to scan Chainguard Libraries for Python and Java, a trusted source of open source dependencies built to reduce software supply chain risk.
By combining Chainguard Libraries with the context and visibility provided by the Wiz Security Graph, organizations gain a clearer understanding of real-world risk, reduce vulnerability noise, prioritize remediation efforts more effectively, and stay safe from the next malware campaign. Now, organizations can prove that their pinned dependencies are safe while they plan their next major version upgrade.
Verifiable remediation, not just fewer findings
Wiz customers can now extend their existing security workflows to Chainguard Libraries for Python and Java, and ship with confidence that their environments are shielded from both the CVEs they can see and the malware they can't.
Pairing Chainguard Libraries with Wiz gives security and engineering teams a cleaner foundation for application development and a clearer view of the risks that require action. Chainguard Libraries reduces exposure to malware and known vulnerabilities before dependencies enter the development lifecycle, and provides verifiable proof that the artifact in use carries a working backported fix. Wiz brings the context and visibility teams need to understand how those risks relate to their cloud environments.
Open source dependencies pulled from public registries often lack verifiable build provenance. Some solutions provide patches that sit on top of a package sourced from public registries, making it difficult to prove whether a fix was actually incorporated into the artifact running in production. In these cases, an auditor may be able to review a patch file, but there is no cryptographic chain proving the fix was actually applied to the artifact.
Chainguard Libraries takes a different approach. CVE fixes are backported, and the entire package is rebuilt from source. This ensures the patch, the build, and the resulting artifact are all linked through SLSA provenance, providing verifiable proof to auditors that the CVE was remediated.
Chainguard Libraries replace live access to PyPI and npm with a dedicated, trusted source, so malicious packages never reach your environment in the first place. For both Python and Java, critical and high CVEs are backported directly into the artifacts you’re already using, buying your team time while you plan your next version upgrade. And because you’re scanning artifacts that are already patched and malware-free, Wiz surfaces findings that actually require action, not noise from vulnerabilities that never made it into your environment in the first place.
How it works
The Wiz and Chainguard Libraries integration works by scanning packages wherever they appear, whether in build artifacts, container images, or production workloads, and checking them against Chainguard's VEX feed to show accurate vulnerability remediation status.
When Wiz encounters a Java or Python dependency sourced from Chainguard Libraries, it identifies the version suffix Chainguard adds to patched releases. That suffix signals that a dependency carries a specific CVE remediation, rather than the original upstream version.
To identify which CVEs are resolved, Wiz pulls Chainguard's OpenVEX feed and matches each detected package against the corresponding VEX statements. When a CVE is marked as "fixed" in a given version, Wiz removes it from scan results, so teams only see vulnerabilities that are unresolved. The result is fewer false positives without manual triage, giving security teams a clean, accurate picture of their actual risk. For full technical details, see the scanning implementation guide.
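As an added illustration of the matching step described above (example code, not Wiz's or Chainguard's implementation): a constructed OpenVEX document is reduced to the set of CVEs marked "fixed" per package URL, and scanner findings are filtered against it on the exact detected version. The package names and the "+cgr.N" version suffix are placeholders, not the real suffix Chainguard uses.

```python
# Constructed OpenVEX document in the shape of the openvex.dev v0.2.0 spec.
# Package names and the "+cgr.N" suffix are placeholders, not real values.
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:pypi/examplelib@1.2.3+cgr.1"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:pypi/examplelib@1.2.3+cgr.1"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:maven/org.example/widget@4.5.6+cgr.2"}],
         "status": "fixed"},
    ],
}


def fixed_cves_by_product(vex):
    """Map each product purl to the CVEs the feed marks as fixed in it."""
    fixed = {}
    for stmt in vex.get("statements", []):
        if stmt.get("status") != "fixed":
            continue  # affected / under_investigation must stay visible
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            # v0.2.0 products are objects with "@id"; older feeds used strings
            purl = product["@id"] if isinstance(product, dict) else product
            fixed.setdefault(purl, set()).add(cve)
    return fixed


def filter_findings(findings, vex):
    """Drop findings whose CVE the feed marks fixed for the exact purl detected.
    Upstream 1.2.3 (no suffix) is not cleared by the 1.2.3+cgr.1 statement."""
    fixed = fixed_cves_by_product(vex)
    return [f for f in findings if f["cve"] not in fixed.get(f["purl"], set())]


# Constructed scanner output: the patched package, the unpatched upstream
# package with the same base version, and a patched Java artifact.
SAMPLE_FINDINGS = [
    {"purl": "pkg:pypi/examplelib@1.2.3+cgr.1", "cve": "CVE-0000-0001"},
    {"purl": "pkg:pypi/examplelib@1.2.3+cgr.1", "cve": "CVE-0000-0002"},
    {"purl": "pkg:pypi/examplelib@1.2.3", "cve": "CVE-0000-0001"},
    {"purl": "pkg:maven/org.example/widget@4.5.6+cgr.2", "cve": "CVE-0000-0003"},
]

if __name__ == "__main__":
    print(filter_findings(SAMPLE_FINDINGS, SAMPLE_VEX))
```

Only the two findings the feed does not clear survive: the CVE still under investigation, and the CVE on the unsuffixed upstream version, which a suffix-only check would wrongly have dropped.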
Get in touch with our team to learn more about this partnership and how to get started.