Chainguard Repository adds new policies, Chainguard Libraries for JavaScript is GA
While AI offers everyone new opportunities to build products faster than ever, it can also lead to security risks and compliance infractions growing just as fast. If the only impact of AI was increased developer productivity, we wouldn’t also be reading about a new malware attack every week. “AI readiness” is about gaining newfound velocity without sacrificing security. That means installing the right preventative security guardrails without inhibiting developer experiences.
Today, we’re introducing three important additions to Chainguard Repository that allow you and your agents to consume secure-by-default open source in ways that are compliant with the unique standards of your organization. We’re adding malware and greyware scanning across more artifacts, releasing new enhancements to our policy engine, and providing new visibility features to Chainguard Repository.
We’re also announcing that Chainguard Libraries for JavaScript is now generally available. This brings all three of our library ecosystems to GA.
Teams currently layer scanners, artifact managers, and policy engines across their stacks. These tools add visibility, but they act too late in your stack or require constant tinkering. Platform teams can go further, mirroring registries or building internal tooling to enforce standards. Those approaches can work, but they introduce ongoing operational overhead. Above all, it slows your team down at a moment when speed is a competitive advantage.
When security and platform teams define open source artifacts once for their entire organization, it ensures that any artifact developers or agents pull already meets the bar.
Here’s what’s new in Chainguard Repository
Malware and greyware scanning
We are expanding the surface area of our source code and maintainer behavior scanner from just analyzing upstream JavaScript packages to also include upstream Python packages, Java packages, and container images. Our proprietary malware scanner sits at the repository level. This ensures that your organization is never susceptible to an exposure window, as your team can access only artifacts that have been checked for malicious behavior.
Unlike other firewalls, our scanner also monitors for greyware, a term we’ve coined for packages that do exactly what they say, except what they do is malicious in nature, like harvesting credentials or storing your LLM prompts to a third-party server. We are the only platform identifying and blocking these packages and catching 70+ greyware projects every week that would never pass a CISO security review, but elude traditional malware scanners.
Bringing our policy engine to more artifacts
Chainguard Repository’s built-in policy engine now applies to more artifacts. We’ve expanded beyond JavaScript packages to container images, Python packages, and Java packages. Now, consumption of all these artifacts can be controlled through policies. This guarantees that your organization’s strict security and compliance standards are met whenever a developer or agent is pulling in open source artifacts for their next project.
This also means that an upstream fallback is now available for Java and Python, just like it is for JavaScript. Now, for all packages that Chainguard has not yet built from source, you’re able to pull in upstream packages that have been scanned for any malicious behavior and passed a cooldown.
Expanding the types of policies in our policy engine
We’ve expanded the types of policies available to govern these artifacts, providing your team with more flexibility and control. These policies are in Open Beta as of today.
For Chainguard Containers, we’ve added three policies that govern how your team builds its applications. You can now:
Block images that reach end of life: This ensures your team never ships an image that no longer receives updates.
Restrict images to those that have long-term support: This narrows your image catalog to versions that carry an extended maintenance commitment.
Set cooldowns: This gives your team a buffer between when a new version is published and when it’s eligible to be pulled, preventing your team from being caught off guard by upstream changes.
For Chainguard Libraries, we’ve added custom blocking, which lets you prevent developers from pulling any specific project or version if it doesn’t meet your organization’s standards for a predetermined reason.
Across Chainguard Containers and Chainguard Libraries, overrides are also available. This allows you to manually override any active policy to gain access to the desired artifact. This is especially relevant if your team wants to, for example, override a cooldown policy to access the latest version of a project that remediates a vulnerability. If there is malware or greyware that Chainguard has blocked but your organization deems safe, an admin can override that package, too.
Improving policy enforcement visibility
All of these policies can be managed with simple controls. Before activating a new policy, you'll likely want to assess its impact on your organization. Chainguard Repository now allows you to preview how the policy would impact current consumption of your open source. Once you’re comfortable with how the policy operates, you can enable it in enforce mode.
Policies are only as strong as your ability to understand their use and efficacy. Chainguard Repository now offers greater visibility into which artifacts were blocked, which policies triggered the block, and on what day it happened. This data allows you to identify patterns in artifact usage, such as reliance on outdated or unsupported versions.
Security and speed meet compliance
Today’s policy upgrades for Chainguard Repository give security and platform teams peace of mind that the open source artifacts engineers and agents pull adhere to the unique standards of their organization. They will be rolling out to all customers in the coming days. With Chainguard Repository, you can set policies once and enforce them automatically across all machines and pipelines. This shifts responsibility from individual developers to your enterprise’s security and platform teams, ensuring standards are applied consistently and at scale.
Going forward, we plan to expand the types of policies and artifacts available in Chainguard Repository to continue providing the granular controls you need to govern your supply chain. If you’d like to learn more about Chainguard Containers or Chainguard Libraries, you can learn more on their corresponding landing pages.
Share this article
Related articles
- product
Fewer CVEs, more accurate findings: Wiz now scans Chainguard Libraries for Python and Java
Matt Stead, Product Marketing Manager
- product
Everything we announced during AI Readiness Innovation Week
Patrick Donahue, SVP, Product
- product
Secure your pipelines with Chainguard Actions, now available in Open Beta
Elsie Phillips, Staff Product Marketing Manager
- product
Chainguard plug-in now available on Cursor Marketplace
Matt Stead, Product Marketing Manager
- product
Securing the AI coding ecosystem: Chainguard and the AI tools developers use
Matt Stead, Product Marketing Manager
- product
Adopt hardened containers without changing your pipelines, tooling, or environment
Mandy Hubbard, Sr. Technical Product Marketing Manager