Chainguard has expanded the number of secure open source libraries it makes available to include Java and JavaScript components based on code it has reworked to better secure software supply chains. Additionally, an expanded set of secure Python libraries, first introduced last year, is now generally available.
Bria Giordano, libraries lead for Chainguard, said the overall goal is to better secure software supply chains by making available a repository that organizations pay to access, from which developers can download software artifacts and components that adhere to Level 2 of the Supply-chain Levels for Software Artifacts (SLSA) framework defined by the Open Source Security Foundation (OpenSSF).
In total, Chainguard has rebuilt nearly one million unique versions of Java dependencies, including enterprise essentials such as Spring Boot, Jackson, Apache Commons, and Log4j, using the Chainguard Factory, an automated platform for creating software builds based on code originally found in open source software repositories.
Chainguard also covers 88% of the top 500 highest-impact JavaScript libraries, along with tens of thousands of additional libraries. Finally, Chainguard now covers 94% of Python dependencies typically found in applications.
In the last year, security researchers discovered more than 450,000 malicious packages. Chainguard provides DevOps teams with an alternative repository for downloading secure libraries and containers, built by developers who are assisted by artificial intelligence (AI) agents, in a way that adheres to DevSecOps best practices.
That approach eliminates the need to rely on individual application developers to test every component they use for known vulnerabilities, noted Giordano. It’s simply not realistic to expect developers to keep track of the millions of open source libraries found in repositories all across the web, she added. Instead, Chainguard researchers continuously monitor open source software projects for updates to ensure that the libraries Chainguard offers are based on the latest version of the code published by maintainers, she said.
It’s not clear to what degree DevOps teams are adopting repositories that provide access to inherently more secure software than what might be found on GitHub or Maven. A recent Futurum Group survey finds that about 35% of respondents plan to make some type of investment in application security, with well over a third expecting their organization to increase spending on software security testing (39%) and application programming interface (API) security (36%) over the next 12 to 18 months.
Chainguard, however, is making a case for resolving application security issues at the root cause by ensuring that the code that is often reused to build applications is fundamentally secure.
Mitch Ashley, vice president and practice lead for software lifecycle engineering at The Futurum Group, said Chainguard’s expansion of its repository service shifts supply chain security from perimeter defense to source control. Rebuilding at the dependency layer targets the unverified libraries where most of the issues behind application security incidents actually began, he said.
Hopefully, there will come a time when AI tools generate open source code that has fewer vulnerabilities than what is being seen today, but in the meantime, DevOps teams would be well-advised to always consider the source when downloading any type of software component.

