DEVOPSdigest

Chainguard announced Chainguard Repository, a single Chainguard-managed experience for pulling secure-by-default open source containers, dependencies, OS packages, virtual machine images, CI/CD workflows, and agent skills that have built-in, intelligent policies to enforce enterprise security standards.

"AI is dramatically increasing the speed of software development for defenders and attackers alike. AI coding tools and autonomous agents are generating more code, pulling in more dependencies, and interacting with open source at a scale humans have never seen before," said Dan Lorenc, CEO and Co-founder of Chainguard. "Chainguard Repository is the trust layer for this new era. By giving developers a single, policy-enforced experience for open source, organizations can control what software enters their environments. In a world where software is increasingly generated and deployed autonomously, trust must be built into the foundation."

With Chainguard Repository, organizations connect once to a single Chainguard-managed experience with built-in, intelligent policies for secure-by-default open source artifacts. Starting today, customers can consume JavaScript libraries from Chainguard Repository, gaining access to more than 73,000 Chainguard-built JavaScript packages, only falling back to npm when necessary. Chainguard Libraries are built in a SLSA L3-compliant environment and eliminate 99.7% of malware by design. A cooldown protects the upstream fallback from npm malware by giving community researchers time to discover attacks before they are available in an organization's environment. As the AI-native Chainguard Factory builds more packages from source, an organization's security posture improves automatically without having to change settings, endpoints, or a line of code.

Later this year, Chainguard Repository will expand to Python and Java libraries, container images, OS packages, virtual machine images, CI/CD workflows, and agent skills, bringing the same secure-by-default experience and even more policy controls to the entire modern software stack. Additional policy types will include:

- CVE blocking: Prevent artifacts with known critical vulnerabilities from being pulled, reducing exposure before code runs.

- License enforcement: Restrict artifacts to approved licenses to help organizations align with their legal requirements.

- End-of-life prevention: Reject artifacts that have reached end of life, eliminating the risk of unmaintained software.

- Long-term support enforcement: Require artifacts to have long-term support, ensuring all in-use software is actively maintained.

Chainguard Repository advances Chainguard's mission to make open source trustworthy by default by shifting security from reactive scanning and patching to secure-by-default at the point of consumption. Artifacts are built from verifiable, public source code, and intelligent policies add another layer of protection and compliance.

At its core, the repository delivers:

- Automated compliance: Configurable policies that enforce organizational security standards across containers and libraries without manual reviews.

- Security posture that improves automatically: Risk shrinks as Chainguard rebuilds more artifacts from source, all without requiring developers to change a line of code.

- Clear visibility: Dashboards show real-time coverage, policy enforcement, and vulnerability status across every artifact an organization consumes.

Chainguard Repository integrates with existing artifact managers or can be deployed as a standalone experience.

Chainguard Repository is available in beta.