Secure software supply chain solution provider Chainguard Inc. today announced Chainguard Libraries, a new product line that offers secure language libraries for Java, built directly from source in infrastructure hardened to the Supply-chain Levels for Software Artifacts (SLSA) framework.
Chainguard Libraries is built with end-to-end integrity and native protection at both package build and distribution. Chainguard said the service stands in stark contrast to today's disparate set of public registries, which can only minimally vet the artifacts they host. Using Libraries, customers gain one standardized endpoint through which developers consume language dependencies safely and securely, without introducing malware and other supply chain security risks into their environment.
The new product line addresses a gap in the modern software development lifecycle: securing it requires locking down every layer of the stack, including the operating system, runtime environment, language libraries and application code. Yet developers rely on libraries from public registries such as PyPI, Maven and NPM, which prioritize convenience over safety and security.
According to Chainguard, public registries are low friction by design. As a result, they perform minimal vetting of the artifacts uploaded to their repositories and impose no requirement for digital attestations of package integrity or build security. Attackers frequently exploit these weaknesses at the build and distribution stages of the package lifecycle, injecting malware into seemingly safe software.
The launch of Chainguard Libraries accelerates the company's mission to build a safe source for open source, giving developers a single, standardized endpoint from which to consume language dependencies safely and securely.
With Libraries, Chainguard expands beyond containerized application deployments and now delivers safe open source across compute modalities such as containers, virtual machines and developer workstations, and across the software development lifecycle, including application development, testing and deployment.
“Developers need a better way to consume open-source language dependencies that unites ease of use with trusted security,” said co-founder and Chief Executive Dan Lorenc. “Chainguard Libraries provides a secure, trusted source for Java dependencies, built entirely from source in Chainguard’s hardened environment.”
The announcement was made ahead of Chainguard Assemble, the company’s annual conference in San Francisco. TheCUBE, SiliconANGLE Media’s livestreaming studio, will be providing coverage of the event, including discussions with industry experts on the evolving threat landscape, new regulatory pressures and innovations reshaping software supply chain security.