Secure software supply chain solution provider Chainguard Inc. today expanded its Chainguard Repository product with malware scanning, policy enforcement and visibility features that now cover Java packages, Python packages and container images.
The update extends protections that previously applied only to JavaScript packages. Chainguard pitches the move as a way for security and platform teams to set guardrails once for an entire organization, so any artifact a developer or an artificial intelligence agent pulls already meets the company’s security and compliance bar.
The expansion targets a problem the company says has accelerated alongside AI coding tools. Faster development has been matched by a steady run of supply chain attacks, including npm package compromises and credential-stealing worms reported in recent months. Teams typically stack scanners, artifact managers and policy engines to manage the risk, but Chainguard argues those tools act too late in the pipeline or demand constant upkeep.
Chainguard’s proprietary scanner now analyzes upstream Python packages, Java packages and container images for malicious behavior in addition to JavaScript. The scanner sits at the repository level and removes the exposure window that occurs when checks run after an artifact has already been pulled.
The scanner also flags “greyware,” a term Chainguard uses for packages that function as advertised while actually doing something malicious, for example harvesting credentials or sending large language model prompts to a third-party server. Chainguard says it blocks more than 70 greyware projects every week that would never pass a chief information security officer security review but elude traditional malware scanners.
Repository’s built-in policy engine has been extended to the same artifact types, meaning consumption of containers, Python packages and Java packages can now be governed by policy. The change also brings an upstream fallback to Java and Python, allowing teams to pull scanned upstream packages that have passed a cool-down when Chainguard has not yet built a given package from source.
Chainguard also said its JavaScript libraries reached general availability, completing the rollout of its three library ecosystems alongside Java and Python.
New policy types accompany the expansion, available in open beta as of today. For containers, teams can block images that have reached end of life, restrict pulls to images with long-term support and set cool-downs that delay access to new versions. For libraries, Chainguard added custom blocking that prevents developers from pulling specific projects or versions, along with manual overrides across both product lines for cases where a team needs an artifact a policy would otherwise block.
The company also added a preview mode that shows how a policy would affect current open-source consumption before it is enforced, plus reporting on which artifacts were blocked, which policies triggered the block and when.
Founded in 2021, Chainguard raised $280 million in October at a reported valuation of $3.5 billion, bringing its total raised to roughly $892 million.
Image: Chainguard/ChatGPT
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
