Chainguard Libraries for Python: Now Generally Available with CVE Remediation and Malware Protection

We’re excited to announce the General Availability (GA) for Chainguard Libraries for Python, trusted builds of open source language libraries designed to strengthen malware protection and accelerate CVE remediation.

The recent compromise of 20 popular npm packages, collectively downloaded over 2 billion times, underscores how increasingly sophisticated and widespread software supply chain attacks have become. Because the vast majority of supply chain attacks rely on injecting malicious code somewhere between the source repository and your download, we’re building directly from source to eliminate the risk of the overwhelming majority of malware attacks across all ecosystems. Chainguard Libraries eliminates the risk of consuming packages directly from public registries.

Every package is continuously monitored and distributed through Chainguard’s hardened infrastructure, ensuring integrity from source to production. In addition, Chainguard Libraries for Python now backports patches for select critical and high-severity vulnerabilities, easing the burden on developers by reducing the need to immediately upgrade to the latest versions just to stay secure.

Preventing malware-based exploits AND remediating CVEs

Open source supply chain attacks have become more aggressive and pervasive. Recent ecosystem breaches have exposed how easily threat actors can inject malicious code into dependencies and exploit build and registry vulnerabilities to push dangerous versions of packages to consumers.

We initially announced Chainguard Libraries, knowing that our customers desperately needed a solution to this constant and growing threat of malware without slowing down software builds. And as we worked with over a hundred organizations during our initial beta release, they confirmed this.

"Chainguard's new Python library with CVE remediations has quickly become a key part of our security model at Abridge. By extending their approach to include active CVE remediation, they are helping us streamline how we secure our software supply chain without increasing overhead on our developers."

Additionally, many customers asked if we could do something to address CVEs across their open source libraries. Updating libraries to the latest versions with CVE fixes is also incredibly time-consuming, with most customers unable to update immediately due to existing build cycle demands.

With this GA release, we are excited to offer CVE Remediation for Chainguard Libraries for Python, with plans to extend support to additional languages over time. This capability was developed in close collaboration with early adopters and power users, who have been testing it in real-world environments to ensure our patches are reliable in production.

With Chainguard Libraries, we fix high and critical Python CVEs by identifying upstream patches, running full tests to ensure nothing breaks, and shipping secure updates – complete with VEX advisories – so customers stay protected without any disruption.

This CVE remediation capability helps customers gain clear operational and security benefits, reducing both the time and risk associated with managing vulnerable dependencies:

• Lower risk: Vulnerabilities are removed from Libraries, significantly reducing the attack surface and exposure. 

• Upgrade when ready: Customers can remain on the library versions that best fit their environments, without being forced into version upgrades just to patch a CVE, allowing customers to upgrade on their own schedule. 

• Less reporting and toil: With automated remediation, teams spend less time tracking and remediating CVEs, managing exceptions, or writing security justifications.

• Streamlined exception management: Simplified processes for handling ‘approved’ libraries, vulnerability management, and compliance reporting.

• Integrations with key scanners: Integrations with scanners you’re already using, like Grype and Trivy, to demonstrate CVE reduction. 

Get started today

Customers can use Chainguard Libraries for Python through their existing workflows and immediately benefit from CVE Remediation today. CVE fixes can be validated with scanners like Grype and Trivy, with more browsing capabilities to come.

Chainguard Libraries for Python is now generally available. Sign up today to help your teams stay secure and compliant without slowing development.