Chainguard launches malware-resistant dependencies for Python

The Python programming language has become the foundation of modern AI and machine learning applications. Of course that makes it a prime target for supply chain attacks.

Public registries do minimal vetting of hosted artifacts, and they don't provide assurance that the distributed library matches its source code, exposing enterprises to supply chain attacks. Python libraries are also susceptible to supply chain attacks because many projects include more than just pure Python code -- for example project maintainers often rebundle shared system libraries into their Python libraries to ensure stable behavior.

To help guard against these threats Chainguard is launching Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.

By securely building every library and all of its dependencies from source, Chainguard Libraries for Python provides application security teams with confidence that malware hasn’t been inserted during the build and distribution of libraries in the Python ecosystem.

"Chainguard is rebuilding every component for a given library -- Python, Java, or otherwise -- from source so organizations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities," says Kim Lewandowski, co-founder and chief product officer at Chainguard. "We're providing a secure, trusted source of Python libraries that allows enterprises to remove friction and add security without asking developers to change how they build and deploy software."

It integrates with existing artifact managers to empower application security teams to close the massive security hole while not disrupting developers' work.

Building every dependency for every Python library from source combats malware injection at the build and distribution links of the open source supply chain. This reduces risk from supply chain threat points like compromised build processes, release pipelines, and distribution points. Isolating and rebuilding the shared system dependencies required by Python libraries allows Chainguard to eliminate an additional hidden attack vector stemming from bundled software components.

Chainguard Libraries for Python is now available in early access and you can find out more on the Chainguard site.

Image credit: Acnalesky/Dreamstime.com