New updates have been reported about Chainguard.
Chainguard has launched Chainguard Repository, a unified, Chainguard-managed service that lets enterprises pull secure-by-default open source containers, libraries, OS packages, virtual machine images, CI/CD workflows, and agent skills under a single set of intelligent, enforceable security policies. The product is designed as a “trust layer” for AI-driven software development, where autonomous agents and AI coding tools are dramatically increasing the volume of code, dependencies, and open source artifacts entering enterprise environments.
The company is initially offering more than 73,000 Chainguard-built JavaScript packages through the repository, with a controlled fallback to npm only when required, and claims its Chainguard Libraries, built in a SLSA Level 3-compliant environment, eliminate 99.7% of malware by design while incorporating a cooldown period to keep newly discovered npm malware out of customer environments. Chainguard plans to extend the repository later this year to Python and Java libraries, container images, OS packages, virtual machine images, CI/CD workflows, and agent skills, adding policy controls such as CVE blocking, license enforcement, end-of-life prevention, and long-term support requirements.
The launch directly targets escalating supply chain risk as AI accelerates both defensive and offensive software development, with Chainguard citing data that the average container holds over 600 known CVEs and that nearly 455,000 malicious packages hit major ecosystems like npm, PyPI, and Maven Central in 2025. CEO and co-founder Dan Lorenc positioned Chainguard Repository as a mechanism for enterprises to control exactly which software enters their environments as software creation and deployment become increasingly autonomous, shifting security from reactive scanning and patching to secure-by-default consumption of artifacts built from verifiable, public source code.
Strategically, the repository deepens Chainguard’s role as a central gatekeeper for open source in large organizations, as its AI-native Chainguard Factory continuously rebuilds more artifacts from source, improving customers’ security posture automatically without configuration changes or developer workflow disruption. The platform offers dashboards for real-time visibility into policy enforcement, coverage, and vulnerabilities, integrates with existing artifact managers or can run standalone, and is currently available in beta while Chainguard targets further enterprise adoption across Fortune 500 and AI-intensive customers that need to balance rapid innovation with strict compliance and risk controls.

