
Chainguard Expands Trusted Open Source Defense With GA of Python Libraries

As software supply chain threats continue to evolve from nuisance to existential risk, Chainguard is doubling down on its mission to make open source dependencies verifiably safe. The company today announced the general availability of Chainguard Libraries for Python, a new class of trusted, continuously verified open source builds that now includes built-in CVE remediation — giving developers a way to stay secure without constantly chasing version upgrades.


Securing the Software Commons


The timing couldn’t be more critical. In recent months, attackers have compromised dozens of popular npm packages downloaded billions of times, reinforcing that the open source ecosystem’s greatest strength — its openness — is also its most persistent vulnerability.


“Because the vast majority of supply chain attacks rely on injecting malicious code somewhere between the source repository and your download, we’re building directly from source,” Chainguard explained in its release. By doing so, the company says it can “eliminate the risk of the overwhelming majority of malware attacks across all ecosystems.”


Instead of depending on public registries that can be poisoned by threat actors, Chainguard Libraries are built and distributed through the company’s hardened infrastructure. Every package is continuously monitored for integrity and paired with verifiable provenance data — a “chain of custody” that can be traced from the upstream source to production deployment.


Tackling CVEs Without Breaking Builds


The new Python release introduces something more ambitious: automated patching for critical and high-severity CVEs. Rather than forcing developers to upgrade immediately to the latest version of a library, Chainguard now identifies upstream security fixes, runs tests to ensure they don’t break dependencies, and ships secure, patched builds complete with VEX (Vulnerability Exploitability eXchange) advisories.


That proactive approach has already drawn attention from early adopters. “Chainguard’s new Python library with CVE remediations has quickly become a key part of our security model at Abridge,” said Trey Caliva, Staff Platform Engineer at Abridge AI. “By extending their approach to include active CVE remediation, they are helping us streamline how we secure our software supply chain without increasing overhead on our developers.”


For many security teams, managing dependencies riddled with vulnerabilities is a Sisyphean task. Developers are often forced to choose between delaying product releases or running unpatched software until the next sprint. Chainguard’s model offers a third path: stay secure and stay put.


A Shift Toward Trusted-by-Design Ecosystems


Beyond efficiency, the implications for long-term resilience are significant. With trusted builds and backported security patches, organizations can reduce both their attack surface and their compliance burden. The company says this approach will allow developers to “upgrade when ready,” while automated CVE remediation minimizes reporting, exception tracking, and audit fatigue.


Integrations with leading scanners such as Grype and Trivy also make it easier for security teams to verify and document CVE reduction at scale, a feature that could help bridge the gap between development velocity and regulatory accountability.


Chainguard plans to expand the CVE remediation framework beyond Python to other languages in the coming months, positioning itself as a key player in redefining how enterprises consume open source code.


In a world where open source is both the foundation of innovation and the front line of cyber risk, Chainguard’s release signals a new phase: one where the software commons can finally be secured not by trust, but by proof.
