Chainguard has launched Chainguard Repository, a unified, secure-by-default endpoint for open source artifacts, aimed at the growing security risk posed by AI coding agents. Because an AI agent's training data is typically a year or more out of date, agents tend to pull older, often vulnerable library versions, and they do so at machine speed. The product currently covers more than 70,000 npm packages built in an SLSA Level 3-compliant environment, eliminating 99.7% of malware by design; packages that fall back to upstream builds are held under a seven-day cooldown policy before they are served. Configurable exceptions allow security teams to bypass the cooldown for critical CVE patches. Governance controls also let engineering teams limit which packages developers can access, addressing dependency sprawl as well as security. Future expansion will cover Python, Java, containers, OS packages, and VMs, with planned policies for CVE blocking, license enforcement, and end-of-life prevention.

From thenewstack.io (6 min read)
Table of contents (of the original article):
- Attackers are using AI too
- A single front door for open source
- The cooldown dilemma
- Governance beyond security
- Security that improves on its own
- What's next
