chainctl
chainctl Chainguard Control
For the complete documentation index, see llms.txt.
Update lockfile integrity hashes with Chainguard Libraries checksums
update-hashes reads package lockfiles and updates integrity hashes with checksums from Chainguard Libraries.
Provide a path to a specific lockfile, or omit it to auto-detect a lockfile in the current directory.
By default, Chainguard hashes are appended alongside existing hashes in supported formats (e.g. pip-tools, poetry). Use –replace to replace them.
Note: formats that store a single hash per artifact (uv.lock, pdm.lock, pylock.toml) always replace — –replace has no effect on them.
JavaScript formats:
Python formats:
The ecosystem is auto-detected from the lockfile name. Use –ecosystem to override.
For Python, hashes are fetched from the Chainguard Libraries “python” catalog by default. Use –remediated to fetch from “python-remediated” (CVE-patched packages), and –cuda to also include packages from the matching CUDA variant catalog.
chainctl libraries update-hashes [lockfile-path] [flags] # Auto-detect lockfile in the current directory
chainctl libraries update-hashes
# Update hashes in a specific npm lockfile
chainctl libraries update-hashes package-lock.json
# Update hashes in a Python pip-tools requirements file
chainctl libraries update-hashes path/to/requirements.txt
# Preview changes without writing the file
chainctl libraries update-hashes --dry-run package-lock.json
# Replace hashes (instead of appending alongside existing ones)
chainctl libraries update-hashes --replace uv.lock
# Include CUDA variant packages for Python
chainctl libraries update-hashes --cuda cu128 uv.lock --cuda string CUDA variant to include alongside python (e.g. "cu124", "cu130")
--dry-run Show what would change without writing
--ecosystem string Ecosystem: "auto", "js", or "python" (default "auto")
--ecosystems-url string URL for the Ecosystems Proxy (defaults to https://libraries.cgr.dev)
--no-color Disable colored output
--parent string Parent organization for authentication
--remediated Use python-remediated registry (Python only)
--replace Replace integrity hashes instead of appending (no-op for formats that only support replacement) --api string The url of the Chainguard platform API. (default "https://console-api.enforce.dev")
--audience string The Chainguard token audience to request. (default "https://console-api.enforce.dev")
--config string A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly.
--console string The url of the Chainguard platform Console. (default "https://console.chainguard.dev")
--force-color Force color output even when stdout is not a TTY.
-h, --help Help for chainctl
--issuer string The url of the Chainguard STS endpoint. (default "https://issuer.enforce.dev")
--log-level string Set the log level (debug, info) (default "ERROR")
-o, --output string Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide]
-v, --v int Set the log verbosity level.Last updated: 2026-04-23 19:31