Vulnerability scanners and Chainguard Libraries
Details for using vulnerability scanners with Chainguard Libraries.
For the complete documentation index, see llms.txt.
Chainguard Libraries provide controlled access to security-enhanced Java and Python dependencies through the unified Chainguard platform authentication system. This guide explains how to access (download) Chainguard library artifacts for your organization.
--parent
parameter to specify your organization when running commands with chainctl.There are two approaches to access: Using an artifact manager or direct access.
If your organization uses an artifact manager such as Cloudsmith, JFrog Artifactory, or Sonatype Nexus, you can set up and configure credentials once per language ecosystem. Then, all projects and developers automatically inherit the configuration. This option is recommended for organizations with multiple teams, and provides centralized access controls and consistent uptime.
Set up authentication directly in each project’s build configuration. This option allows for faster initial setup, but it does not allow for global configuration. It requires configuration per project and workstation, which creates more overhead as you scale across teams and projects.
Both approaches require pull tokens for authentication; see Pull token characteristics and use for more information.
NOTE: For Python users, the Chainguard keyring provider uses short-lived credentials and is the preferred method where your environment supports it.
Once your user account is created and access is confirmed, install the
Chainguard Control chainctl command line
tool and log in to your
account:
chainctl auth loginAfter authentication in a browser window, a successful login displays a message and a token:
Successfully exchanged token.
Valid! Id: 8a4141a........7d9904d98cPull tokens authenticate requests to download library artifacts from Chainguard. You can create the pull tokens:
For environments where short-lived credentials are not suitable, such as some CI/CD platforms, you can generate a pull token, which provides longer-lived access to Chainguard Libraries.
To create a pull token you must have the relevant entitlement
for the ecosystem and the libraries.java.pull_token_creator,
libraries.javascript.pull_token_creator, or
libraries.python.pull_token_creator role.
Create a new pull token for the Chainguard Libraries for Java with the chainctl auth pull-token command:
chainctl auth pull-token --repository=java --parent=example --ttl=8670h--repository=java: retrieve the token for use with Chainguard Libraries for
Java. Use python for a token to use
Chainguard Libraries for Python and
javascript for a token to use Chainguard Libraries for
JavaScript.--parent=example: specify the parent organization for your account as
provided when requesting access to Chainguard Libraries and replace example.--ttl=8670h: set the duration for the validity of the token, defaults to
720h (equivalent to 30 days), maximum valid value is 8760h (equivalent to
365 days), valid unit strings range from nanoseconds to hours and are ns,
us, ms, s, m, and h.Use the optional --name flag to supply a meaningful and short name for the
token, to be able to locate it easier at a later stage.
When omitting the parent parameter, potentially a list of organizations is
displayed. Use the arrow keys to navigate the selection displayed after the
question “With which location is the pull token associated?” and select the
organization that has the entitlement to access Chainguard Libraries for Java.
Press / to filter the list.
chainctl returns a username and password suitable for basic authentication in
the response:
Username: 45a.....424eb0
Password: eyJhbGciO..........WF0IjoxNFollow these steps to create a pull token for Chainguard Libraries in the Chainguard console:
The returned username and password combination is a new credential set in the organization that is independent of the account used to create and retrieve the credential set. It is therefore suitable for use in any service application, such as a repository manager or a build tool that is not tied to a specific user. You can also use the token as an individual for your development with direct access to Chainguard Libraries.
To use the pull token in another environment, supply the username and password for basic authentication. Note that the actual returned values are much longer.
Note: Chainguard does not offer an SLA for uptime availability of the Chainguard Libraries repositories at
libraries.cgr.dev. To reduce production risk and ensure reliability, we recommend proxying the repositories through your own artifact repository whenever possible.
For artifact manager setup, see the global configuration guides:
For direct access, see the build configuration guides:
Using environment variables for username and password is more secure than hard coding the values in configuration files. In addition, you can use the same configuration and files for all users to simplify setup and reduce errors.
Use the env environment output option to create a snippet for a new token
suitable for integration in a script.
$ chainctl auth pull-token --output env --repository=java --parent=example
export CHAINGUARD_JAVA_IDENTITY_ID=45a.....424eb0
export CHAINGUARD_JAVA_TOKEN=eeyJhbGciO..........WF0IjoxNCombine the call with eval to populate the environment variables directly by
calling chainctl:
eval $(chainctl auth pull-token --output env --repository=java --parent=example)Equivalent commands for Python and JavaScript are supported and result in values
for the CHAINGUARD_PYTHON_IDENTITY_ID/CHAINGUARD_PYTHON_TOKEN and
CHAINGUARD_JAVASCRIPT_IDENTITY_ID/CHAINGUARD_JAVASCRIPT_TOKEN variables.
Use the export commands in a ~/.env or similar file or use your preferred
secrets management application to reuse the token in multiple sessions. Source
the file or load the secrets from the app to have access to the tokens in your
shell session, including build configurations file that can load from
environment variables, for example a Maven settings.xml file.
Running this command as part of a login script or some other automation allows your organization to replace actual username and password values in your build tool configuration with environment variable placeholders:
curl and a number of other tools support configuration of
username and password authentication details for a specific domain in the
.netrc
file,
typically located in the user’s home directory.
Use this approach for authentication to a repository manager in your organization or to Chainguard Libraries directly, for example with pip and others for Chainguard Libraries for Python, with bazel for Chainguard Libraries for Java or for manual testing with curl.
The following example shows a suitable setup for a repo manager available at
repo.example.com:
machine repo.example.com
login YOUR_USERNAME_FOR_REPOSITORY_MANAGER
password YOUR_PASSWORDFor a direct connection to Chainguard Libraries, for example for testing with
curl, use the following example with the username
CHAINGUARD_PYTHON_IDENTITY_ID and password CHAINGUARD_PYTHON_TOKEN value for
the pull token for the desired language ecosystem:
machine libraries.cgr.dev
login CHAINGUARD_PYTHON_IDENTITY_ID
password CHAINGUARD_PYTHON_TOKENNote that the long string for the password value must use only one line.
Use the credentials for manual testing in a browser or with a script and curl if you know the URL for a specific library artifact. Refer to the following sections for more details:
Python users can leverage an alternative to pull tokens. The Chainguard keyring implementation provides short-lived credentials from supported environments, such as local development and CI/CD platforms that can use assumable identities.
Where possible, Chainguard recommends using short-lived credentials to access Chainguard Libraries.
To set up the keyring, install the keyrings-chainguard-libraries package:
pip install keyrings-chainguard-librariesNote: If you haven’t set up access to Chainguard Libraries for Python, the above command installs the package from PyPI. After installing and configuring Chainguard Libraries for Python, you can get the private package again, to get the package built by Chainguard. To re-install the package:
pip install keyrings-chainguard-libraries --ignore-installed --no-cache-dirOnce the keyring package is installed, when you request to install packages from
Chainguard Libraries for Python, the keyring automatically retrieves short-lived
credentials for you, using chainctl.
To use the keyring with a project uv, install the keyring:
uv pip install keyrings-chainguard-librariesNote: If you haven’t set up access to Chainguard Libraries for Python, the above command installs the package from PyPI. After installing and configuring Chainguard Libraries for Python, you can get the private package again, to get the package built by Chainguard. To re-install the package:
uv pip install keyrings-chainguard-libraries --reinstall --no-cacheBy default, uv disables keyring auth.
To enable it in the global uv.toml:
keyring-provider = "subprocess"To enable it in a project-specific pyproject.toml:
[tool.uv]
keyring-provider = "subprocess"Pull tokens are separate identities with username and password that are used for access to Chainguard Libraries. The tokens have a limited Time to Live (TTL) with a default of 30 days and a maximum TTL of 365 days.
As a result, pull tokens become invalid after the TTL and are flagged as expired. For your use of Chainguard Libraries you must replace the token with a new one.
Expired tokens can no longer be used for access to Chainguard Libraries, but otherwise do not cause any issues and continue to exist until you delete them.
Inspect all pull tokens for your organization in the Chainguard console:
The list includes the following columns:
Use the action to remove a pull token:
Alternatively use chainctl with the auth pull-token and iam identities commands for various inspection and management tasks.
List all pull tokens with the list command:
chainctl auth pull-token listThe displayed list includes the following columns:
apk.pull, container
images registry.pull, Python libraries libraries.python.pull, Java
libraries libraries.java.pull, and JavaScript libraries
libraries.javascript.pull .List all pull tokens for Chainguard Libraries for Java that are not yet expired:
chainctl auth pull-token list --repository=javaList all expired pull tokens for Chainguard Libraries for Python:
chainctl auth pull-token list --repository=python --expired=trueUse the delete command for IAM
identities
to delete a specific pull token using its ID 45a0c61ea6fd97...:
chainctl iam identities delete 45a0c61ea6fd97...Use the identifier or name of your organization example and the --expired
flag to remove all expired pull tokens:
chainctl iam ids rm --expired --parent=exampleYou can create, list, and remove entitlements using chainctl libraries entitlements.
As administrator you can use chainctl libraries entitlements create for one or more ecosystems:
chainctl libraries entitlements create --ecosystems=JAVASCRIPT,JAVA,PYTHONTo enable upstream fallback for JavaScript, use the --policy flag:
chainctl libraries entitlements create --ecosystems=JAVASCRIPT --policy=CHAINGUARD_AND_UPSTREAMTo update the upstream fallback policy on an existing entitlement, rerun the create command with the new --policy value.
You can delete an ecosystem library entitlement for a specific ecosystem from your organization with chainctl libraries entitlements delete:
chainctl libraries entitlements delete --ecosystem=JAVASCRIPT --parent=exampleYou can verify entitlements for your organization example.com to verify which ecosystems are enabled:
chainctl libraries entitlements listThe output includes the ecosystem and configured policy in the table:
Ecosystem Library Entitlements for example (45a0...p7q)
ID | ECOSYSTEM | POLICY
-----------------------------------------------------------|------------|--------------------------------
45a0c61a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q/12345abc67890 | JAVASCRIPT | POLICY_CHAINGUARD_AND_UPSTREAM
45a0c61a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q/45678abc67890 | JAVA | POLICY_CHAINGUARD
45a0c61a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q/56789abc67890 | PYTHON | POLICY_CHAINGUARDUsers with the Owner role can create, enable, disable, and list library policies using chainctl libraries policy commands. These policies apply to all packages pulled through Chainguard Repository. The upstream fallback must be enabled for an ecosystem in order to use policies.
One custom policy per ecosystem can be enabled at a time. This policy should include all the rules you need, which may include a cooldown period, package block rules, and any overrides.
Chainguard Libraries supports the following types of policies:
Note: The commands in this section require
chainctlv0.2.291 or newer.
Library policies use package URLs, or purls, to identify packages across ecosystems:
pkg:pypi/<name>pkg:pypi/requestspkg:npm/<name> or pkg:npm/%40<scope>/<name> for scoped packagespkg:npm/lodash or pkg:npm/%40angular/corepkg:maven/<group>/<artifact>pkg:maven/com.fasterxml.jackson.core/jackson-databindOmit the version to match all versions of the package.
Append @<version> to target one version. For example:
pkg:pypi/requests@2.31.0pkg:npm/lodash@4.17.20, pkg:npm/%40angular/core@17.0.0pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0To understand the impact before enforcing a policy, use --mode=PREVIEW with the chainctl libraries policy enable command. In preview mode, installs continue to succeed, but Chainguard records what would have been blocked over the last 30 days if the policy had been enforced.
In the following example, a policy called 3day-cooldown has already been created. To preview what would have been blocked if that policy had been enforced, run this command:
chainctl libraries policy enable --policy=3day-cooldown --ecosystem=JAVASCRIPT --mode=PREVIEWThis returns a list of successful installs that would have been blocked by this policy over the last 30 days.
After creating a policy, use --mode=ENFORCE to enable it for the ecosystem where you want to apply it. For example:
chainctl libraries policy create --name=disable-cooldown --cooldown-days=0
chainctl libraries policy enable --policy=disable-cooldown --ecosystem=JAVASCRIPT --mode=ENFORCEWhen upstream fallback is enabled, users with the Owner role can create and enable a cooldown policy with chainctl. The cooldown period provides an additional layer of defense on top of malware and greyware scanning, giving the broader security community time to surface threats that may not be immediately detectable.
In the following example, a 10-day cooldown policy is created, then it is enforced on the JavaScript ecosystem:
chainctl libraries policy create --name=js-cooldown --cooldown-days=10
chainctl libraries policy enable --policy=js-cooldown --ecosystem=JAVASCRIPT --mode=ENFORCEThe default cooldown period is 7 days.
To understand the impact before enforcing a policy, use --mode=PREVIEW. In preview mode, installs continue to succeed, but Chainguard records what would have been blocked if the policy were enforced.
To disable the cooldown, set it to 0. In the example below, the policy is created, then it is enforced on the Java ecosystem:
chainctl libraries policy create --name=no-cooldown --cooldown-days=0
chainctl libraries policy enable --policy=no-cooldown --ecosystem=JAVA --mode=ENFORCECreate a custom policy with one or more --block entries to deny packages explicitly. Block rules are helpful if your organization has deliberately decided not to allow certain packages. To understand the impact before enforcing a block, use --mode=PREVIEW.
For example, if your organization standardizes on React and wants to prevent teams from pulling in Angular, you can add a --block entry for each Angular package you want to deny. In the following example, a policy called team-policy has previously been created, and this command is run to update the policy to add blocks of specific Angular packages:
chainctl libraries policy update --name=team-policy \
--block=purl=pkg:npm/%40angular/core \
--block=purl=pkg:npm/%40angular/common \
--block=purl=pkg:npm/%40angular/router
chainctl libraries policy enable --name=team-policy --ecosystem=JAVASCRIPT --mode=ENFORCETo block one specific version, include the version in the purl. For example, if a particular release is flagged with a known vulnerability that you want to block within your organization, you can block just the affected version while allowing the other versions. Use a command like the following:
chainctl libraries policy update --name=team-policy \
--block=purl=pkg:npm/ua-parser-js@0.7.29
chainctl libraries policy enable --name=team-policy --ecosystem=JAVASCRIPT --mode=ENFORCETo block all versions of a package, omit the version. For example, the following command updates the existing team-policy to add a block of all versions of a package:
chainctl libraries policy update team-policy \
--block=purl=pkg:pypi/<name>
chainctl libraries policy enable --name=team-policy --ecosystem=PYTHON --mode=ENFORCEYou can also combine block rules with a custom cooldown in the same policy. The following example creates a policy that blocks colourama, a typosquat of the colorama package. In addition, a cooldown is included:
chainctl libraries policy create --name=team-policy \
--cooldown-days=2 \
--block=purl=pkg:pypi/colourama
chainctl libraries policy enable --name=team-policy --ecosystem=PYTHON --mode=ENFORCEUse chainctl libraries packages blocked to review what a policy has blocked. By default, this shows pull events that were blocked under any enforced policies. For example:
chainctl libraries packages blocked --ecosystem=JAVASCRIPTIf you have policies enabled in Preview mode, you can check successful pulls that would have been blocked in the last 30 days if the policy were to be enforced. For example:
chainctl libraries policy enable --policy=example-policy --ecosystem=JAVASCRIPT --mode=PREVIEW
chainctl libraries packages blocked --mode=PREVIEW --ecosystem=JAVASCRIPTReplace example-policy with the name of the policy you want to preview.
Use --allow to permit a package that has been blocked by a policy or by malware and greyware scanning.
Override policies takes precedence over block policies.
A cooldown override is useful when a newly published version includes an urgent fix and you need it before the cooldown window expires. For example:
chainctl libraries policy update team-policy \
--allow='purl=pkg:npm/undici@8.4.1,override-cooldown=true,justification="urgent patch"'If the new version pulls in transitive dependencies that are also blocked under a cooldown policy, those transitive packages must be overridden too.
A malware override should be used sparingly and only after your security team has explicitly reviewed the package. A justification is required when you set override-malware=true.
chainctl libraries policy update team-policy \
--allow='purl=pkg:npm/node-ipc@10.1.3,override-malware=true,justification="approved in SEC-1234"'To list available policies, run the following:
chainctl libraries policy listTo verify which policy is active and its cooldown settings, run the following:
chainctl libraries policy binding listPrior to chainctl version 0.2.291, cooldown policies were enabled via the chainctl entitlements command. Cooldown policies configured prior to this version of chainctl are migrated under the new chainctl libraries policies system.
Last updated: 2025-07-23 15:09