Build configuration
Configuring Chainguard Libraries for Java on your workstation
For the complete documentation index, see llms.txt.
Java and JVM library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, Google Artifact Registry, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.
The recommended approach is to use the upstream
fallback
feature of Chainguard Repository, which allows you to configure your repository
manager with a single upstream pointed at https://libraries.cgr.dev/java/ without a separate fallback to Maven Central. The
Chainguard Repository handles fallback and policy enforcement; your repository
manager handles local caching and access control. Chainguard retrieves
packages from the public Maven Central repository on your behalf when upstream
fallback is enabled. This includes protections such as malware scanning and a
cooldown period for newly published packages.
At a high level, adopting the use of Chainguard Libraries consists of the following steps:
https://libraries.cgr.dev/java/
as the single upstream source for Java package retrieval. This can be done
either:This page explains how to use Chainguard Libraries for Java with a repository manager. If your organization does not use a repository manager, you can pull directly from Chainguard. Refer to the direct access documentation for build tools for more information.
Chainguard recommends using the Chainguard Repository’s built-in upstream fallback rather than configuring a fallback to the public Maven Central registry in your repo manager. Configuring your own fallback bypasses the protection that the Chainguard Repository provides.
However, if you intentionally want to manage fallback ordering yourself, you can
configure https://libraries.cgr.dev/java/ as a remote repository alongside
your Maven upstream, and combine them in a virtual or group repository with
Chainguard as the first priority. If you configure a fallback to Maven Central,
packages sourced from that registry are not covered by Chainguard’s
malware-resistance guarantees.
The per-tool instructions on this page vary by repository manager. The JFrog Artifactory and Sonatype Nexus Repository sections use the recommended upstream fallback approach, which Chainguard has tested with those tools. The Cloudsmith and Google Artifact Registry sections use the manual Maven Central fallback pattern; Chainguard has not yet tested the upstream fallback with those tools.
Cloudsmith supports Maven repositories for proxying and hosting. Refer to the Maven Repository documentation and the Maven Upstream documentation for Cloudsmith for more information. Cloudsmith supports combining repositories by defining multiple upstream repositories.
Note: Chainguard has not yet tested the recommended upstream fallback approach — a single upstream pointed at
https://libraries.cgr.dev/java/— with Cloudsmith. The following steps instead configure Maven Central as an upstream fallback in your repository manager. Packages sourced from Maven Central are not covered by Chainguard’s malware-resistance guarantees.
Use the following steps to add a repository with the Maven Central Repository and the Chainguard Libraries for Java repository as Maven upstream repositories.
Configure a java-all repository:
java-all for your new repository. The name should
include java to identify the ecosystem. This convention helps
avoid confusion since repositories in Cloudsmith are multi-format.Configure an upstream proxy for the Maven Central Repository:
java-public repository on the repositories
page to configure it.java-public2https://repo1.maven.org/maven2/Configure an upstream proxy for the Chainguard Libraries for Java repository:
java-chainguard repository on the repositories
page to configure it.java-chainguard1https://libraries.cgr.dev/java/java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.Use this setup for initial testing with Chainguard Libraries for Java. For
production usage, add the java-chainguard upstream proxy to your production
repository.
The following steps allow you to determine the URL and authentication details for accessing the repository:
<url> tag from the XML snippet with the
<repositories> entry. For example,
https://dl.cloudsmith.io/basic/exampleorg/java-all/maven/ with exampleorg
replaced with the name of your organization. Note that the name of the
repository java-all as well as maven as identifier for the format are
part of the URL.Choose a different format and the equivalent sections if you are using another build tools such as Gradle.
Use the URL of the repository, the username, and the password for the server authentication block in the build configuration and build a first test project. In a working setup, all libraries retrieved from Chainguard are tagged with the name of the upstream proxy.
Google Artifact Registry supports the Maven format for hosting artifacts in Standard repositories and proxying artifacts from public repositories in Remote repositories. Use Virtual repositories to combine them for consumption with Maven and other build tools. Use the Java package documentation for Google Artifact Registry as the starting point for more details.
Note: Chainguard has not yet tested the recommended upstream fallback approach — a single upstream pointed at
https://libraries.cgr.dev/java/— with Google Artifact Registry. The following steps instead configure Maven Central as an upstream fallback in your repository manager. Packages sourced from Maven Central are not covered by Chainguard’s malware-resistance guarantees.
Use the following steps to add the Maven Central Repository and the Chainguard Libraries for Java repository as remote repositories and combine them as a virtual repository:
Before configuring the repositories, you must create a secret with the password value as retrieved with chainctl:
chainguard-libraries-java.chainctl output.Navigate to Artifact Registry and select Repositories in the left hand navigation under the Artifact Registry label to configure a remote repository for the Maven Central Repository:
java-publicConfigure a remote repository for the Chainguard Libraries for Java repository:
java-chainguardMavenhttps://libraries.cgr.dev/java/chainguard-libraries-java secret in the list.java-public repository.java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.Combine the repositories in a new virtual repository:
java-alljava-chainguard
repository as Repository 1 and set the Policy name 1 to
java-chainguard.java-public repository
as Repository 1 and set the Policy name 1 to java-public.java-chainguard policy name to a higher
value than the java-public priority value.java-chainguard-remediated repository and ensure it is the first in the displayed list. If not, ensure the java-chainguard repository is first.java-public repository.The following steps allow you to configure your build tool for accessing the repository:
java-all repository name in the list of repositories.com.google.cloud.artifactregistry:artifactregistry-maven-wagon to each
project.In a working setup, the chainguard remote repository contains all artifacts
retrieved from Chainguard.
JFrog Artifactory supports Maven repositories for proxying and hosting, and virtual repositories to combine them. Refer to the Maven Repository documentation for Artifactory for more information.
Use the following steps to set up a repository in Artifactory to access Chainguard Java Libraries via the Chainguard Repository.
Configure a remote repository for the Chainguard Libraries for Java repository:
java-chainguardhttps://libraries.cgr.dev/java/java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually managing fallback, you can configure an additional remote repository for Maven Central with lower priority. Make sure to deactivate Maven Settings - Handle Snapshots in the remote repository.
Note: If you are running Curation, you must add your Chainguard remote repository to the
curation-bypasslist.
Combine the repositories in a new virtual repository:
java-alljava-chainguard repository. If you are using the remediated repository, add the java-chainguard-remediated repository and ensure it is the first in the displayed list.Use this setup for initial testing with Chainguard Libraries for Java. For
production usage add the java-chainguard repository to your production virtual
repository.
After creating the java-chainguard remote repository, validate that Artifactory is successfully proxying through to Chainguard before proceeding. Because Artifactory falls back to Maven Central when a connection to a remote repository fails, a misconfigured repository may silently resolve packages from Maven Central rather than Chainguard — and the build will succeed without any visible error.
Common sources of misconfiguration include invalid or expired credentials, or an incorrect or incomplete repository URL. The Artifactory Test button on the repository configuration screen is not a reliable indicator; it may fail for a correctly configured repository, and may pass for an incorrectly configured one. Instead, use the following steps to verify that fetching an artifact through Artifactory produces the same checksum as fetching it directly from libraries.cgr.dev.
Fetch the artifact directly from Chainguard and compute its checksum. This example uses junit-4.13.2.jar. You can substitute any artifact you know to be available.
curl -sSf -L \
-u "${CHAINGUARD_JAVA_IDENTITY_ID}:${CHAINGUARD_JAVA_TOKEN}" \
https://libraries.cgr.dev/java/junit/junit/4.13.2/junit-4.13.2.jar \
| sha256sumFetch the same artifact through the Artifactory remote repository and compute its checksum:
curl -sSf -L \
-u "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
https://<artifactory-host>/artifactory/java-chainguard/junit/junit/4.13.2/junit-4.13.2.jar \
| sha256sumReplace artifactory-host with your Artifactory instance hostname.
The checksums returned by the commands must match.
If the checksum from the Artifactory remote repository differs from the direct fetch, or if the Artifactory fetch fails entirely, review the following before proceeding:
https://libraries.cgr.dev/java/.chainctl auth pull-token --repository=java and update the Artifactory repository credentials. Expired tokens fail silently.Do not proceed to virtual repository setup or build configuration until the checksums match.
The following steps allow you to determine the URL and authentication details for accessing the repository:
chainguard-maven repository.https://exampleorg.jfrog.io/artifactory/java-all/ with exampleorg
replaced with the name of your organization.Use the URL of the virtual repository in the build configuration and build a first test project. In a working setup the chainguard remote repository contains all libraries retrieved from Chainguard.
Sonatype Nexus
Repository
includes a maven-public repository group out of the box. It groups access to
the Maven Central Repository from the maven-central repository with the
internal maven-releases and maven-snapshot repositories. Refer to the Maven
Repositories documentation for
Nexus for more
information.
If you are using this group, you can add a proxy repository for Chainguard Libraries for Java repository for production use.
Use the following steps to set up a repository in Sonatype Nexus to access Chainguard Java Libraries via the Chainguard Repository.
If you are configuring your own fallback in your repo manager, for initial testing it is advised to create a separate proxy repository for the Maven Central Repository, a separate proxy repository Chainguard Libraries for Java repository, and a separate repository group.
Configure a remote repository for the Chainguard Libraries for Java repository:
maven2 (proxy) recipe.java-chainguardRelease.https://libraries.cgr.dev/java/username Authentication type, and
provide the username and password values as retrieved with
chainctl.java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually managing fallback, you can configure an additional java-public remote repository for Maven Central with lower priority.
Combine a new repository group and add the repositories:
maven2 (group) recipe.java-alljava-chainguard to the right. If you are using the remediated repository, move the java-chainguard-remediated repository to the right, above the java-chainguard repository.The following steps allow you to determine the URL and authentication details for accessing the repository:
java-all repository group and click
Copy.https://repo.example.com/repository/java-all/ (with
repo.example.com replaced with the hostname of your repository manager).Use the URL of the repository group, such as
https://repo.example.com/repository/java-all/ or
https://repo.example.com/repository/maven-public/ in the build
configuration and build a
first test project. In a working setup the java-chainguard proxy repository contains
all libraries retrieved from Chainguard.
Last updated: 2026-06-24 14:42