Chainguard Libraries for Python
Learning Lab for June 2025 on Chainguard Libraries for Python and Supply Chain Security
Python library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.
At a high level, adopting the use of Chainguard Libraries consists of the following steps:
You should also:
If your organization does not use a repository manager, you can still use Chainguard Libraries. However, this approach requires configuration of multiple build and development platforms and utilities to use Chainguard Libraries. For this reason, adopting the use of a repository manager is the recommended approach.
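One way to confirm that the repository manager really is the single point of access is to audit the JSON that `pip install --report` writes and flag any distribution that was not downloaded through it. This is an added example, not Chainguard's own tooling; the manager hostname and the report contents are constructed placeholders.

```python
"""Audit a `pip install --report` JSON file: every resolved distribution must
have been fetched through the organization's repository manager, never straight
from pypi.org, files.pythonhosted.org, a local path or an ad-hoc URL.
Added example, not Chainguard's own code; the report below is constructed."""
import json
from urllib.parse import urlparse

# Assumed hostname of the internal repository manager (placeholder value).
REPO_MANAGER_HOST = "repo.example.internal"

# Constructed sample of the JSON written by `pip install --report report.json`.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "install": [
        {"metadata": {"name": "requests", "version": "2.32.3"},
         "download_info": {"url": "https://repo.example.internal/python-all/"
                                  "packages/requests-2.32.3-py3-none-any.whl"}},
        {"metadata": {"name": "urllib3", "version": "2.2.2"},
         "download_info": {"url": "https://files.pythonhosted.org/packages/"
                                  "sample/urllib3-2.2.2-py3-none-any.whl"}},
        {"metadata": {"name": "mylib", "version": "0.1"},
         "download_info": {"url": "file:///home/dev/src/mylib"}},
    ],
})


def find_bypasses(report_text, allowed_host=REPO_MANAGER_HOST):
    """Return (name, version, url) for every install not served by allowed_host."""
    report = json.loads(report_text)
    bypasses = []
    for item in report.get("install", []):
        url = item.get("download_info", {}).get("url", "")
        parsed = urlparse(url)
        # Local paths and direct URLs bypass the manager just like public indexes,
        # so anything whose host is not the manager is reported.
        if parsed.scheme not in ("http", "https") or parsed.hostname != allowed_host:
            meta = item.get("metadata", {})
            bypasses.append((meta.get("name"), meta.get("version"), url))
    return bypasses


if __name__ == "__main__":
    for name, version, url in find_bypasses(SAMPLE_REPORT):
        print(f"{name}=={version} was not fetched via {REPO_MANAGER_HOST}: {url}")
```

Run it against a real report in CI to catch builds that reach past the manager via `--extra-index-url`, direct URLs or local paths.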
Cloudsmith supports Python repositories for proxying and hosting, as well as polyglot repositories that combine multiple repository sources with compatible formats. Refer to the Cloudsmith Python Repository documentation and the Cloudsmith documentation for creating a repository for more information.
Use the following steps to add a repository with both Chainguard Libraries for Python and PyPI as upstream sources.
First, create a repository:
Next, configure the upstream proxies:

Name | Priority | Upstream URL | Mode
python-chainguard | 1 | https://libraries.cgr.dev/python/ | Cache and Proxy
python-public | 2 | https://pypi.org/ | Cache and Proxy
See the page on build tool configuration for Chainguard Libraries for Python for information on accessing credentials and setting up build tools.
JFrog Artifactory supports PyPI repositories for proxying and virtual repositories to combine multiple sources into a single repository. The following instructions are based on the PyPI Repository documentation for Artifactory.
Use the following steps to add the Chainguard Libraries for Python index and the PyPI public index as remote repositories and combine them as a virtual repository:
Configure a remote repository for the Chainguard Libraries for Python index:

Repository Key: python-chainguard
URL: https://libraries.cgr.dev/python/
Registry URL: https://libraries.cgr.dev/python/

Configure a remote repository for the PyPI public index:

Repository Key: python-public
URL: https://files.pythonhosted.org
Registry URL: https://pypi.org/

Combine the two repositories in a new virtual repository:

Repository Key: python-all
Repositories: select the python-chainguard and python-public repositories. Ensure the python-chainguard repository is the first in the displayed list. Use the icon on the right of the repository name to drag and drop repositories into the desired position.

At this point, you have a virtual repository set up in Artifactory that allows you or others in your organization to access Chainguard Libraries for Python with your chosen tools. This setup falls back to the public PyPI index in cases where a package is not available in Chainguard's index.
See the page on build tool configuration for Chainguard Libraries for Python for information on accessing credentials and setting up build tools.
Sonatype Nexus Repository allows multiple remote repositories to be merged into a repository group. The following instructions are based on the Nexus documentation for PyPI.
The following steps create a remote repository for Chainguard Libraries for Python, a remote repository for the public PyPI index, and a repository group combining these sources.
First, log in to Sonatype Nexus as a user with administrator privileges and open the Server administration and configuration section via the gear icon in the top navigation bar.
Next, configure a remote repository for the public PyPI index:

Name: python-public
Remote storage: https://pypi.org/

Configure a remote repository for the Chainguard Libraries for Python repository:

Name: python-chainguard
Remote storage: https://libraries.cgr.dev/python/

Finally, create a new repository group and add the two repositories:

Name: python-all
Member repositories: move python-public and python-chainguard to the right, then move the python-chainguard repository to the top of the list with the arrow control.

See the page on build tool configuration for Chainguard Libraries for Python for information on accessing credentials and setting up build tools.
Last updated: 2025-04-07 14:42