Build configuration
Configuring Chainguard Libraries for Java on your workstation
For the complete documentation index, see llms.txt.
Java and JVM library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, Google Artifact Registry, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.
The recommended approach is to use the upstream
fallback
feature of Chainguard Repository, which allows you to configure your repository
manager with a single upstream pointed at https://libraries.cgr.dev/java/. The
Chainguard Repository handles fallback and policy enforcement; your repository
manager handles local caching and access control. Chainguard also retrieves
packages from the public Maven Central repository on your behalf when upstream
fallback is enabled. This includes protections such as malware scanning and a
cooldown period for newly published packages.
At a high level, adopting the use of Chainguard Libraries consists of the following steps:
https://libraries.cgr.dev/java/
as the single upstream source for Java package retrieval. This can be done
either:This page explains how to use Chainguard Libraries for Java with a repository manager. If your organization does not use a repository manager, you can pull directly from Chainguard. Refer to the direct access documentation for build tools for more information.
Chainguard recommends using the Chainguard Repository’s built-in upstream fallback rather than configuring a public registry fallback in your repo manager. Configuring your own fallback bypasses the protection that the Chainguard Repository provides.
However, if you intentionally want to manage fallback ordering yourself, you can
configure https://libraries.cgr.dev/java/ as a remote repository alongside
your Maven upstream, and combine them in a virtual or group repository with
Chainguard as the first priority. The per-tool instructions on this page follow
this pattern. If you configure a fallback to Maven Central, packages sourced
from that registry are not covered by Chainguard’s malware-resistance
guarantees.
Cloudsmith supports Maven repositories for proxying and hosting. Refer to the Maven Repository documentation and the Maven Upstream documentation for Cloudsmith for more information. Cloudsmith supports combining repositories by defining multiple upstream repositories.
Use the following steps to set up a repository in Cloudsmith to access Chainguard Java Libraries via the Chainguard Repository.
Configure a java-all repository:
java-all for your new repository. The name should
include java to identify the ecosystem. This convention helps
avoid confusion since repositories in Cloudsmith are multi-format.Configure an upstream proxy for the Chainguard Libraries for Java repository:
java-chainguard repository on the repositories
page to configure it.java-chainguard1https://libraries.cgr.dev/java/java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually configuring fallback, you can add an additional upstream proxy for the public Maven Central repository with a lower priority than java-chainguard.
Use this setup for initial testing with Chainguard Libraries for Java. For
production usage, add the java-chainguard upstream proxy to your production
repository.
The following steps allow you to determine the URL and authentication details for accessing the repository:
<url> tag from the XML snippet with the
<repositories> entry. For example,
https://dl.cloudsmith.io/basic/exampleorg/java-all/maven/ with exampleorg
replaced with the name of your organization. Note that the name of the
repository java-all as well as maven as identifier for the format are
part of the URL.Choose a different format and the equivalent sections if you are using another build tools such as Gradle.
Use the URL of the repository, the username, and the password for the server authentication block in the build configuration and build a first test project. In a working setup, all libraries retrieved from Chainguard are tagged with the name of the upstream proxy.
Google Artifact Registry (GAR) supports the Maven format for hosting artifacts in Standard repositories and proxying artifacts from public repositories in Remote repositories. Use Virtual repositories to combine them for consumption with Maven and other build tools. Use the Java package documentation for Google Artifact Registry as the starting point for more details.
Use the following steps to set up a repository in GAR to access Chainguard Java Libraries via the Chainguard Repository.
Before configuring the repositories, you must create a secret with the password value as retrieved with chainctl:
chainguard-libraries-java.chainctl output.Navigate to Artifact Registry. In the left hand navigation under Artifact Registry, select Repositories. Configure a remote repository for Chainguard Libraries for Java:
java-chainguardMavenhttps://libraries.cgr.dev/java/chainguard-libraries-java secret in the list.java-public repository.java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually managing fallback, you can configure an additional remote repository for the public Maven Central with lower priority.
Combine the repositories in a new virtual repository:
java-alljava-chainguard
repository as Repository 1 and set the Policy name 1 to
java-chainguard.java-chainguard-remediated, java-chainguard, then if you are manually configuring fallback to public Maven, java-public last.java-public repository.The following steps allow you to configure your build tool for accessing the repository:
java-all repository name in the list of repositories.com.google.cloud.artifactregistry:artifactregistry-maven-wagon to each
project.In a working setup, the chainguard remote repository contains all artifacts
retrieved from Chainguard.
JFrog Artifactory supports Maven repositories for proxying and hosting, and virtual repositories to combine them. Refer to the Maven Repository documentation for Artifactory for more information.
Use the following steps to set up a repository in Artifactory to access Chainguard Java Libraries via the Chainguard Repository.
Configure a remote repository for the Chainguard Libraries for Java repository:
java-chainguardhttps://libraries.cgr.dev/java/java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually managing fallback, you can configure an additional remote repository for Maven Central with lower priority. Make sure to deactivate Maven Settings - Handle Snapshots in the remote repository.
Combine the repositories in a new virtual repository:
java-alljava-chainguard and java-public repositories. Drag and drop repositories into the
desired position.java-chainguard-remediated repository and ensure it is the first in the displayed list. If not, ensure the java-chainguard repository is first.Use this setup for initial testing with Chainguard Libraries for Java. For
production usage add the java-chainguard repository to your production virtual
repository.
After creating the java-chainguard remote repository, validate that Artifactory is successfully proxying through to Chainguard before proceeding. Because Artifactory falls back to Maven Central when a connection to a remote repository fails, a misconfigured repository may silently resolve packages from Mavel Central rather than Chainguard — and the build will succeed without any visible error.
Common sources of misconfiguration include invalid or expired credentials, or an incorrect or incomplete repository URL. The Artifactory Test button on the repository configuration screen is not a reliable indicator; it may fail for a correctly configured repository, and may pass for an incorrectly configured one. Instead, use the following steps to verify that fetching an artifact through Artifactory produces the same checksum as fetching it directly from libraries.cgr.dev.
junit-4.13.2.jar. You can substitute any artifact you know to be available.curl -sSf -L \
-u "${CHAINGUARD_JAVA_IDENTITY_ID}:${CHAINGUARD_JAVA_TOKEN}" \
https://libraries.cgr.dev/java/junit/junit/4.13.2/junit-4.13.2.jar \
| sha256sumcurl -sSf -L \
-u "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
https://<artifactory-host>/artifactory/java-chainguard/junit/junit/4.13.2/junit-4.13.2.jar \
| sha256sumReplace artifactory-host with your Artifactory instance hostname.
The checksums returned by the commands must match.
If the checksum from the Artifactory remote repository differs from the direct fetch, or if the Artifactory fetch fails entirely, review the following before proceeding:
https://libraries.cgr.dev/java/.chainctl auth pull-token --repository=java and update the Artifactory repository credentials. Expired tokens fail silently.Do not proceed to virtual repository setup or build configuration until the checksums match.
The following steps allow you to determine the URL and authentication details for accessing the repository:
chainguard-maven repository.https://exampleorg.jfrog.io/artifactory/java-all/ with exampleorg
replaced with the name of your organization.Use the URL of the virtual repository in the build configuration and build a first test project. In a working setup the chainguard remote repository contains all libraries retrieved from Chainguard.
Sonatype Nexus
Repository
includes a maven-public repository group out of the box. It groups access to
the Maven Central Repository from the maven-central repository with the
internal maven-releases and maven-snapshot repositories. Refer to the Maven
Repositories documentation for
Nexus for more
information.
If you are using this group, you can add a proxy repository for Chainguard Libraries for Java repository for production use.
Use the following steps to set up a repository in Sonatype Nexus to access Chainguard Java Libraries via the Chainguard Repository.
If you are configuring your own fallback in your repo manager, for initial testing it is advised to create a separate proxy repository for the Maven Central Repository, a separate proxy repository Chainguard Libraries for Java repository, and a separate repository group.
Configure a remote repository for the Chainguard Libraries for Java repository:
maven2 (proxy) recipe.java-chainguardRelease.https://libraries.cgr.dev/java/username Authentication type, and
provide the username and password values as retrieved with
chainctl.java-chainguard-remediated with a URL set to https://libraries.cgr.dev/java-remediated/. Use the same authentication details.If you are manually managing fallback, you can configure an additional java-public remote repository for Maven Central with lower priority.
Combine a new repository group and add the repositories:
maven2 (group) recipe.java-alljava-public and java-chainguard to the right. Move the
java-chainguard repository to the top of the list with the arrow control. If you are using the remediated repository, move the java-chainguard-remediated repository to the top.The following steps allow you to determine the URL and authentication details for accessing the repository:
java-all repository group and click
Copy.https://repo.example.com/repository/java-all/ (with
repo.example.com replaced with the hostname of your repository manager).Use the URL of the repository group, such as
https://repo.example.com/repository/java-all/ or
https://repo.example.com/repository/maven-public/ in the build
configuration and build a
first test project. In a working setup the java-chainguard proxy repository contains
all libraries retrieved from Chainguard.
Last updated: 2026-06-24 14:42