Enforce, Chainguard's enterprise-ready platform for supply chain security in containerized applications has been upgraded to provide major new features that enable secure software development across every step of the software supply chain.

Chainguard/Sigstore is no stranger when it comes to supply chain security, and we here at I Programmer know all about it having dedicated quite a few articles to it, the latest being Sigstore Java - Sign And Verify Your Java Builds, which was about a tool for signing and verifying Java package distributions with Sigstore's keyless signing.

In Surveying Software Supply Chain Security we looked at Chainguard's survey that addressed the questions:

• Is everyone doing software supply chain security, or is everyone just talking about software supply chain security?
  
  
• Do software professionals actually think different software supply chain practices are helpful, easy or difficult?

It seems that Chainguard is continuously on the move, producing solutions looking to secure the software supply chain. Enforce is Chainguard's solution for end-to-end supply chain security for containerized workloads. It enables engineering and security teams to ensure continuous compliance through policy enforcements utilizing open source projects and standards that are trusted by the community.

Its main selling points are :

• Discover your running workloads, top security risks, and recommended mitigations
  
  
• Define and apply supply chain security policies to your Kubernetes clusters
  
  
• Sign any software artifact — including container images, code commits, and more — with an identity-based one-time-use signature
  
  
• Meet compliance requirements such as SLSA levels, CIS benchmarks, Pod Security Standards, and more
  
  
• Ensure continuous compliance in real time of all of your organization’s policies with instant notification of any violations

Chainguard has just announced an upgrade to its Enforce platform with the new capabilities of automatic SBOM generation and vulnerability analysis reporting; just in time for the federal government's mandate on implementing stronger software security standards and requirements for vendors.

These new capabilities include:

• Automatic SBOM generation and ingests for supported container images, and a central console for filtering and searching for SBOMs and vulnerabilities across environments.

With the new SBOM features in Enforce, the platform will automatically ingest SBOMs attached to your container images and allow you to search packages and track them back to the workloads and clusters they are running in.

When Enforce ingests an SBOM, it will convert the
SBOM’s JSON structure into structured data that can be queried within a database.

• Daily vulnerability scans and report generation across cloud-native workloads. 

This ensures you are always aware of any new vulnerabilities that could affect your workloads, and you no longer need to implement vulnerability scan generation in your build pipelines. If a critical or high impact vulnerability is discovered, you’ll easily be able to find out if it’s running in your cluster.

• Keyless signatures through a privately managed signing infrastructure for enterprises who do not want sensitive data stored publicly.

So if you are workloads run on Kubernetes, Enforce can secure the software supply chain by being armed with capabilities like workload discovery, policy enforcement, continuous verification and now, ingesting and generating SBOMs, deep vulnerability analysis reporting and a private signing infrastructure.

These capabilities come as a life saver now, at a time that the federal government is requiring the filling of CISA self-attestation forms, which require CEOs or a delegated leader to attest to the security and integrity of software developed by their teams whether its first-party or third-party code.

More Information

Enforce

Related Articles

Sigstore Java - Sign And Verify Your Java Builds

Surveying Software Supply Chain Security

Wolfi Linux (Un)Distribution Secures The Software Supply Chain

Protect The Software Supply Chain With Gitsign

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info