New Software Signing Capability For Chainguard Enforce
Written by Sue Gee
Thursday, 08 December 2022
Chainguard has announced new capabilities in its software supply chain risk management platform, Chainguard Enforce. These include a software signing service powered by Sigstore.

Chainguard is on a mission to ensure that every link in the software supply chain is secure by default. Its philosophy is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production.

Chainguard Enforce is its risk management platform, designed to ensure continuous compliance and enforce policies that protect an organization from supply chain threats. Announced in April 2022, it became Generally Available in September and recently became available on the AWS Marketplace, making it easier for enterprises to discover, try and purchase the platform.

As Kim Lewandowski, Chainguard's Founder, explained:

Attacks are happening at each and every point along the chain, from the way code gets built, to its deployment, to how it's run and then packaged and shipped to end users. Because software supply chain security covers the entire development lifecycle, it isn't like other areas in security where point solutions can solve it. An iterative approach to addressing the security of the entire software supply chain is needed to make long term progress. Chainguard Enforce has been designed to help organizations on this journey ensure only trusted container images are allowed to move through their supply chains and deployed to their clusters.

Chainguard Enforce enables clients to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in their clusters. It has four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake, a real-time asset inventory that provides visibility into the security posture across an organization.
Now several new features are being added. The headline capability is Chainguard Enforce Signing, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This feature, powered by Sigstore, the open source project now under the auspices of the Linux Foundation, helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified. Additionally, Enforce Signing allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy. Other new features in Enforce include:
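To make the "individual identity plus one-time-use key" idea concrete, here is an added, simplified model of that signing flow written for this article; it is not Chainguard's or Sigstore's code. It assumes a bare public key travels with the signature where Sigstore would use a short-lived certificate, and the identity string and sample artifact bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Bundle is everything a verifier needs later: the signature, the one-time
// public key and the identity the key was issued for. (Simplified model of
// a Sigstore bundle; the real one carries a short-lived certificate.)
type Bundle struct {
	Identity  string
	PubKey    *ecdsa.PublicKey
	Signature []byte
}

// SignArtifact models keyless signing: a fresh key is generated, used once
// over the artifact's SHA-256 digest, and the private half is discarded.
func SignArtifact(artifact []byte, identity string) (*Bundle, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	// priv goes out of scope here: there is no long-lived key to rotate or leak.
	return &Bundle{Identity: identity, PubKey: &priv.PublicKey, Signature: sig}, nil
}

// VerifyArtifact is what an admission policy does at deploy time: it checks
// the signer identity against policy, recomputes the digest of the artifact
// actually being admitted, and validates the signature over that digest.
func VerifyArtifact(artifact []byte, b *Bundle, allowedIdentity string) bool {
	if b.Identity != allowedIdentity {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(b.PubKey, digest[:], b.Signature)
}

func main() {
	img := []byte("constructed sample image manifest v1") // constructed artifact
	b, err := SignArtifact(img, "ci-bot@example.com")   // constructed identity
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", VerifyArtifact(img, b, "ci-bot@example.com"))
	fmt.Println("tampered:", VerifyArtifact([]byte("tampered manifest"), b, "ci-bot@example.com"))
}
```

The tampered call fails because the digest no longer matches, and a bundle signed under a different identity fails the policy check before any cryptography runs.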
Last Updated ( Thursday, 08 December 2022 )