I’ve noted that cyber security news has been inundating my inbox. As well, media relations people have identified me as a supply chain writer/analyst. It’s one of those indications of the broadening of the market I serve. This news concerns the first product of a new company, Chainguard.

We’re announcing our first product, Chainguard Enforce, a software supply chain solution that is native for Kubernetes workloads. Chainguard Enforce enables you to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in your clusters. The goals of Chainguard Enforce are to deliver a seamless developer experience with security built in, and a platform for CISOs to manage organization-wide security controls.

After speaking with over 50 organizations about their software supply chain challenges, it was clear security leaders share a similar concern: it’s impossible to be confident about the code running in production environments. There are limited options for production supply chain security policy management today, yet emerging frameworks like SLSA and NIST’s SSDF require it. 

“Insider risks are top of mind for us. The capabilities Chainguard Enforce provides are filling critical gaps across our organization,” said Jim Higgins, CISO for Block.

Component Breakdown

Chainguard Enforce consists of four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake. 

The read-only Policy Agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multi-cluster environments. The Agent integrates with many Kubernetes platforms like EKS, AKS, and GKE today. It comes with a curated set of policy definitions based on the open-source SLSA and NIST SSDF standards, and also supports a full policy language for defining custom policies.

Chainguard Enforce includes Build System Integrations for most popular CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to establish a record of what source code was used to build each container. In most cases, it takes less than a day for DevOps teams to install and configure these build system integrations.

Continuous Verification ensures that deployed container images stay in compliance with your defined policies and any deviations will trigger an alert.

Last but not least, the Evidence Lake is a real-time asset inventory that provides visibility into the security posture across an organization. The data can be used to power developer tooling, incident recovery, debugging, and audit automation. There are also integrations available for popular alerting and ticketing platforms such as Slack and Jira.
