Chainguard Enforce protects organizations from supply chain threats

Chainguard announced its first product, Chainguard Enforce, an open source software supply chain security solution for Kubernetes workloads.

Chainguard Enforce enables clients to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in your clusters. The goals of Chainguard Enforce are to deliver a seamless developer experience with security built in, and a platform for CISOs to manage organization-wide security controls.

After speaking with over 50 organizations about their software supply chain challenges, it was clear security leaders share a similar concern: it’s impossible to be confident about the code running in production environments. There are limited options for production supply chain security policy management today, yet emerging frameworks like SLSA and NIST’s SSDF require it.

“Insider risks are top of mind for us. The capabilities Chainguard Enforce provides are filling critical gaps across our organization.” said Jim Higgins, CISO for Block.

Let’s walk through an example use case before diving into more details about the product. As an organization, you may decide that you want to prevent unwanted container images from being deployed by only allowing those that have been signed by trusted authorities, like a build system that you’ve hardened. Chainguard Enforce simplifies this entire journey giving you confidence in container images running in production with the added benefits of knowing where they came from and how they got there.

Chainguard Enforce consists of four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake.

The read-only Policy Agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multi-cluster environments. The Agent integrates with many Kubernetes platforms like EKS, AKS, and GKE today. It comes with a curated set of policy definitions based on the open-source SLSA and NIST SSDF standards, and also supports a full policy language for defining custom policies.

Chainguard Enforce includes Build System Integrations for most popular CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to establish a record of what source code was used to build each container. In most cases, it takes less than a day for DevOps teams to install and configure these build system integrations.

Continuous Verification ensures that deployed container images stay in compliance with your defined policies and any deviations will trigger an alert.

Last but not least, the Evidence Lake is a real-time asset inventory that provides visibility into the security posture across an organization. The data can be used to power developer tooling, incident recovery, debugging, and audit automation. There are also integrations available for popular alerting and ticketing platforms such as Slack and Jira.

Serving the software supply chain

Making things frictionless for developers is the best way to support the adoption of more secure solutions. The team behind Chainguard Enforce are active across open-source communities, and leaders in security standards working groups. They have built this tool with stakeholders and developers in mind, in the hopes of making the software supply chain more secure by default.