Chainguard’s Enforce is designed to help developers define and enact policies for container images to enable safer deployment. Credit: Joyseulay / Shutterstock Software supply chain security provider Chainguard is launching its first product, Chainguard Enforce, a native Kubernetes application for securing deployment of container images.Enforce is designed to let developers define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in their clusters.“Chainguard Enforce is built on cryptographic signatures, which allows it to authenticate the contents of an image rather than where it was served from,” says Kim Lewandowski, co-founder, Chainguard. “This system can be used to protect against insider risks and to restrict production deployments to a set of highly secured build systems.” A container image refers to a static file with executable code that can create a container on a computing system. A container holds multiple packages of a software application and all the constituent resources that can be run in any environment. Kubernetes, on the other hand, is an open-source orchestration automating deployment, scaling, and management of containerized applications. Digital signatures secure software supply chainEnforce is based on the open-source Sigstore project that secures software supply chains by creating digital signatures for the various components of an application. “Container security has a number of challenges, from overstuffed images to container sprawl to awareness gaps to control gaps,” says Sandy Carielli, an analyst at Forrester. “The Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.” According to Carielli, removing any unnecessary or unused components that could increase the attack surface increases the trustability of the container images. Enforce supports build system integration, complianceEnforce will feature four major components with a “developer friendly” command-line interface (CLI). The components are a policy agent, build system integration, continuous verification, and evidence lake. Policy Agent: a read-only support for per-cluster policies and configurations that can be centrally managed and administered across multicluster environments. Included policy definitions are based on open-source supply chain levels for software artifacts (SLSAs) and secure software development framework (SSDF) standards. Build System Integration: includes integration for multiple CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to enable streamlining of development and tracking source code’s original environments. Integrations are quick to install and configure for DevOps teams. Continuous Verification: has consistent support to alert about deviations from defined policies and compliance in the container images.Evidence Lake: refers to the real-time asset inventory that provides visibility into the security posture across the organization including developer tooling, incident recovery, debugging, and audit automation. “One key use case for Chainguard Enforce is to help organizations get a better handle on their build systems as they’re common attack vectors,” says Lewandowski. “We’re starting with a very prescriptive set of policies designed for key management and SLSA levels, without a full-blown language. We’re also looking into using Cue for constraint and schema definitions.” Configure Unify Execute (Cue) is an open-source language with a set of APIs and tools for coding, scripting, and querying. Related content brandpost Shifting security left: DevSecOps meets virtualization By Anthony Ricco, CMO of Corellium. 01 Jul 2023 4 mins Security news analysis Attackers add hacked servers to commercial proxy networks for profit Proxyjacking allows attackers to sell unknowing victims' unused network bandwidth. By Lucian Constantin 30 Jun 2023 4 mins Cybercrime news Command-and-control framework PhonyC2 attributed to Iran’s Muddywater group PhonyC2 was used to exploit the log4j vulnerability in the Israeli software SysAid, the attack against Israel’s Technion institute, and the ongoing attack against the PaperCut print management software. By Apurva Venkat 30 Jun 2023 4 mins Advanced Persistent Threats Cyberattacks Vulnerabilities news First state-sponsored cyberattack against UK government revealed two decades later Rare insight marks the 20th anniversary of a state-backed malware attack on a UK government department. By Michael Hill 30 Jun 2023 3 mins Cyberattacks Government Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe