Chainguard launches native Kubernetes compliance software Enforce

Software supply chain security provider Chainguard is launching its first product, Chainguard Enforce, a native Kubernetes application for securing deployment of container images.

Enforce is designed to let developers define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in their clusters.

“Chainguard Enforce is built on cryptographic signatures, which allows it to authenticate the contents of an image rather than where it was served from,” says Kim Lewandowski, co-founder, Chainguard. “This system can be used to protect against insider risks and to restrict production deployments to a set of highly secured build systems.” 

A container image refers to a static file with executable code that can create a container on a computing system. A container holds multiple packages of a software application and all the constituent resources that can be run in any environment. Kubernetes, on the other hand, is an open-source orchestration automating deployment, scaling, and management of containerized applications.  

Digital signatures secure software supply chain

Enforce is based on the open-source Sigstore project that secures software supply chains by creating digital signatures for the various components of an application. 

“Container security has a number of challenges, from overstuffed images to container sprawl to awareness gaps to control gaps,” says Sandy Carielli, an analyst at Forrester. “The Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.” 

According to Carielli, removing any unnecessary or unused components that could increase the attack surface increases the trustability of the container images.  

Enforce supports build system integration, compliance

Enforce will feature four major components with a “developer friendly” command-line interface (CLI). The components are a policy agent, build system integration, continuous verification, and evidence lake.  

• Policy Agent: a read-only support for per-cluster policies and configurations that can be centrally managed and administered across multicluster environments. Included policy definitions are based on open-source supply chain levels for software artifacts (SLSAs) and secure software development framework (SSDF) standards. 
• Build System Integration: includes integration for multiple CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to enable streamlining of development and tracking source code’s original environments. Integrations are quick to install and configure for DevOps teams.  
• Continuous Verification: has consistent support to alert about deviations from defined policies and compliance in the container images.
• Evidence Lake: refers to the real-time asset inventory that provides visibility into the security posture across the organization including developer tooling, incident recovery, debugging, and audit automation.  

“One key use case for Chainguard Enforce is to help organizations get a better handle on their build systems as they’re common attack vectors,” says Lewandowski. “We’re starting with a very prescriptive set of policies designed for key management and SLSA levels, without a full-blown language. We’re also looking into using Cue for constraint and schema definitions.” 

Configure Unify Execute (Cue) is an open-source language with a set of APIs and tools for coding, scripting, and querying.