Shweta Sharma
Senior Writer

Chainguard adds automated SBOMs, vulnerability scanning to Enforce

Jul 19, 2023 (3 min read)
Application Security

With the added features, Enforce can now generate and ingest software bills of materials for container images, automate vulnerability scans and generate reports.


Software supply chain security provider Chainguard is adding a suite of new capabilities to its native Kubernetes security and compliance platform Enforce.

The new capabilities include automatic generation and ingestion of software bills of materials (SBOMs) for container images, vulnerability scans, report generation, and a central console.

Enforce was launched last year to secure the deployment of container images by helping developers define and enact policies for them.

Automated SBOM ingestion

With the new SBOM features in Enforce, the platform will automatically ingest SBOMs attached to container images and will convert the SBOM's JSON structure into structured data that can be queried with a database.

Such automation is vital if organizations are to make use of SBOMs, said Katie Norton, an analyst with IDC.

"For SBOMs to be an effective mechanism for aiding in the security of the software supply chain at scale, they must be operationalized and integrated into daily operations, existing tools, and security ecosystems," said Norton. "In the event of a security incident or vulnerability, organizations need the ability to query all their software’s SBOMs instantly."

Being able to query SBOMs across the application portfolio enables the organization to determine the impact rather than wait for each application development team to provide them with individual assessments or waste valuable time scanning each application again, Norton added.

For container images that arrive without an SBOM, Enforce will generate one automatically using Syft, an open source SBOM generation tool and library.

Centralized console

Enforce is also adding a search functionality in the platform's console, allowing developers to easily search for specific packages, versions, licenses, or a file within their SBOMs.

"Organizations need SBOM management solutions, like what Chainguard is offering, that provide a centralized repository," Norton said. "As modern applications typically include open source and third-party commercial libraries along with internally developed code, these solutions must be able to ingest SBOMs external to the organization. Further, the solution must be able to reconcile and normalize SBOM data to provide a unified, organization-wide view."

The centralized console's search and filter capabilities will further help in investigating vulnerabilities, according to the company. Additionally, Enforce will automatically generate daily vulnerability reports for supported container workloads using Grype, an open source vulnerability scanner developed and maintained by the Anchore project.

Vulnerability reports are generated from the SBOM previously created or ingested for each container image, so each scan is focused on the packages actually present in that workload rather than on the image as an opaque whole.
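The three capabilities described above, ingesting SBOM JSON into a queryable store, searching it by package or licence across every image, and matching the resulting package inventory against an advisory list, can be shown end to end in a few dozen lines. The following is an added example written for this article; it is not Chainguard's or Anchore's code and does not reflect how Enforce, Syft or Grype are implemented. It assumes two constructed SBOMs (one in CycloneDX JSON shape, one in SPDX JSON shape, the two formats Syft can emit), a constructed advisory list whose identifiers are placeholders, and an in-memory SQLite database standing in for the platform's backing store.

```python
"""Ingest container-image SBOMs into SQLite, query them, and match advisories.

Added example: constructed inputs, not Chainguard/Anchore code.
"""
import sqlite3

# Constructed CycloneDX-shaped SBOM for a hypothetical image "web:1.0".
SBOM_CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:apk/alpine/openssl@1.1.1k",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:apk/alpine/zlib@1.2.11",
         "licenses": [{"license": {"id": "Zlib"}}]},
    ],
}

# Constructed SPDX-shaped SBOM for a hypothetical image "api:2.0".
SBOM_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.7", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.7"}]},
        {"name": "curl", "versionInfo": "7.88.1", "licenseConcluded": "curl",
         "externalRefs": []},
    ],
}

# Constructed advisory feed: (package, affected version, advisory id).
# The ids are placeholders, not real advisory identifiers.
ADVISORIES = [
    ("openssl", "1.1.1k", "ADV-PLACEHOLDER-001"),
    ("curl", "7.88.1", "ADV-PLACEHOLDER-002"),
]


def parse_sbom(doc):
    """Yield (name, version, license, purl) rows from a CycloneDX or SPDX dict."""
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            ids = [l.get("license", {}).get("id", "") for l in c.get("licenses", [])]
            yield (c["name"], c.get("version"), ",".join(ids) or None, c.get("purl"))
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield (p["name"], p.get("versionInfo"), p.get("licenseConcluded"), purl)
    else:
        raise ValueError("unsupported SBOM format")


def build_db(sboms):
    """Create the package inventory and ingest one SBOM per image name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (image TEXT, name TEXT, version TEXT, "
                 "license TEXT, purl TEXT)")
    conn.execute("CREATE INDEX idx_pkg ON packages (name, version)")
    for image, doc in sboms.items():
        conn.executemany("INSERT INTO packages VALUES (?, ?, ?, ?, ?)",
                         [(image, *row) for row in parse_sbom(doc)])
    conn.commit()
    return conn


def find_packages(conn, name=None, license=None):
    """Search all ingested images by package name and/or licence.

    Filter values are bound as parameters; only fixed column names are
    interpolated, so user-supplied search terms cannot alter the query.
    """
    clauses, params = [], []
    if name:
        clauses.append("name = ?")
        params.append(name)
    if license:
        clauses.append("license = ?")
        params.append(license)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = f"SELECT image, name, version, license FROM packages{where} ORDER BY image, name"
    return conn.execute(sql, params).fetchall()


def match_advisories(conn, advisories):
    """Join the inventory against an advisory list; exact version match only."""
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS advisories "
                 "(name TEXT, version TEXT, advisory TEXT)")
    conn.execute("DELETE FROM advisories")
    conn.executemany("INSERT INTO advisories VALUES (?, ?, ?)", advisories)
    return conn.execute(
        "SELECT p.image, p.name, p.version, a.advisory FROM packages p "
        "JOIN advisories a ON a.name = p.name AND a.version = p.version "
        "ORDER BY p.image").fetchall()


if __name__ == "__main__":
    db = build_db({"web:1.0": SBOM_CYCLONEDX, "api:2.0": SBOM_SPDX})
    print(find_packages(db, license="Apache-2.0"))
    print(match_advisories(db, ADVISORIES))
```

Because every image's packages live in one table, the "which workloads ship openssl?" question Norton describes becomes a single query rather than a re-scan of each image. The advisory join here matches exact versions only; a production scanner such as Grype evaluates version ranges and ecosystem-specific version ordering, which is the hard part this example deliberately leaves out.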

All the new features are available as part of the Enforce platform at launch.