Chainguard’s Enforce is designed to help developers define and enact policies for container images to enable safer deployment.

Software supply chain security provider Chainguard is launching its first product, Chainguard Enforce, a native Kubernetes application for securing deployment of container images.

Enforce is designed to let developers define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in their clusters.

“Chainguard Enforce is built on cryptographic signatures, which allows it to authenticate the contents of an image rather than where it was served from,” says Kim Lewandowski, co-founder, Chainguard. “This system can be used to protect against insider risks and to restrict production deployments to a set of highly secured build systems.”

A container image is a static file with executable code that can create a container on a computing system. A container holds the packages of a software application together with all the constituent resources it needs, so that it can run in any environment. Kubernetes, on the other hand, is an open-source orchestration system that automates deployment, scaling, and management of containerized applications.

Digital signatures secure software supply chain

Enforce is based on the open-source Sigstore project, which secures software supply chains by creating digital signatures for the various components of an application.

“Container security has a number of challenges, from overstuffed images to container sprawl to awareness gaps to control gaps,” says Sandy Carielli, an analyst at Forrester. “The Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.”

According to Carielli, removing any unnecessary or unused components that could increase the attack surface increases the trustability of the container images.
Enforce supports build system integration, compliance

Enforce will feature four major components behind a “developer friendly” command-line interface (CLI). The components are a policy agent, build system integration, continuous verification, and an evidence lake.

Policy Agent: read-only support for per-cluster policies and configurations that can be centrally managed and administered across multicluster environments. The included policy definitions are based on the open-source Supply-chain Levels for Software Artifacts (SLSA) and Secure Software Development Framework (SSDF) standards.

Build System Integration: integrations for multiple CI platforms, including GitHub Actions, CircleCI, BuildKite, and GitLab, to streamline development and track the source code’s original build environment. The integrations are quick for DevOps teams to install and configure.

Continuous Verification: consistent alerting on deviations from the defined policies and on compliance of the container images.

Evidence Lake: a real-time asset inventory that provides visibility into the security posture across the organization, supporting developer tooling, incident recovery, debugging, and audit automation.

“One key use case for Chainguard Enforce is to help organizations get a better handle on their build systems as they’re common attack vectors,” says Lewandowski. “We’re starting with a very prescriptive set of policies designed for key management and SLSA levels, without a full-blown language. We’re also looking into using Cue for constraint and schema definitions.”

Configure Unify Execute (Cue) is an open-source language with a set of APIs and tools for coding, scripting, and querying.
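The two ideas the article leans on, authenticating an image by its content digest rather than by the registry it came from, and admitting only images signed by a short list of trusted build systems, can be shown with a small admission check. The following Go program is an added example written for this page; it is not Chainguard Enforce code and it does not use Sigstore. It stands in for the real machinery with plain Ed25519 keys, signs the bare digest string (cosign signs a structured payload, so that part is constructed), and uses hypothetical names such as `prod-builder` and `registry.example`. The sample digest is the SHA-256 of an empty blob.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sampleDigest is a constructed sample image digest (sha256 of an empty blob).
const sampleDigest = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// Policy is a minimal stand-in for a per-cluster admission policy: the set of
// build-system signing keys allowed to produce images that run in production.
type Policy struct {
	trustedKeys map[string]ed25519.PublicKey // build system name -> verification key
}

// Trust registers a build system's public key under a name.
func (p *Policy) Trust(name string, pub ed25519.PublicKey) {
	if p.trustedKeys == nil {
		p.trustedKeys = map[string]ed25519.PublicKey{}
	}
	p.trustedKeys[name] = pub
}

// newBuilderKey generates an Ed25519 key pair for a (constructed) build system.
func newBuilderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ParseDigest accepts only digest-pinned references ("host/repo@sha256:<64 hex>").
// A tag such as ":latest" names a location that can be repointed at different
// content, so a tag-only reference is rejected outright.
func ParseDigest(ref string) (string, error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", errors.New("image reference must be pinned by digest, not tag")
	}
	d := ref[at+1:]
	if !strings.HasPrefix(d, "sha256:") || len(d) != len("sha256:")+64 {
		return "", errors.New("unsupported or malformed digest")
	}
	if _, err := hex.DecodeString(d[len("sha256:"):]); err != nil {
		return "", errors.New("digest is not hex")
	}
	return d, nil
}

// ContentDigest computes the sha256 digest string of raw image bytes, which is
// what a content-addressed runtime compares against the pinned digest after a pull.
func ContentDigest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignDigest is the build system's step at the end of a build: sign the content
// digest. Constructed simplification: the bare digest string is the signed payload.
func SignDigest(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

// Admit returns the name of the trusted build system whose key verifies the
// signature over the image's digest, or an error that denies the deployment.
// Because only the digest is signed, the same image verifies from any registry.
func (p *Policy) Admit(ref string, sig []byte) (string, error) {
	digest, err := ParseDigest(ref)
	if err != nil {
		return "", err
	}
	for name, pub := range p.trustedKeys {
		if ed25519.Verify(pub, []byte(digest), sig) {
			return name, nil
		}
	}
	return "", errors.New("image was not signed by any trusted build system")
}

func main() {
	var policy Policy
	pub, priv := newBuilderKey()
	policy.Trust("prod-builder", pub)
	_, rogue := newBuilderKey() // a key the policy does not trust, e.g. a developer laptop

	sig := SignDigest(priv, sampleDigest)
	cases := []struct {
		ref string
		sig []byte
	}{
		{"registry.example/app@" + sampleDigest, sig},
		{"mirror.example/app@" + sampleDigest, sig}, // same content, different location
		{"registry.example/app:latest", sig},        // tag, not pinned
		{"registry.example/app@" + sampleDigest, SignDigest(rogue, sampleDigest)},
	}
	for _, c := range cases {
		if signer, err := policy.Admit(c.ref, c.sig); err != nil {
			fmt.Printf("DENY  %s: %v\n", c.ref, err)
		} else {
			fmt.Printf("ALLOW %s (signed by %s)\n", c.ref, signer)
		}
	}
}
```

Running it allows the first two references (the same digest served from two registries), denies the tag-only reference because a tag is a location rather than content, and denies the image signed by the key outside the policy, which is the insider-risk case the article mentions. A real policy agent would additionally fetch the signature from the registry and check the SLSA provenance attached to the image; neither is attempted here.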