Chainguard’s Enforce is designed to help developers define and enact policies for container images to enable safer deployment. Credit: Joyseulay / Shutterstock Software supply chain security provider Chainguard is launching its first product, Chainguard Enforce, a native Kubernetes application for securing deployment of container images.Enforce is designed to let developers define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in their clusters.“Chainguard Enforce is built on cryptographic signatures, which allows it to authenticate the contents of an image rather than where it was served from,” says Kim Lewandowski, co-founder, Chainguard. “This system can be used to protect against insider risks and to restrict production deployments to a set of highly secured build systems.” A container image refers to a static file with executable code that can create a container on a computing system. A container holds multiple packages of a software application and all the constituent resources that can be run in any environment. Kubernetes, on the other hand, is an open-source orchestration automating deployment, scaling, and management of containerized applications. Digital signatures secure software supply chainEnforce is based on the open-source Sigstore project that secures software supply chains by creating digital signatures for the various components of an application. “Container security has a number of challenges, from overstuffed images to container sprawl to awareness gaps to control gaps,” says Sandy Carielli, an analyst at Forrester. “The Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.” According to Carielli, removing any unnecessary or unused components that could increase the attack surface increases the trustability of the container images. Enforce supports build system integration, complianceEnforce will feature four major components with a “developer friendly” command-line interface (CLI). The components are a policy agent, build system integration, continuous verification, and evidence lake. Policy Agent: a read-only support for per-cluster policies and configurations that can be centrally managed and administered across multicluster environments. Included policy definitions are based on open-source supply chain levels for software artifacts (SLSAs) and secure software development framework (SSDF) standards. Build System Integration: includes integration for multiple CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to enable streamlining of development and tracking source code’s original environments. Integrations are quick to install and configure for DevOps teams. Continuous Verification: has consistent support to alert about deviations from defined policies and compliance in the container images.Evidence Lake: refers to the real-time asset inventory that provides visibility into the security posture across the organization including developer tooling, incident recovery, debugging, and audit automation. “One key use case for Chainguard Enforce is to help organizations get a better handle on their build systems as they’re common attack vectors,” says Lewandowski. “We’re starting with a very prescriptive set of policies designed for key management and SLSA levels, without a full-blown language. We’re also looking into using Cue for constraint and schema definitions.” Configure Unify Execute (Cue) is an open-source language with a set of APIs and tools for coding, scripting, and querying. Related content feature The biggest data breach fines, penalties, and settlements so far Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $4.4 billion and counting. By Shweta Sharma and Michael Hill Apr 26, 2024 16 mins Data Breach Security news New CISO appointments 2024 Keep up with news of CSO, CISO, and other senior security executive appointments. By CSO Staff Apr 26, 2024 14 mins CSO and CISO IT Jobs IT Governance news Top cybersecurity product news of the week New product and service announcements from Forcepoint, Ionix, Amplifier Secutiry and Torq. By CSO staff Apr 26, 2024 81 mins Generative AI Security feature Looking outside: How to protect against non-Windows network vulnerabilities Security administrators who work in Windows-based environments should heed the lessons inherent in recent vulnerability reports. By Susan Bradley Apr 25, 2024 7 mins Windows Security Network Security Security Practices PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe