Software Supply Chain Security for K8s – InApps Technology 2022

Only half a year ago, founder Kim Lewandowski, co-founder of Chainguard, the zero-trust security company, said, “Supply chain security by default is our mission and making it really easy for developers to do the right thing.” Now with the beta release of Chainguard Enforce, its first product, a native software supply chain solution for Kubernetes workloads, is here.

The brand-new Chainguard Enforce is made up of four main components. These are a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake. It also includes a developer-friendly CLI and UI.

The read-only Policy Agent provides per-cluster policy and webhook configurations support, and can be centrally managed and administered across multicluster environments. Even in its first release, the Agent integrates with many Kubernetes platforms such as EKS, AKS, and GKE. Enforce will work with any containers Kubernetes supports.

Standards-Based

The Policy Agent also comes ready to run with a curated set of policy definitions. These are based on the open source Supply chain Levels for Software Artifacts (SLSA) and NIST Secure Software Development Framework (SSDF) standards.

The Policy Agent supports a full policy language for defining custom policies. According to Lewandowski. “We’re starting with a very prescriptive set of policies designed for key management and SLSA levels, without a full-blown language.” Moving forward, Chainguard’s developers are also looking into using Configure Unify Execute (CUE) an open source language with a set of APIs for defining policies.

Chainguard Enforce includes build system integrations for such popular CI platforms. These include GitHub Actions, CircleCI, BuildKite, GitLab, and Jenkins. This enables you to establish a record for your container’s source code recipes. Chainguard also claims that it will take less than a day for your DevOps teams to install and configure these build system integrations.

Enforce, however, doesn’t include vulnerability scanning. It will, however, work with third-party scanners. With this, you can have a seamless security workflow that will cut down on false positives.

To make sure your containers are trouble-free, Continuous Verification checks to make sure your deployed container images are in compliance with your defined policies. If there are any deviations, an alert is triggered.

Evidence Lake

Last but not least, the Evidence Lake is a real-time asset inventory. This data can power developer tooling, incident recovery, debugging, and audit automation. There are also integrations available for popular alerting and ticketing platforms such as Slack and Jira.

To all this, the Chainguard team brings open-source and security standards expertise. As the company said, “We have built this tool with these stakeholders and developers in mind, in the hopes of making the software supply chain more secure by default.”

Enforce’s foundation is the open source Sigstore project. It secures software supply chains by creating digital signatures for containerized programs’ building blocks.

Put it all together, and Enforce enables you to build, manage, ensure continuous compliance, and enforce policies to protect you from supply chain threats. But, as Sandy Carielli, a Forrester security analyst, points out, “Container security has a number of challenges, from overstuffed images to container sprawl to awareness gaps to control gaps, The Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.”

Even, Enforce is a big step forward in protecting your developers’ programs from software supply chain woes without burning hours on manual security workflow headaches. It deserves your attention.

Featured image by John Salvino on Unsplash.