Chainguard’s Trail of Bits security assessment
In February, we partnered with Trail of Bits, a leading security research company, to review the security of Chainguard's production environment. This partnership culminated in a formal threat model for Chainguard and a detailed security assessment. Trail of Bits' goal was to find a way to disrupt or introduce malicious packages into Chainguard's supply chain.

We are pleased to report that Trail of Bits found no critical issues as part of their security assessment. Even so, they provided us with code review findings and security recommendations, which we have since taken action on.
Code review findings
Command injection through Actions input [HIGH]
Description: The "Provision Prod Infrastructure" GitHub Action is vulnerable to command injection through unsafe handling of malicious input.
Status: FIXED. We have since removed this internal Terraform workflow. Command injection is a prevalent class of bug in GitHub Actions workflows, so we also audited our other repositories for the same pattern.
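The finding above is an instance of a well-known GitHub Actions pattern: a workflow expression is expanded into a `run:` script before the shell executes it. The following constructed workflow is an added illustration, not the Chainguard workflow that Trail of Bits reviewed; the job names, the `environment` input and the Terraform command are hypothetical. It shows the weak form beside the corrected one, which passes the value through an environment variable and validates it against an allow-list.

```yaml
# Constructed example (not Chainguard's workflow): unsafe interpolation of a
# user-controlled input into a shell step, followed by the hardened form.
name: provision-infra-example

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment name (hypothetical input)"
        required: true

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # WEAK: ${{ }} is expanded by the runner *before* the shell starts, so
      # the input is pasted into the script as source text. Any shell
      # metacharacters in the value become part of the executed script.
      - name: Plan (unsafe interpolation)
        run: terraform plan -var "env=${{ inputs.environment }}"

  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # least privilege for this job's GITHUB_TOKEN
    steps:
      # FIXED: the value reaches the shell only as data in an environment
      # variable, and an allow-list rejects anything unexpected before use.
      - name: Validate input (allow-list)
        env:
          TARGET_ENV: ${{ inputs.environment }}
        run: |
          case "$TARGET_ENV" in
            dev|staging|prod) ;;
            *) echo "unexpected environment: $TARGET_ENV" >&2; exit 1 ;;
          esac
      - name: Plan (safe)
        env:
          TARGET_ENV: ${{ inputs.environment }}
        run: terraform plan -var "env=$TARGET_ENV"
```

The same rule applies to any attacker-influenced expression, such as issue titles, PR branch names or commit messages under `github.event`: never place it inside `run:` directly, always route it through `env:` and quote it.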
Insufficient redaction of CloudEvents [MEDIUM]
Description: The IdentityProvider, Cluster, and Policy protobuf message types are not redacted in CloudEvents, leading to potential leakage of sensitive data via CloudEvent subscriptions.
Status: FIXED. We audited our codebase and found that only IdentityProvider was capable of hosting sensitive data. We've updated our code to redact this message type.
Additional recommendations
After thoroughly reviewing our code base, Trail of Bits provided additional recommendations for securing it. While there is still work to be done, we have strengthened our security significantly since the report in the following ways:
Dramatically reduced our use of long-lived GitHub credentials through Octo STS
Deployed StepSecurity to provide security monitoring for GitHub Actions
Access to all GitHub organizations requires a FIDO security key for 2FA
The few remaining virtual machines now require uncached FIDO security key actuation
GitHub PAT usage is monitored for anomalies using Elastic Security
Employee access to our production network alerts an on-call engineer. Read more about this in our blog post on audited least privilege.
Looking ahead
As part of our commitment to providing our customers with the highest level of security possible, Chainguard undergoes an independent security assessment every six months. In the meantime, we continue to work behind the scenes to reduce our surface area further and increase the number of safeguards we have to protect our users and customers. To download the complete Trail of Bits security assessment, please visit the Chainguard Trust Center.