5 capabilities in Chainguard Enforce you don’t want to miss (your security team will LOVE #4)

Adam Dawson, Product Manager
  •  
March 23, 2023

Chainguard Enforce is a comprehensive platform for software supply chain security. One of its key capabilities is a fully-featured Kubernetes admission controller that can evaluate supply chain policies for your compliance requirements before allowing containers to be deployed in your clusters.

This is just one of the ways Chainguard Enforce strengthens your software supply chain; it sits alongside additional features designed to help you secure workloads across the full software development lifecycle in a single platform. If you need a solution that spans all of your cloud environments and your software supply chain, check out these five features you may have missed:

1. Automatic discovery and enrollment of cloud workloads 

Before implementing blocking admission control for Kubernetes clusters, many organizations simply want to build a complete inventory of their containerized workloads to use for analysis, triage and issue remediation. Security teams often tell us, "I just need to know what's running and where so I can communicate with my application teams about what they need to fix."

With only a few clicks or commands, Chainguard Enforce is able to automatically discover and catalog all of your containerized workloads across popular managed Kubernetes and container services, including Google Kubernetes Engine (GKE) and Google Cloud Run, Amazon Elastic Kubernetes Service (EKS), Amazon Elastic Container Service (ECS) and AWS App Runner, as well as Kubernetes distributions like OpenShift, Rancher or open source Kubernetes.

While you may choose to install a full admission controller for policy enforcement, you can also configure Chainguard Enforce to run in Observer mode to simply find, catalog, and monitor your containerized workloads and to provide visibility into all your images, packages, and clusters in one place.

2. Centralized SBOM and Vulnerability Analysis for your clusters

When Chainguard Enforce finds a running workload, it automatically imports any SPDX or CycloneDX SBOMs attached to the image. You can inspect all of these SBOMs, instantly search your clusters for packages and versions, and configure policies to validate the contents and integrity of SBOMs to protect your production environment. If you attach vulnerability scans to your images, Chainguard Enforce can validate, for every container deployed to your clusters, that the image has a recent scan and that the scan reports no critical CVEs. An image with no SBOM or scan attached fails those policies rather than passing silently, so a missing attestation is itself a finding. The platform also continuously monitors all running workloads to detect any workload that falls out of compliance after deployment.

This means Chainguard Enforce will continuously ensure that you have full SBOM coverage and acceptable vulnerability risk for all your running workloads across cloud environments.

3. Keyless artifact signing with Enforce Signing

Digitally signing software artifacts is a foundational principle of supply chain security. Identity-based, short-lived signing (also known as "keyless" signing) binds an ephemeral key to the signer's OIDC identity through a short-lived certificate, which eliminates the need to manage, store and rotate long-lived signing keys.

Chainguard Enforce Signing, powered by Sigstore and currently available in beta, lets you implement keyless signing for your artifacts with a private instance of the Sigstore stack. Your developers and build systems can create ephemeral signatures for all your images without recording them in the public transparency log. You can then use Chainguard Enforce to define policies that validate these signatures, pinning the identities that are allowed to sign, before allowing images to be deployed. This gives you assurance that the images running in your clusters are the ones your pipeline built and that they haven't been tampered with since.

4. Monitoring for popular managed container runtimes

Chainguard Enforce can act as a fully-featured admission controller for any Kubernetes cluster in your environment. However, many organizations also use cloud-based container runtimes, such as AWS App Runner, Amazon ECS and Google Cloud Run, where the control plane is managed by the cloud provider and installing an admission controller isn't possible.

The Chainguard Enforce agentless architecture can be used to discover, enroll and continuously monitor these workloads for compliance with your security requirements in real time. You can apply the same policies across all your workloads in the cloud and receive immediate alerts if any of your managed runtime containers falls out of compliance, all without installing anything in the runtime environment.

5. Continuous verification of policies

Admission controllers make policy enforcement decisions on container deployment requests. But once a container has been admitted, the admission controller doesn't look at it again. This means that running containers won't be re-checked for compliance:

  • If your organization defines a new security policy or updates an existing one
  • If a new critical vulnerability emerges
  • If you have a security policy that depends on a dynamic condition, such as an image being built within the last 30 days

Chainguard Enforce's continuous verification feature provides real-time, continuous monitoring of all your workloads against all of your policies. If a container is successfully deployed, but later falls out of compliance, you'll be notified immediately in the Chainguard Enforce console or through our event alerting system that can send notifications to systems like Slack and Jira.
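As an added illustration of why an admission-time check is only a snapshot, here is a small policy evaluator, written for this article and not taken from Chainguard Enforce, that runs the kinds of checks described in sections 2 and 5 (SBOM present, scan recent, no critical CVEs, image built within the last 30 days) against a constructed inventory of two workloads with a constructed CycloneDX SBOM and scan result. The inventory, the SBOM and scan contents, the policy names and the thresholds are all assumptions made for the example. Re-running the same evaluation two weeks later shows the same unchanged image drifting out of compliance.

```python
"""Added example: time-dependent policy evaluation over a workload inventory.
Constructed sample data; not Chainguard Enforce's code or policy format."""
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM for one image (subset of fields).
SBOM_WEB = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:apk/alpine/openssl@3.0.8"},
        {"type": "library", "name": "libcurl", "version": "7.88.1",
         "purl": "pkg:apk/alpine/libcurl@7.88.1"},
    ],
}

# Constructed vulnerability scan result attached to the same image.
SCAN_WEB = {
    "scannedAt": "2023-03-20T09:00:00Z",
    "findings": [
        {"id": "CVE-2023-0001", "package": "libcurl", "severity": "HIGH"},
    ],
}

# Constructed inventory: what the discovery step would have catalogued.
# The second workload has neither an SBOM nor a scan attached.
INVENTORY = [
    {"cluster": "prod-gke", "workload": "web",
     "image": "registry.example/web@sha256:aaa",
     "built": "2023-03-01T12:00:00Z", "sbom": SBOM_WEB, "scan": SCAN_WEB},
    {"cluster": "prod-ecs", "workload": "worker",
     "image": "registry.example/worker@sha256:bbb",
     "built": "2023-02-10T08:00:00Z", "sbom": None, "scan": None},
]


def parse_time(s):
    """Parse the UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def packages(sbom):
    """Yield (name, version) for every component in a CycloneDX SBOM."""
    for c in (sbom or {}).get("components", []):
        yield c["name"], c.get("version", "")


def find_package(inventory, name):
    """Which clusters and workloads run a given package, and at what version."""
    return sorted((w["cluster"], w["workload"], v)
                  for w in inventory for n, v in packages(w["sbom"]) if n == name)


def evaluate(workload, now, max_image_age_days=30, max_scan_age_days=7):
    """Return the names of the policies this workload violates at time `now`.

    Missing evidence (no SBOM, no scan) is reported as a violation, never
    treated as a pass."""
    violations = []
    if workload["sbom"] is None:
        violations.append("sbom-present")
    if now - parse_time(workload["built"]) > timedelta(days=max_image_age_days):
        violations.append("image-age")
    scan = workload["scan"]
    if scan is None:
        violations.append("scan-present")
    else:
        if now - parse_time(scan["scannedAt"]) > timedelta(days=max_scan_age_days):
            violations.append("scan-recent")
        if any(f["severity"] == "CRITICAL" for f in scan["findings"]):
            violations.append("no-critical-cves")
    return violations


def verify_all(inventory, now):
    """Continuous-verification pass: every workload against every policy."""
    return {w["workload"]: evaluate(w, now) for w in inventory}


def record_scan(workload, scan):
    """Return a copy of the workload with a fresh scan attached (inventory not mutated)."""
    return {**workload, "scan": scan}


if __name__ == "__main__":
    for label, now in (("admission", "2023-03-23T10:00:00Z"),
                       ("14 days later", "2023-04-06T10:00:00Z")):
        print(label, verify_all(INVENTORY, parse_time(now)))
    print("openssl runs in:", find_package(INVENTORY, "openssl"))
```

The reason `evaluate` takes `now` as a parameter is that the result for an unchanged workload is a function of time: the admission decision is a snapshot, and only re-evaluation catches the drift when an image ages past the threshold, a scan goes stale, or a rescan reports a newly published critical CVE.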

6. BONUS: Commit signing for GitHub repositories with Enforce for Git

Signing code commits is another foundational step in securing your supply chain. Many organizations mandate that developers sign their git commits. But the most common methods of git commit signing rely on long-lived GPG or SSH keys, often stored on the developer's laptop, and don't take advantage of Sigstore's Cosign technology.

With Enforce for Git, currently in alpha, your organization can implement keyless or ephemeral signatures for git commits using Cosign. You can then define policies that validate these commit signatures as part of your CI/CD process to have confidence that the code going into your build is tamper-free and was committed by a trusted developer in your organization. 
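The check that makes keyless signatures meaningful, for images (section 3) and commits (this section) alike, is that the verifier pins who was allowed to sign, meaning both the OIDC issuer and the certificate's subject, and confirms the signature was recorded while the short-lived certificate was still valid. The following example, written for this article and not Chainguard's, cosign's or gitsign's code, models those checks over constructed certificate fields and a constructed policy. The two issuer URLs are the real GitHub Actions and Google OIDC issuers; the repository, workflow, email domain, timestamps and policy shape are assumptions.

```python
"""Added example: the identity and validity checks behind keyless
(Sigstore-style) signature verification. Constructed inputs; this is not
Chainguard's, cosign's or gitsign's code."""
import re
from datetime import datetime, timezone

# Real OIDC issuer URLs for GitHub Actions and Google accounts.
GITHUB_ACTIONS = "https://token.actions.githubusercontent.com"
GOOGLE = "https://accounts.google.com"

# Constructed policy (assumption): only the release workflow of one repository,
# running on a version tag, may sign images ...
IMAGE_AUTHORITIES = [
    {"issuer": GITHUB_ACTIONS,
     "subject_regexp": r"^https://github\.com/example-org/web/\.github/workflows/release\.yaml@refs/tags/v\d+\.\d+\.\d+$"},
]
# ... and only example.com developers authenticated through Google may sign commits.
COMMIT_AUTHORITIES = [
    {"issuer": GOOGLE, "subject_regexp": r"^[a-z.]+@example\.com$"},
]


def parse_time(s):
    """Parse the UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_policy(authorities):
    """Return the subject patterns that are not anchored at both ends.

    An unanchored pattern for example-org/web also matches example-org/web-evil,
    so such a policy should be rejected before it is ever used."""
    return [a["subject_regexp"] for a in authorities
            if "subject_regexp" in a
            and not (a["subject_regexp"].startswith("^")
                     and a["subject_regexp"].endswith("$"))]


def identity_allowed(issuer, subject, authorities):
    """True only if some authority pins this exact issuer AND the subject matches.

    Subject alone proves nothing: any OIDC provider can mint a token whose
    subject reads alice@example.com."""
    for a in authorities:
        if a["issuer"] != issuer:
            continue
        if a.get("subject") == subject:
            return True
        if "subject_regexp" in a and re.fullmatch(a["subject_regexp"], subject):
            return True
    return False


def verify_keyless(cert, rekor_integrated_time, authorities):
    """Return "ok", or the first reason to reject the signature.

    `cert` stands in for the fields a verifier reads from a Fulcio-issued
    certificate: the OIDC issuer extension, the subject alternative name and
    the validity window. `rekor_integrated_time` is when the transparency log
    recorded the signature; because a keyless certificate lives for minutes,
    the log time is what proves the signature was made while it was valid."""
    not_before = parse_time(cert["not_before"])
    not_after = parse_time(cert["not_after"])
    if not (not_before <= rekor_integrated_time <= not_after):
        return "signature was not recorded inside the certificate's validity window"
    if not identity_allowed(cert["issuer"], cert["subject"], authorities):
        return f"identity not in policy: {cert['issuer']} / {cert['subject']}"
    return "ok"


if __name__ == "__main__":
    logged = parse_time("2023-03-23T10:05:00Z")
    release = {"issuer": GITHUB_ACTIONS,
               "subject": "https://github.com/example-org/web/.github/workflows/release.yaml@refs/tags/v1.2.3",
               "not_before": "2023-03-23T10:03:00Z", "not_after": "2023-03-23T10:13:00Z"}
    print("release image:", verify_keyless(release, logged, IMAGE_AUTHORITIES))
    dev = {"issuer": GOOGLE, "subject": "alice@example.com",
           "not_before": "2023-03-23T10:03:00Z", "not_after": "2023-03-23T10:13:00Z"}
    print("developer commit:", verify_keyless(dev, logged, COMMIT_AUTHORITIES))
    print("unanchored patterns:", validate_policy(IMAGE_AUTHORITIES + COMMIT_AUTHORITIES))
```

Two details matter in practice. First, issuer and subject are checked together, never the subject alone. Second, subject patterns are matched with `re.fullmatch` and `validate_policy` refuses patterns that are not anchored, because a loose pattern for one repository or one email domain quietly admits look-alike names.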

Chainguard Enforce is more than just an enterprise-ready admission controller for Kubernetes clusters. It’s a powerful end-to-end platform for securing the software supply chain through features like workload discovery, continuous verification and Sigstore-powered signatures for software artifacts and code commits. If you are interested in learning more about Chainguard Enforce, reach out to our team for a demo or a 30-day free trial.
