Announcing Chainguard Enforce discovery and expanded runtime support

Adam Dawson, Product Manager and Mark Drake, Technical Writer
February 27, 2023

All too often, we lose track of what infrastructure we're running in various cloud environments. Sometimes we forget to shut down a testing cluster; other times we can't remember what components are running in which cloud. Sometimes, organizations allow application teams to manage their own infrastructure, but still need to monitor those deployments for adherence to security and compliance standards.

Without a comprehensive understanding of the cloud resources you're using, there's no way to know the full scope of what software is running in your cloud fleet. This presents a serious threat to your software supply chain security, and in organizations with dozens or hundreds of developers, this problem can compound quickly. 

We're excited to announce Chainguard Enforce Discovery, a new feature that enables customers to discover various containerized workloads across their organization's clouds and runtimes. Discovery can provide organizations with greater visibility into their security posture and help to ensure that Chainguard Enforce (and any policies they have configured) are being evaluated against all of the clusters across their organization. Discovery is also agentless; it can find and enroll clusters and containers for continuous monitoring in Chainguard Enforce without installing anything on the cluster.

In addition to automated discovery and enrollment of Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) clusters, Chainguard Enforce's agentless architecture can now discover and monitor containers running in managed runtimes like Google CloudRun, AWS ECS, AWS AppRunner, and (coming soon) AWS Lambda. Expanded runtime support means customers can now define and monitor software supply chain policies even on services with managed control planes where installing an admission controller isn't possible. 

Watch Enforce Discovery in action:

How to get started 

In order to use the Discovery feature, you must first set up a cloud account association between Enforce and any cloud account containing resources you want to enroll. This will allow Chainguard Enforce to monitor and (where applicable) enforce policy on changes to your infrastructure.

There are currently two options for how you can use Discovery: using the Chainguard Enforce Console or the `chainctl cluster discover` command.

Option 1 — Chainguard Enforce Console

You can discover workloads running in your various cloud accounts through the Chainguard Enforce Console. After logging in to the Console, there will be a `Discover` button at the top-right of the list of clusters.

Clicking the button will take you to the Discover UI, which contains a list of Chainguard Enforce groups that are associated with one or more cloud accounts, as well as the providers available for those groups.

If you click on a group, the Chainguard Enforce Console will discover all the resources associated with that group and will list them on the resulting page. This example shows a group associated with App Runner, GKE, Cloud Run, EKS and ECS resources.

From there, you can select the resources you want Chainguard to oversee and then click the `Enroll` button to enroll them into Chainguard Enforce. Following that, you'll be taken back to the Clusters list page. From there, you can begin using Enforce to view the images and packages running on your newly-enrolled cluster or apply security policies to make sure cloud applications are up-to-date, just as you would with any other that you've enrolled into Chainguard Enforce.

Option 2 — `chainctl cluster discover`

As this example shows, `chainctl` will prompt you to confirm whether you want to enroll all of the eligible resources. If you press `ENTER`, then all of the eligible clusters will be enrolled in Chainguard Enforce Agentless mode. Following that, you can use the `chainctl` CLI or the Enforce web console at to interact with them just like any other cluster you have installed Enforce onto.


Chainguard Enforce Discovery can help you get a comprehensive view of all your cloud containers. It also provides a handy way to quickly enroll your resources into Chainguard Enforce, and expanded runtime support helps you expand your security policies to new services like ECS, Cloud Run, and App Runner. Get started with Chainguard Discovery in our Chainguard Academy documentation. 

If you'd like to learn more about the benefits of Chainguard Enforce and its features like Discovery, reach out to our team or sign up for a free trial

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.