Chainguard Enforce is our trusted control plane to help you protect your cloud-native environments from supply chain threats. Since announcing the general availability of Enforce last year, we’ve been working to expand the platform with capabilities that continuously help to sustain the integrity of your software supply chain, including workload discovery, robust policy enforcement, continuous verification and signing. We’ve also been closely following federal efforts like the White House’s recent National Cybersecurity Strategy and CISA’s Secure Software Self-Attestation practice guidelines – and translating these looming regulatory requirements for software bill of materials (SBOMs) into workflows and policies that developers and CISOs alike can start adopting today.
Today, we are excited to announce that Enforce now offers even more built-in and automatic tooling to secure the software supply chain. The new capabilities include:
As the federal government moves quickly to implement and mandate stronger software security standards and requirements for vendors, these features are coming at a critical time for organizations who need to comply with FedRAMP, CISA’s self-attestation form and even the FDA’s new requirements for manufacturers of medical devices to provide an SBOM for the commercial, open-source and off-the-shelf software components contained within devices.
Automating SBOMs for more useful outcomes
Developers, security professionals and even auditors within an organization must know what software packages are deployed, at what time, where and by whom. With this information readily available, one can answer questions like are any software packages deployed in our environment that violate certain licensing terms? Are any packages that are being deployed tagged as latest? Are they coming from a known and trusted registry? Are we affected by CVE-2021-44832 (Log4j) and if so where are we vulnerable?
Chainguard is announcing the availability of new features in the Enforce platform to help customers generate, ingest and organize SBOMs across their Kubernetes and Google Cloud Run environments. Chainguard Enforce was designed to enhance the value of SBOMs by harnessing the information they provide to better understand everything that’s running in a given cluster. These new Enforce SBOM features will help organizations make the most out of SBOMs in cloud workloads, including:
With the new SBOM features in Enforce, the platform will automatically ingest SBOMs attached to your container images and allow you to search packages and track them back to the workloads and clusters they are running in. When Enforce ingests an SBOM, it will convert the SBOM’s JSON structure into structured data that can be queried within a database. This allows the Enforce platform to retrieve key information about an SBOM, like the packages contained within it, their versions and their license details. Chainguard Enforce supports both the SPDX and Cyclone DX SBOM schemas, meaning that SBOMs must conform to these standards in order for Enforce to ingest them.
If you have a container image without an existing SBOM, Enforce will automatically create an SBOM using Syft. This means that you don’t have to worry about generating the SBOM yourself or performing any additional steps. Chainguard Enforce’s SBOM generation tool takes care of it for you, ensuring that you have comprehensive package information for each image. Generated SBOMs will be clearly indicated in the Enforce console. This helps you identify which SBOMs were generated on-demand and which ones were ingested from external sources. Generated SBOMs will be exportable in SPDX format. No customer action is required to enable SBOM generation. As soon as we detect a container image running in one of your clusters without an SBOM, Enforce will generate one for you.
Chainguard Enforce also provides a powerful search functionality in the platform’s console, allowing you to easily search for specific packages, versions, licenses or even a file within your SBOMs. The example below shows a search for packages using “openssl.” Using the search feature, you can find relevant information about a particular package or version, ensuring that you stay informed about the software components in your environment. Whether you are investigating vulnerabilities, ensuring license compliance or tracking specific versions, Enforce’s SBOM search and filtering capabilities makes finding this information more accessible.
Tackle vulnerability scan sprawl with automatically ingested and generated vulnerability reports
Any organization focused on securing the software supply chain has faced the challenge of vulnerability management. When one CVE is patched, another is on the way. This is a complex problem on its own, and due to recent federal requirements for software self attestations and existing frameworks like FedRAMP, not having a handle on software vulnerabilities can have significant consequences for meeting government compliance.
Starting today, Chainguard Enforce will automatically generate daily vulnerability reports for supported container workloads using Grype. This ensures you are always aware of any new vulnerabilities that could affect your workloads, and you no longer need to implement vulnerability scan generation in your build pipelines. If a critical or high impact vulnerability is discovered, you’ll easily be able to find out if it’s running in your cluster. Here’s what you can expect from the new vulnerability analysis capability in Chainguard Enforce.
If you have container images without an existing vulnerability report, Enforce will automatically create a vulnerability report using Grype. This means that you don’t have to worry about generating the scanning reports yourself or performing any additional steps. Chainguard Enforce will ensure that you have comprehensive information about the vulnerabilities discovered for each image. To create a vulnerability report, Enforce relies on a previously generated or ingested SBOM for each image. By doing so, these vulnerability scans focus on the list of available packages used in your workloads.
No user action or configuration is required to generate these automatic vulnerability reports. As soon as Enforce detects a container image running in one of your clusters without a vulnerability report, it will generate one for you. Furthermore, Enforce will rescan your images every 24 hours and create a new vulnerability scan report. This ensures that vulnerabilities that are reported are always up to date.
Visibility is key to understanding what software you are running and if there are vulnerabilities present. Chainguard Enforce provides a powerful search functionality in the console that allows you to search for specific CVE IDs, packages, versions or even the severity types of the vulnerabilities.
Software signing and integrity
One of the most critical components of a secure supply chain is signing and verifying software. The federal government has taken notice and recently CISA introduced requirements for a self-attestation form for vendors who sell software to the federal government. In fact, the term integrity shows up 37 times across the self-attestation form and states that vendors will now be responsible for signing and verifying the signatures of all components they use, including commits, artifacts and more.
Through our own journey at Chainguard signing software and developing open source tools like Sigstore, we’ve recognized that private and public software artifacts might have different signing requirements. This is why we built our Enforce Signing feature, which gives users the flexibility of keyless signatures alongside a privately managed signing infrastructure where no sensitive data is stored.
Internally, we also use Sigstore’s gitsign tool to associate every commit with an email address using the Sigstore public infrastructure. We then use a tool we call Enforce for Git to verify these commits have been signed by a Chainguardian as a required presubmit check on every Github PR. If the commit hasn’t been signed, then the PR can’t be merged. Signing git commits is an easy way to start securing your source code and make sure that only authorized users are able to commit code. We are working on making our tool freely available through the GitHub Marketplace. If this is something you’d be interested in testing out in your environment as an early user, reach out to our team.
Chainguard Enforce is more than just an enterprise-ready admission controller for Kubernetes clusters. It’s a powerful, comprehensive platform that acts as a control plane for your software supply chain. Today, the platform has capabilities for securing the software supply chain like workload discovery, policy enforcement, continuous verification and now capabilities to ingest and generate SBOMs, deep vulnerability analysis reports and a private signing infrastructure for enterprises. Chainguard Enforce can help customers not only comply with upcoming federal requirements for SBOMs and self attestations, but also be prepared for when the next major vulnerability hits with searchable insights and data for critical workloads. To get started with Enforce today, reach out to our team.
Chainguard will be at Hacker Summer Camp in Las Vegas, NV on August 9 - 13. Check out our booth #SC208 at Black Hat or book a meeting with our team on site.