Chainguard Enforce announces new software signing capability, enterprise supply chain security updates

Adam Dawson, Product Manager and Priya Wadhwa, Engineering Manager
December 8, 2022

Today we’re excited to announce several new enterprise-grade features including a software signing service, a security policy catalog and a new eventing framework to Chainguard Enforce, our comprehensive software supply chain risk management platform. Following Chainguard Enforce’s general availability in September, we’ve been focused on working with customers to build out key features and integrations that meet the needs of today’s modern enterprises. 

These new capabilities in Chainguard Enforce come at a critical moment for many organizations. This time last year the industry received a wake-up call when a vulnerability was discovered in the widely used Apache Log4j-core software, dubbed “Log4Shell.” Recently, nation-state actors were discovered exploiting the vulnerability to try to gain access to federal government networks. 

The nature of supply chain attacks is that attackers will continue to go after the weakest link and this is what we are seeing happen one year after the “Log4Shell” disclosure. At Chainguard, we’re on a mission to ensure that every link in the chain is secure by default. Our philosophy is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production. 

Here’s a look at what’s new in Chainguard Enforce and what our customers have to say about the platform’s secure-by-default design that acts as a control plane for the full software development lifecycle. 

Private Preview of Enforce Signing, Keyless Provenance Powered by Sigstore

Today we’re announcing Chainguard Enforce Signing, powered by Sigstore, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This new capability helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified. 

Additionally, this capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy. 
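As an added illustration of the keyless model described above (example code written for this article, not Chainguard Enforce's or Sigstore's own implementation): a fresh key pair signs an artifact digest, a short-lived certificate binds that one-time public key to the signer's identity, and the verifier checks both the signature and the identity before trusting the artifact. The self-issued certificate stands in for a certificate authority such as Fulcio, and the identity string and artifact bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what a verifier receives: the signature plus the short-lived certificate binding the one-time key to an identity.
type Bundle struct {
	Signature []byte
	CertDER   []byte
}

// signArtifact mimics keyless signing: a fresh key pair, a short-lived certificate naming
// the signer (self-issued here, standing in for a CA such as Fulcio), then the key is dropped.
func signArtifact(artifact []byte, identity string) (Bundle, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Bundle{}, err }
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{identity},               // identity travels in the SAN
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute), // one-time-use validity window
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return Bundle{}, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Bundle{Signature: sig, CertDER: certDER}, err
}

// verifyArtifact: the signature must verify under the certificate's key (CheckSignature hashes the artifact itself) and the certificate must name the expected signer.
func verifyArtifact(artifact []byte, b Bundle, wantIdentity string) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil { return err }
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, artifact, b.Signature); err != nil {
		return fmt.Errorf("signature rejected: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity {
		return fmt.Errorf("certificate names %v, not %s", cert.EmailAddresses, wantIdentity)
	}
	return nil
}
```

In a real deployment the certificate is issued by a CA after the signer authenticates, and the verifier also checks the chain to that CA and the certificate's validity window; the private signing key is never stored.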

Software signatures are a critical part of software supply chain security, and of keeping it right over time. This is why it was important to the Chainguard team to provide our enterprise customers with the same benefits that Sigstore already offers as the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPI, as well as enterprises like Verizon and Autodesk.

New Enterprise Security and Compliance Features 

To enable customers operating at enterprise scale, we’re adding several new product features to the Chainguard Enforce developer security platform, including:

  • Security Policy Catalog: A rich library of out-of-the-box policies that administrators can customize and deploy directly from the Chainguard Enforce web console to their environments. For example, the catalog includes a policy to check that an image has a signed SBOM, a policy to check container image signatures, and policies to prevent deploying artifacts with known vulnerabilities like Log4Shell. A recent report from Tenable found that 72% of organizations remain vulnerable to the Log4Shell vulnerability.
  • Enterprise Tooling Integrations: Users can now log in using their GitLab account, in addition to existing Google and GitHub logins.
  • Rich Eventing Framework: Chainguard Enforce now includes CloudEvents for over 20 types of events to keep security teams instantly informed of changes in their environments through notifications via Slack, email, or a SIEM tool.
  • Enhanced Policy Management: Support for policies on fine-grained Kubernetes workload objects such as Deployments, Pods, and CronJobs.
  • Enterprise Scalability and Reliability: An enhanced Chainguard Enforce infrastructure enables customers with thousands of nodes and hundreds of clusters to enforce continuous policy compliance while meeting their SLAs, with minimal or no noticeable downtime.

“Precisely is the global leader in data integrity, and that commitment extends to the integrity of the SaaS solutions we provide to customers around the world,” said Andy Kelly, Senior Director of DevOps at Precisely. “Our mission is to empower businesses to make confident decisions based on data that is accurate, consistent, and contextual – and delivered through software that is trusted and secure. We are pleased to work with Chainguard Enforce to ensure the software our developers build and deploy is safe, tamper-resistant and protected against attacks – across the software development lifecycle to production.”  

We also recently announced that Chainguard Enforce is now available globally on AWS Marketplace, making it easier for enterprises to discover, try and purchase the platform through the channel they prefer. Learn more about Chainguard Enforce and how enterprise customers like Block, Inc. (Square, CashApp, TIDAL, etc.) are using the platform to build holistic software supply chain security solutions here.

Reach out to our team for a demo or to try the 30-day free trial to get hands-on with the Chainguard Enforce platform. Chainguard Enforce Signing will be an early access program in private preview for select customers.
