Sign inContact usTry it out
Sign inContact usTry it out

Chainguard Enforce announces new software signing capability, enterprise supply chain security updates

Adam Dawson, Product Manager and Priya Wadhwa, Engineering Manager
  •  
December 8, 2022
The Case for Farm-to-Table Package Signing

Today we’re excited to announce several new enterprise-grade features including a software signing service, a security policy catalog and a new eventing framework to Chainguard Enforce, our comprehensive software supply chain risk management platform. Following Chainguard Enforce’s general availability in September, we’ve been focused on working with customers to build out key features and integrations that meet the needs of today’s modern enterprises. 

These new capabilities in Chainguard Enforce come at a critical moment for many organizations. This time last year the industry received a wake up call when a vulnerability was discovered in the widely used Apache Log4j-core software, dubbed “Log4Shell.” Recently nation-state actors were discovered exploiting the vulnerability to try to gain access to federal government networks. 

The nature of supply chain attacks is that attackers will continue to go after the weakest link and this is what we are seeing happen one year after the “Log4Shell” disclosure. At Chainguard, we’re on a mission to ensure that every link in the chain is secure by default. Our philosophy is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production. 

Here’s a look at what’s new in Chainguard Enforce and what our customers have to say about the platform’s secure-by-default design that acts as a control plane for the full software development lifecycle. 

Private Preview of Enforce Signing, Keyless Provenance Powered by Sigstore

Today we’re announcing Chainguard Enforce Signing, powered by Sigstore, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This new capability helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified. 

Additionally, this capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy. 

Software signatures are a critical part of software supply chain security and getting it right over time. This is why it was important to the Chainguard team to provide our enterprise customers with the same benefits that Sigstore already offers as the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPi as well as enterprises like Verizon and Autodesk

New Enterprise Security and Compliance Features 

To enable customers operating at enterprise scale, we’re adding several new product features to the Chainguard Enforce developer security platform, including:

  • Security Policy Catalog: A rich library of out-of-the-box policies that administrators can customize and deploy directly from the Chainguard Enforce web console to their environments. For example, the catalog includes a policy to check that an image has a signed SBOM, a policy to check container image signatures, and policies to prevent deploying artifacts with known vulnerabilities like Log4Shell. A recent report from Tenable found that 72% of organizations still remain vulnerable to the Log4Shell vulnerability.
  • Enterprise Tooling Integrations: Users can now log in using their Gitlab account, in addition to existing Google and Github logins.
  • Rich Eventing Framework: Chainguard Enforce now includes CloudEvents for over 20 types of events to keep security teams instantly informed of changes in their environments through notifications via Slack, email, or a SIEM tool.
  • Enhanced Policy Management: Support for policies on fine-grained Kubernetes workload objects such as Deployments, Pods, and CronJobs.
  • Enterprise Scalability and Reliability: An enhanced Chainguard Enforce infrastructure enables customers with thousands of nodes and hundreds of clusters to enforce continuous policy compliance to meet customer’s SLAs or minimal/unnoticeable downtime.

“Precisely is the global leader in data integrity, and that commitment extends to the integrity of the SaaS solutions we provide to customers around the world,” said Andy Kelly, Senior Director of DevOps at Precisely. “Our mission is to empower businesses to make confident decisions based on data that is accurate, consistent, and contextual – and delivered through software that is trusted and secure. We are pleased to work with Chainguard Enforce to ensure the software our developers build and deploy is safe, tamper-resistant and protected against attacks – across the software development lifecycle to production.”  

We also recently announced that Chainguard Enforce is now available globally on AWS Marketplace, making it easier for enterprises to discover, try and purchase the platform through the channel they prefer. Learn more about Chainguard Enforce and how enterprise customers like Block, Inc. (Square, CashApp, TIDAL, etc.) are using the platform to build holistic software supply chain security solutions here

Reach out to our team for a demo or to try the 30-day free trial to get hands on with the Chainguard Enforce platform. Chainguard Enforce Signing will be an early access program in private preview for select customers.

The Case for Farm-to-Table Package Signing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

More articles

A growing ecosystem of vulnerability scanners that now support Chainguard Images and Wolfi

Kim Lewandowski, Chief Product Officer
  •  
September 21, 2023

How to use Dockerfiles with wolfi-base images

Adrian Mouat, Staff DevRel Engineer
  •  
September 14, 2023

An update on Chainguard Images FIPS Validation

Adam Dawson, Product Manager, Chainguard Images
  •  
September 13, 2023

Don’t break the chain – secure your supply chain today!

Contact us
Please direct security disclosures or questions about our bug bounty program to security@chainguard.dev
Copyright 2022
BlogCareersLegalTerms

Sign up for our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Unchained
Products
Chainguard Images
Reduce your attack surface with minimal, distroless images.
Chainguard Enforce
Manage, monitor and enforce end-to-end policies.
Chainguard Services
Infrastructure, configuration, and compliance assessment.
Developer
Resources
Company
Contact
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Education
Back
About
Newsroom
Careers
Back
About
Newsroom
Careers
Product

Chainguard Enforce announces new software signing capability, enterprise supply chain security updates

Adam Dawson, Product Manager and Priya Wadhwa, Engineering Manager
December 8, 2022
copied

Today we’re excited to announce several new enterprise-grade features including a software signing service, a security policy catalog and a new eventing framework to Chainguard Enforce, our comprehensive software supply chain risk management platform. Following Chainguard Enforce’s general availability in September, we’ve been focused on working with customers to build out key features and integrations that meet the needs of today’s modern enterprises. 

These new capabilities in Chainguard Enforce come at a critical moment for many organizations. This time last year the industry received a wake up call when a vulnerability was discovered in the widely used Apache Log4j-core software, dubbed “Log4Shell.” Recently nation-state actors were discovered exploiting the vulnerability to try to gain access to federal government networks. 

The nature of supply chain attacks is that attackers will continue to go after the weakest link and this is what we are seeing happen one year after the “Log4Shell” disclosure. At Chainguard, we’re on a mission to ensure that every link in the chain is secure by default. Our philosophy is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production. 

Here’s a look at what’s new in Chainguard Enforce and what our customers have to say about the platform’s secure-by-default design that acts as a control plane for the full software development lifecycle. 

Private Preview of Enforce Signing, Keyless Provenance Powered by Sigstore

Today we’re announcing Chainguard Enforce Signing, powered by Sigstore, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This new capability helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified. 

Additionally, this capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy. 

Software signatures are a critical part of software supply chain security and getting it right over time. This is why it was important to the Chainguard team to provide our enterprise customers with the same benefits that Sigstore already offers as the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPi as well as enterprises like Verizon and Autodesk

New Enterprise Security and Compliance Features 

To enable customers operating at enterprise scale, we’re adding several new product features to the Chainguard Enforce developer security platform, including:

  • Security Policy Catalog: A rich library of out-of-the-box policies that administrators can customize and deploy directly from the Chainguard Enforce web console to their environments. For example, the catalog includes a policy to check that an image has a signed SBOM, a policy to check container image signatures, and policies to prevent deploying artifacts with known vulnerabilities like Log4Shell. A recent report from Tenable found that 72% of organizations still remain vulnerable to the Log4Shell vulnerability.
  • Enterprise Tooling Integrations: Users can now log in using their Gitlab account, in addition to existing Google and Github logins.
  • Rich Eventing Framework: Chainguard Enforce now includes CloudEvents for over 20 types of events to keep security teams instantly informed of changes in their environments through notifications via Slack, email, or a SIEM tool.
  • Enhanced Policy Management: Support for policies on fine-grained Kubernetes workload objects such as Deployments, Pods, and CronJobs.
  • Enterprise Scalability and Reliability: An enhanced Chainguard Enforce infrastructure enables customers with thousands of nodes and hundreds of clusters to enforce continuous policy compliance to meet customer’s SLAs or minimal/unnoticeable downtime.

“Precisely is the global leader in data integrity, and that commitment extends to the integrity of the SaaS solutions we provide to customers around the world,” said Andy Kelly, Senior Director of DevOps at Precisely. “Our mission is to empower businesses to make confident decisions based on data that is accurate, consistent, and contextual – and delivered through software that is trusted and secure. We are pleased to work with Chainguard Enforce to ensure the software our developers build and deploy is safe, tamper-resistant and protected against attacks – across the software development lifecycle to production.”  

We also recently announced that Chainguard Enforce is now available globally on AWS Marketplace, making it easier for enterprises to discover, try and purchase the platform through the channel they prefer. Learn more about Chainguard Enforce and how enterprise customers like Block, Inc. (Square, CashApp, TIDAL, etc.) are using the platform to build holistic software supply chain security solutions here

Reach out to our team for a demo or to try the 30-day free trial to get hands on with the Chainguard Enforce platform. Chainguard Enforce Signing will be an early access program in private preview for select customers.

Related articles
Product
An update on Chainguard Images FIPS Validation
September 13, 2023
Product
Announcing a Chainguard Image for OpenTF
September 6, 2023
Product
Update for Chainguard Images Users on HashiCorp License Changes
September 1, 2023
Products

Chainguard Images

Chainguard Enforce

Chainguard Services

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact