Today we’re excited to announce several new enterprise-grade features including a software signing service, a security policy catalog and a new eventing framework to Chainguard Enforce, our comprehensive software supply chain risk management platform. Following Chainguard Enforce’s general availability in September, we’ve been focused on working with customers to build out key features and integrations that meet the needs of today’s modern enterprises.
These new capabilities in Chainguard Enforce come at a critical moment for many organizations. This time last year the industry received a wake-up call when a vulnerability was discovered in the widely used Apache Log4j-core software, dubbed “Log4Shell.” Recently, nation-state actors were discovered exploiting the vulnerability to try to gain access to federal government networks.
The nature of supply chain attacks is that attackers will continue to go after the weakest link, and this is what we are seeing happen one year after the “Log4Shell” disclosure. At Chainguard, we’re on a mission to ensure that every link in the chain is secure by default. Our philosophy is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production.
Here’s a look at what’s new in Chainguard Enforce and what our customers have to say about the platform’s secure-by-default design that acts as a control plane for the full software development lifecycle.
Private Preview of Enforce Signing, Keyless Provenance Powered by Sigstore
Today we’re announcing Chainguard Enforce Signing, powered by Sigstore, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This new capability helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified.
Additionally, this capability allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy.
Software signatures are a critical part of software supply chain security, and getting them right is an ongoing effort rather than a one-time task. This is why it was important to the Chainguard team to provide our enterprise customers with the same benefits that Sigstore already offers as the de facto signing standard for many open source projects and libraries like Kubernetes, npm and PyPI, as well as enterprises like Verizon and Autodesk.
New Enterprise Security and Compliance Features
To enable customers operating at enterprise scale, we’re adding several new product features to the Chainguard Enforce developer security platform, including:
“Precisely is the global leader in data integrity, and that commitment extends to the integrity of the SaaS solutions we provide to customers around the world,” said Andy Kelly, Senior Director of DevOps at Precisely. “Our mission is to empower businesses to make confident decisions based on data that is accurate, consistent, and contextual – and delivered through software that is trusted and secure. We are pleased to work with Chainguard Enforce to ensure the software our developers build and deploy is safe, tamper-resistant and protected against attacks – across the software development lifecycle to production.”
We also recently announced that Chainguard Enforce is now available globally on AWS Marketplace, making it easier for enterprises to discover, try and purchase the platform through the channel they prefer. Learn more about Chainguard Enforce and how enterprise customers like Block, Inc. (Square, CashApp, TIDAL, etc.) are using the platform to build holistic software supply chain security solutions here.
Reach out to our team for a demo or to try the 30-day free trial to get hands-on with the Chainguard Enforce platform. Chainguard Enforce Signing will be an early access program in private preview for select customers.