The Sigstore policy-controller was built and designed to help improve the security of the software supply chain when paired with Sigstore’s suite of tooling like cosign, rekor, fulcio and more. As organizations and open source projects look to strengthen the integrity of their software, Sigstore’s policy-controller is a helpful tool which allows users to enforce policies on Kubernetes workloads based on verifiable and trusted supply-chain metadata from cosign.
To help users unlock the security benefits of the Sigstore policy-controller, Chainguard is open sourcing a new policy catalog that can be adopted incrementally to improve the security of your software supply chain.
Previously only available to Chainguard Enforce customers, the new policy catalog is being open sourced and is available today for existing policy-controller users, organizations and OSS projects. We welcome input from the community on new policies to include in the catalog as the software security landscape evolves and will maintain contributions directly through the open source catalog repo.
Building a secure software supply chain with policy-controller
The underlying principles upon which the Sigstore ecosystem is built are based on roots of trust: knowing where software came from, whether it is signed, if it came from a trusted source, and having confidence that it hasn’t been tampered with.
Several admission controllers today allow users to define policies for Kubernetes resources and workloads such as requiring signatures or attestations. The Sigstore policy-controller goes a step further by allowing you to use CUE or Rego languages to customize and create complex policies to suit your organization’s compliance needs. For example, to meet PCI-DSS, it is required that all vulnerabilities with a CVSS score higher than 4 are addressed. Our policy for failing images that have high or critical CVES (written in Rego to leverage cosign attestation data) can help you meet this need.
Additionally, Chainguard engineers worked with the Sigstore community to design a fully integrated and native cosign verification API that declares policies using YAML, a format that some users prefer.
Getting started with the policy catalog
Let’s look at some of the key policies in the policy catalog that you can get started with today to secure your software supply chain using Sigstore policy-controller:
Fail on High or Critical CVEs (REGO): Vulnerability attestation with no High or Critical CVEs.
Signature Policy: this enforces that all images are signed before they are allowed to be pushed to production.
Maximum Image Age (REGO): This checks that the maximum age an image is allowed to have is 30 days old. This is measured using the container image's configuration, which has a "created" field. Some build tools may fail this check because they build reproducibly, and use a fixed date (e.g. the Unix epoch) as their creation time, but many of these tools support specifying SOURCE_DATE_EPOCH, which aligns the creation time with the date of the source commit.
Log4Shell (CUE): Ensure that Log4shell is not running in your environment. A recent report found that 29% of vulnerable assets saw the reintroduction of Log4Shell even after full remediation was achieved. This policy will prevent reintroduction from being possible.
Building trust and integrity in the software artifacts that underpin the technologies we depend on requires an open approach. That is why the policy catalog is being released and maintained openly to advance adoption of admission controller tooling with supply chain security principles built in. Here are some key insights from the Sigstore community, maintainers and end users that highlight these benefits and more of the Sigstore policy-controller.
"This is not the year 2020 anymore. We have the data and the means to trace the integrity of our software supply chain and, now, with the policy controller and its catalog, we can have agency to enforce our security requirements. This is beyond a catalog, but rather the language to speak about software supply chains.” – Santiago Torres-Arias, Director of the Trustworthy Software Ecosystems Lab @ Purdue University
“The Sigstore policy-controller is an incredible tool that helps developers and maintainers everywhere enable stronger software supply chain security policies like enforcing software signatures and attestations, and preventing critical or high CVEs. The availability of the new open source policy catalog is an exciting opportunity for the Sigstore community and beyond to start unlocking these benefits with a clear path to the enforcement of software supply chain security policies.” – Priya Wadhwa, Software Engineer at Chainguard and member of the Sigstore Technical Steering Committee
“When I recently learned about Cosign, Sigstore policy-controller was a natural fit to make sure that my container images are signed before actually being deployed in my Kubernetes clusters. It was easy to get started with, and yet powerful. I was able to leverage an advanced setup on Google Kubernetes Engine (GKE) with Workload Identity to securely connect Sigstore policy-controller to Google Artifact Registry and Cloud KMS (see associated blog post). Last but not least, the Sigstore community and contributors are very active on Slack and GitHub, they were eager to answer my questions to help me in my learning journey.” – Mathieu Benoit, CNCF Ambassador
To get started with the policy catalog, visit the public repo here or watch this demo video that explores available policies:
If you are a Chainguard Enforce customer, you can use the policy catalog to set and enforce policies compatible with Sigstore policy-controller directly through the platform. Want to learn more about Chainguard Enforce and its rich policy enforcement and admission controller capabilities? Reach out to our team for a demo or start your 30-day free trial.