Security

Chainguard’s Trail of Bits security assessment

Thomas Stromberg, Director of Security
May 14, 2024
copied

In February, we partnered with Trail of Bits, a leading security research company, to review the security of Chainguard's production environment. This partnership culminated in a formal threat model for Chainguard and a detailed security assessment. Trail of Bits' goal was to find a way to disrupt or introduce malicious packages into Chainguard's supply chain.

A high-level architectural diagram of Chainguard's system
A high-level architectural diagram of Chainguard's system

We are pleased to report that Trail of Bits found no critical issues as part of their security assessment. Even so, they provided us with code review findings and security recommendations, which we have since taken action on.

Code review findings

Command injection through Actions input [HIGH]

  • Description: The "Provision Prod Infrastructure" GitHub Action is vulnerable to command injection through unsafe handling of malicious input.
  • Status: FIXED. We have since removed this internal Terraform workflow. Command injection attacks are prevalent with GitHub Action workflows, so we also audited other repositories for them.

Insufficient redaction of CloudEvents [MEDIUM]

  • Description: The IdentityProvider, Cluster, and Policy protobuf message types are not redacted in CloudEvents, leading to potential leakage of sensitive data via CloudEvent subscriptions.
  • Status: FIXED. We audited our codebase and found that only IdentityProvider was capable of hosting sensitive data. We've updated our code to redact this message type.

Additional recommendations

After thoroughly reviewing our code base, Trail of Bits provided additional recommendations for securing our code base. While there is still work to be done, we've strengthened our security significantly since the report in the following ways:

Looking ahead

As part of our commitment to providing our customers with the highest level of security possible, Chainguard undergoes an independent security assessment every six months. In the meantime, we continue to work behind the scenes to reduce our surface area further and increase the number of safeguards we have to protect our users and customers. 

To download the complete Trail of Bits security assessment, please visit the Chainguard Trust Center.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.