Chainguard’s Trail of Bits security assessment
In February, we partnered with Trail of Bits, a leading security research company, to review the security of Chainguard's production environment. This partnership culminated in a formal threat model for Chainguard and a detailed security assessment. Trail of Bits' goal was to find a way to disrupt or introduce malicious packages into Chainguard's supply chain.
We are pleased to report that Trail of Bits found no critical issues as part of their security assessment. Even so, they provided us with code review findings and security recommendations, which we have since taken action on.
Code review findings
Command injection through Actions input [HIGH]
Description: The "Provision Prod Infrastructure" GitHub Action is vulnerable to command injection through unsafe handling of malicious input.
Status: FIXED. We have since removed this internal Terraform workflow. Command injection attacks are prevalent in GitHub Actions workflows, so we also audited our other repositories for them.
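An audit like this can be partly automated. The sketch below is an added example, not Chainguard's or Trail of Bits' code: it assumes the common form of this bug class, where an `${{ inputs.* }}` or `${{ github.event.* }}` expression is expanded directly inside a `run:` script, and it runs on a constructed workflow with a hypothetical `workspace` input.

```python
import re

# Expression contexts an outside party can influence when triggering a workflow.
UNTRUSTED = re.compile(r"\$\{\{\s*(?:inputs\.|github\.event\.|github\.head_ref)[^}]*\}\}")
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)")

def find_run_injections(workflow_text):
    """Return (line_no, expression) pairs for untrusted expressions in run: scripts."""
    findings, run_indent = [], None  # run_indent: column of `run:` while in a block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None:
            if not stripped or indent > run_indent:  # still inside the script body
                findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
            run_indent = None  # dedent: the block scalar has ended
        key = RUN_KEY.match(stripped)
        if key and key.group(2)[:1] in ("|", ">"):  # multi-line script follows
            run_indent = indent + len(key.group(1) or "")
        elif key:  # single-line script
            findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(key.group(2))]
    return findings

# Constructed samples (hypothetical workflow, not Chainguard's).
STEPS = "jobs:\n  provision:\n    runs-on: ubuntu-latest\n    steps:\n"
VULNERABLE = STEPS + """\
      - name: select workspace
        run: |
          terraform workspace select ${{ inputs.workspace }}
"""
HARDENED = STEPS + """\
      - name: select workspace
        env:
          WORKSPACE: ${{ inputs.workspace }}
        run: |
          terraform workspace select "$WORKSPACE"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_run_injections(text))
```

The hardened sample passes the input through `env:` and quotes the shell variable, so the value reaches the script as data rather than as script text.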
Insufficient redaction of CloudEvents [MEDIUM]
Description: The IdentityProvider, Cluster, and Policy protobuf message types are not redacted in CloudEvents, leading to potential leakage of sensitive data via CloudEvent subscriptions.
Status: FIXED. We audited our codebase and found that only IdentityProvider was capable of hosting sensitive data. We've updated our code to redact this message type.
Additional recommendations
After thoroughly reviewing our code base, Trail of Bits provided additional recommendations for securing it. While there is still work to be done, we've strengthened our security significantly since the report in the following ways:
Dramatically reduced our use of long-lived GitHub credentials through Octo STS
Deployed StepSecurity to provide security monitoring for GitHub Actions
Access to all GitHub organizations requires a FIDO security key for 2FA
The few remaining virtual machines now require uncached FIDO security key actuation
GitHub PAT usage is monitored for anomalies using Elastic Security
Employee access to our production network alerts an on-call engineer. Read more about this in our blog post on audited least privilege.
Looking ahead
As part of our commitment to providing our customers with the highest level of security possible, Chainguard undergoes an independent security assessment every six months. In the meantime, we continue to work behind the scenes to reduce our surface area further and increase the number of safeguards we have to protect our users and customers. To download the complete Trail of Bits security assessment, please visit the Chainguard Trust Center.