Introducing automatic vulnerability analysis features in Chainguard Enforce

Priya Wadhwa, Engineering Manager
July 19, 2023

Any organization focused on securing the software supply chain has faced the challenge of vulnerability management. When one CVE is patched, another is on the way. This is a complex problem on its own, and because of recent federal requirements for software self-attestations and FedRAMP, not having a handle on software vulnerabilities can have significant consequences for meeting government compliance.

Whether you are already addressing vulnerability management in your organization or are just getting started, Chainguard Enforce can help. Today, we're announcing a new vulnerability analysis capability in the Chainguard Enforce platform that includes automatic daily vulnerability scanning, vulnerability report generation, and vulnerability filtering and search right in the console. Together, these features let you monitor all of the software components running in your environment and take much of the headache out of vulnerability management.

Starting today, Chainguard Enforce will automatically generate daily vulnerability reports for supported container workloads using Grype. This keeps you aware of newly published vulnerabilities that affect your running workloads, and it means you no longer have to wire vulnerability scanning into every build pipeline yourself. When a critical or high severity vulnerability is disclosed, you can quickly find out whether an affected package is running in your cluster. Here's what you can expect from the new vulnerability analysis capability in Chainguard Enforce.

Automatically ingested vulnerability reports and new vulnerability report generation 

When you run a workload on a supported platform (Amazon EKS, Google Cloud GKE, or Google Cloud Run), Chainguard Enforce first checks whether vulnerability reports are already attached to the workload's container images and ingests them. Reports attached as signed cosign attestations are supported too, for example a vulnerability report uploaded with cosign attest as an in-toto attestation. Enforce accepts reports in Grype's JSON output format.

If you're not already generating vulnerability scans, it may be because you build many images across a variety of CI/CD pipelines and integrating a scanner into every one of them is difficult. You can try to add scanning to every environment, but that is time-consuming, and achieving comprehensive coverage across all of your build systems is complicated. If you are already generating scans, that's great! But what happens when a new vulnerability is disclosed after the image was built, and how do you know whether it's running in your cluster? Are you continuously rescanning everything in production?

If a container image has no existing vulnerability report, Enforce automatically creates one using Grype, so you don't have to generate scan reports yourself or perform any additional steps. To create the report, Enforce scans the SBOM it previously generated or ingested for that image rather than the image itself, so the findings are scoped to the packages listed in that SBOM; a vulnerability in a component the SBOM does not capture will not appear in the report, which is one more reason to keep SBOM generation accurate.

No user action or configuration is required to generate these automatic vulnerability reports. As soon as Enforce detects a container image running in one of your clusters without a vulnerability report, it generates one for you. Enforce then rescans your images every 24 hours and produces a fresh report, so the vulnerabilities shown reflect the current state of the vulnerability database rather than the state at build time.

Searching and filtering vulnerabilities in the Enforce console

Visibility is key to understanding what software you are running and whether it carries known vulnerabilities. Chainguard Enforce provides a search function in the console that lets you search by CVE ID, package name, package version, or severity level.

Using the search feature, you can find the details of a particular vulnerability and confirm whether it is present anywhere in your environment. Whether you need to investigate a vulnerability or confirm that certain packages are not in use, the vulnerability search in Enforce makes this information easy to reach.

For example, in the Enforce console view below, we can see that there are 6 Critical and 122 High severity CVEs found in the test cluster. Alongside each CVE are the affected package, the package version, and the images and clusters it was found in. We can also see how many of these CVEs have fixes available.
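To make the ingestion and search behaviour described above concrete, here is an added example (not Chainguard's code, and not how Enforce is implemented) that does two things: it unwraps a vulnerability report delivered as an in-toto statement of the kind `cosign attest --type vuln` produces, refusing it if the subject digest is not the image being ingested for, and it filters a Grype-format JSON report by CVE ID, package, severity floor and fix availability, and tallies the Critical/High counts and fixable count the console shows. The report, CVE IDs, package names and image digest are constructed placeholders, and the assumption that the raw scanner output sits under `predicate.scanner.result` follows cosign's vuln predicate layout; signature verification of the DSSE envelope is left to `cosign verify-attestation` and is not performed here.

```python
"""Added example: ingest a vuln attestation and search a Grype-format report."""
from collections import Counter
from dataclasses import dataclass

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
# Predicate type cosign uses for `cosign attest --type vuln`.
VULN_PREDICATE_TYPES = {"https://cosign.sigstore.dev/attestation/vuln/v1"}
# Grype severity labels, ordered so a "minimum severity" filter can compare them.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass(frozen=True)
class Match:
    cve: str
    severity: str
    package: str
    version: str
    fixed_in: tuple  # versions that fix it; empty when no fix is available


def _normalize_severity(label):
    label = (label or "Unknown").capitalize()
    return label if label in SEVERITY_RANK else "Unknown"


def parse_grype_report(report):
    """Flatten Grype's JSON output (matches[].vulnerability / matches[].artifact)."""
    out = []
    for m in report.get("matches", []):
        vuln, artifact = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix") or {}
        fixed = tuple(fix.get("versions", [])) if fix.get("state") == "fixed" else ()
        out.append(Match(vuln["id"], _normalize_severity(vuln.get("severity")),
                         artifact["name"], artifact["version"], fixed))
    return out


def unwrap_vuln_attestation(statement, expected_digest):
    """Return the scanner output carried by an in-toto statement, or raise.
    The subject digest must be the image we are ingesting for; otherwise a
    report for some other image could be attached to this one."""
    if statement.get("_type") != IN_TOTO_STATEMENT:
        raise ValueError("not an in-toto statement")
    if statement.get("predicateType") not in VULN_PREDICATE_TYPES:
        raise ValueError("unexpected predicate type %r" % statement.get("predicateType"))
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_digest not in digests:
        raise ValueError("attestation subject does not match the image digest")
    # Assumption: raw scanner output lives at predicate.scanner.result (cosign vuln predicate layout).
    return statement["predicate"]["scanner"]["result"]


def search(matches, *, cve=None, package=None, min_severity=None, fixable_only=False):
    """Filter like the console search: exact CVE ID, substring on package, severity floor, has-fix."""
    floor = SEVERITY_RANK[_normalize_severity(min_severity)] if min_severity else 0
    hits = []
    for m in matches:
        if cve and m.cve.lower() != cve.lower():
            continue
        if package and package.lower() not in m.package.lower():
            continue
        if SEVERITY_RANK[m.severity] < floor:
            continue
        if fixable_only and not m.fixed_in:
            continue
        hits.append(m)
    return hits


def summarize(matches):
    """Counts by severity plus how many findings already have a fix available."""
    by_sev = Counter(m.severity for m in matches)
    return {"total": len(matches), "fixable": sum(1 for m in matches if m.fixed_in),
            "by_severity": dict(by_sev)}


# ---- constructed sample data (placeholder CVE IDs, package names and digest) ----
IMAGE_DIGEST = "a" * 64
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2023-00001", "severity": "Critical", "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample-a", "version": "1.2.3", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-00002", "severity": "Critical", "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libexample-b", "version": "2.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-00003", "severity": "High", "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "libexample-b", "version": "2.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-00004", "severity": "High", "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "tool-c", "version": "0.9.0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2023-00005", "severity": "Medium", "fix": {"versions": ["1.2.5"], "state": "fixed"}},
     "artifact": {"name": "libexample-a", "version": "1.2.3", "type": "deb"}},
]}
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT,
    "predicateType": "https://cosign.sigstore.dev/attestation/vuln/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {"scanner": {"uri": "pkg:github/anchore/grype", "result": SAMPLE_REPORT}},
}

if __name__ == "__main__":
    found = parse_grype_report(unwrap_vuln_attestation(SAMPLE_STATEMENT, IMAGE_DIGEST))
    print(summarize(found))
    for hit in search(found, min_severity="High", fixable_only=True):
        print(hit.cve, hit.package, hit.version, "->", ", ".join(hit.fixed_in))
```

The digest check is the part worth copying: an attestation is only evidence about the artifact named in its subject, so an ingest path should bind the report to the image digest it was fetched for, not just to a tag. The severity floor uses Grype's own labels, so a report with an unrecognised label falls through as Unknown rather than silently matching a higher tier.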

Pro tip! If you want to start reducing CVE sprawl in your base images, check out Chainguard Images, our suite of minimal, hardened container images that contain only what is required to build or run your application, delivering on average a 97.6% reduction in CVEs.

Vulnerability management is a complicated but necessary part of software supply chain security. With the new vulnerability analysis capabilities in Enforce, we can do much of the heavy lifting for you. If you're an existing Enforce customer, visit Chainguard Academy to get started with these capabilities today.

If you are interested in tools that can help your organization’s vulnerability management strategy, reach out to our team to learn more about Enforce. 

Chainguard will be at Hacker Summer Camp in Las Vegas, NV on August 9 - 13. Check out our booth #SC208 at Black Hat or book a meeting with our team on site.
