Introducing Chainguard Enforce: A pragmatic solution for software supply chain security

Kim Lewandowski, Chief Product Officer
April 26, 2022

Today, we’re announcing our first product, Chainguard Enforce! Chainguard Enforce is a software supply chain native solution for containerized workloads. Chainguard Enforce enables you to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in your clusters. The goals of Chainguard Enforce are to deliver a seamless developer experience with security built in, and a platform for CISOs to manage organization-wide security controls.

After speaking with over 50 organizations about their software supply chain challenges, it was clear security leaders share a similar concern: it’s impossible to be confident about the code running in production environments. This problem is compounded by the use of open source software and the sheer number of intertwined dependencies. It’s impossible to decide what code should be trusted when the data simply isn’t available to make those decisions. Furthermore, organizations spend an exorbitant amount of time after a supply chain attack trying to assess whether they’re running the vulnerable software and are impacted. There are limited options for production supply chain security controls today, yet emerging frameworks like SLSA and NIST’s SSDF require them.

"Insider risks are top of mind for us. The capabilities Chainguard Enforce provides are filling critical gaps across our organization."

—Jim Higgins, CISO at Block

Let’s walk through an example use case before diving into more details about the product. As an organization, you may decide that you want to prevent unwanted container images from being deployed by only allowing those that have been signed by trusted authorities, like a build system that you’ve hardened. Chainguard Enforce simplifies this entire journey, giving you confidence in the container images running in production, with the added benefit of knowing where they came from and how they got there.

Component Breakdown

Chainguard Enforce consists of four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake.

The read-only Policy Agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multi-cluster environments. The Agent integrates with many Kubernetes platforms like EKS, AKS, and GKE today. It comes with a curated set of policy definitions based on the open-source SLSA and NIST SSDF standards, and also supports a full policy language for defining custom policies.

Chainguard Enforce includes Build System Integrations for most popular CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to establish a record of what source code was used to build each container. In most cases, it takes less than a day for DevOps teams to install and configure these build system integrations.

Continuous Verification ensures that deployed container images stay in compliance with your defined policies, and any deviation triggers an alert.

Last but not least, the Evidence Lake is a real-time asset inventory that provides visibility into the security posture across an organization. The data can be used to power developer tooling, incident recovery, debugging, and audit automation. There are also integrations available for popular alerting and ticketing platforms such as Slack and Jira.

Serving the software supply chain

We know that making things frictionless for developers is the best way to support the adoption of more secure solutions. That is why we worked hard to make Chainguard Enforce a part of existing infrastructure workflows so that it does not slow down engineering and DevOps teams. In fact, Chainguard Enforce will help to boost productivity by giving them deep insights into production workloads: knowing what’s running where and when.

The team behind Chainguard Enforce is active across open-source communities, and its members are leaders in security standards working groups. Chainguard Enforce is the first tool with built-in support for modern ‘keyless’ software signing through the Sigstore open source standard. We have built this tool with these stakeholders and developers in mind, in the hopes of making the software supply chain more secure by default.

Get on the list!

Whether you’re concerned about running your own containers, or untrusted containers, start your supply chain journey today with Chainguard Enforce. Reach out to get on our early access program list, or to schedule a demo!

We are also looking for participants to try out some new features and provide feedback. If you’re passionate about containers or security (or both!), and interested in helping us through a paid, 90-minute session, fill out this form and we’ll be in touch!
