Chainguard Secure Software Supply Chain Images Arrive The New Stack – thenewstack.io

Posted on by

Its easy to talk about securing the software supply chain. The trick is actually doing it. Now, Chainguard, the new zero trust security company, in order to make the software supply chain secure by default, has released Chainguard Images.

Chainguard Images are container base images designed for a secure software supply chain. They do this by providing developers and users with continuously updated base container images with zero-known vulnerabilities.

These images are based on Chainguards open source distroless image project. These are minimal Linux images based on Alpine Linux and Busybox. By cutting all but absolutely necessary software elements, Chainguard Images have the smallest possible attack surfaces.

While these open source images dont have Chainguards guarantees, they are continually updated and kept as bare-bones as possible. These are perfect for open source projects and organizations that dont need support and guarantees. Or, to just give this approach a try before committing to the commercial Chainguard Images.

Chainguard Images are built using its open source projects apko and melange. These tools leverage the Android Package (apk) ecosystem to provide declarative, reproducible builds with a full Software Bill of Materials (SBOM). The images also support the industry-standard, Open Source Vulnerability (OSV) schema for vulnerability information.

People have tried to offer clean images before, but its hard to do. To accomplish this feat, Chainguard uses its own first product, Chainguard Enforce. In particular, Enforces Evidence Lake provides a real-time asset inventory of containerized programs components. Evidence Lake, in turn, is based on the open-source Sigstore project. It secures software supply chains by creating digital signatures for the programs elements.

On top of this, Chainguard has built what they call Painless Vulnerability Management.

This is a manually curated vulnerability feed. The company then puts its money where its mouth is. Chainguard offers Service Level Agreements (SLA)s for its images. They guarantee to provide patches or mitigations for new vulnerabilities. You dont have to constantly monitor security disclosures. Chainguard does it for their Images so you dont have to.

All Chainguard images come signed. They also include a signed SBOM. Signatures and provenance can be traced and verified with Sigstore. These signatures and signing information are kept in a public Rekor transparency log.

The company is also providing Federal Information Processing Standards (FIPS) compliant variants of its images for government organizations. FIPS validation is coming soon.

The images are also designed to achieve high Supply-chain Levels for Software Artifacts (SLSA) ratings. As part of this, the Chainguard Images are meant for full reproducibility. That is, Chainguard explained, any given image can be bitwise recreated from the source.

At least one customer is already sold on Chainguards new offering. Tim Pletcher, an HPE Research Engineer at the Office of the Security CTO, said, We are excited about the prospect of an actively curated base container image distro that has the potential to allow HPE to further enhance software supply chain integrity for our customers.

Finally to make all this happen and keep it going into the future Chainguard has also raised a $50 million Series A financing round. This is being led by Sequoia Capital and numerous other venture capitalists and angel investors. In other words, both technically and financially, Chainguard Images are set to make a major difference in securing the cloud native computing world.

Featured image by IO-ImagesfromPixabay

See the article here:

Chainguard Secure Software Supply Chain Images Arrive The New Stack - thenewstack.io

Related Posts
This entry was posted in $1$s. Bookmark the permalink.