Chainguard Launches Platform to Enforce Secure Containers

Chainguard today launched a platform that ensures only trusted container images are run on Kubernetes clusters to ensure the integrity of a software supply chain.

Chainguard Enforce! is the first product from the company, which was founded by former Google employees with a long history of working on open source software security. Chainguard co-founder Kim Lewandowski says it was created to help CISOs gain control over container deployments that, in many instances, have become the security equivalent of the wild, wild west.

Company co-founder Dan Lorenc adds that Chainguard Enforce! enables IT and security teams to define, observe, distribute and enact policies that prevent unauthorized containers from being allowed to run within a DevOps workflow.

Chainguard Enforce! consists of a policy agent, build system integrations, continuous verification and an evidence lake that can be accessed via either a command-line interface (CLI) or user interface (UI). The read-only policy agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multiple clusters. It comes with a curated set of policy definitions based on the supply chain levels for software artifacts (SLSA) framework defined by Google and the Secure Software Development Framework (SSDF) defined by the National Institute of Standards and Technology (NIST) in the U.S.

It also provides integrations for continuous integration platforms such as GitHub Actions, CircleCI, BuildKite and GitLab to establish a record of the source code used to build each container. Continuous verification ensures that deployed container images stay in compliance with defined policies. Any deviations will trigger an alert that can be shared via alerting and ticketing platforms such as Slack and Jira.

Finally, the evidence lake provides access to a real-time asset inventory that provides visibility into the overall security posture of the Kubernetes application environment.

Chainguard is trying to enable IT and security teams to strike a balance between the flexibility that containers and DevOps workflows provide and the need for more secure software supply chains, which have become a much larger issue in the wake of a series of high-profile security breaches, says Lorenc.

The challenge with containers is that it is simply too easy for developers to inadvertently employ containers to encapsulate software components that have known vulnerabilities, adds Lewandowski. Chainguard Enforce! not only prevents those containers from running, it also makes it easier to identify which containers might include a zero-day vulnerability that might only have been discovered after a container is deployed, she adds.

It’s not clear to what extent organizations are now embracing best DevSecOps practices to ensure the security of Kubernetes application environments. Regardless of approach, the need to make sure only validated containers are allowed to run is becoming a major security issue. It’s not all that difficult for cybercriminals to make available a seemingly innocuous reusable container that is, in fact, infested with malware. The challenge is to implement the policies required to secure those environments without impeding the overall rate at which applications are being built and deployed.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard