|New Software Signing Capability For Chainguard Enforce|
|Written by Sue Gee|
|Thursday, 08 December 2022|
Chainguard has announced new capabilities in its software supply chain risk management platform, Chainguard Enforce. These include a software signing service powered by Sigstore.
Chainguard is on a mission to ensure that every link in the software supply chain is secure by default. Its philosophy is:
you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production.
Chainguard Enforce is its risk management platform designed to ensure continuous compliance and enforce policies that protect an organization from supply chain threats. Announced in April 2022 it became Generally Available in September and recently became available on the AWS Marketplace making it easier for enterprises to discover, try and purchase the platform.
As Kim Lewandowski, Chainguard's Founder, explained:
Attacks are happening at each and every point along the chain, from the way code gets built, to its deployment, to how it’s run and then packaged and shipped to end users. Because software supply chain security covers the entire development lifecycle, it isn’t like other areas in security where point solutions can solve it. An iterative approach to addressing the security of the entire software supply chain is needed to make long term progress. Chainguard Enforce has been designed to help organizations on this journey ensure only trusted container images are allowed to move through their supply chains and deployed to their clusters.
Chainguard Enforce enables clients to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in your clusters. It has four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake, a real-time asset inventory that provides visibility into the security posture across an organization.
Now several new features are being added. The headline capability is Chainguard Enforce Signing, which enables customers to generate digital signatures for software artifacts inside their own organization using their individual identities and one-time-use keys. This feature, powered by Sigstore the open source project now under the auspices of the Linux Foundation, helps organizations ensure the integrity of container images, code commits, and other artifacts with private signatures that can be validated at any point an artifact needs to be verified. Additionally, Enforce Signing allows customers to bring their own key and certificate, so key usage can be monitored and audited per compliance and privacy requirements. No information is stored in a public transparency log, so customers get the value of Sigstore without losing any privacy.
Other new features in Enforce include:
or email your comment to: firstname.lastname@example.org
|Last Updated ( Thursday, 08 December 2022 )|