It’s easy to talk about securing the software supply chain. The trick is actually doing it. Now, Chainguard, the new zero trust security company, in order to make the software supply chain secure by default, has released Chainguard Images.
Chainguard Images are container base images designed for a secure software supply chain. They do this by providing developers and users with continuously updated base container images with zero-known vulnerabilities.
These images are based on Chainguard’s open source distroless image project. These are minimal Linux images based on Alpine Linux and Busybox. By cutting all but absolutely necessary software elements, Chainguard Images have the smallest possible attack surfaces.
While these open source images don’t have Chainguard’s guarantees, they are continually updated and kept as bare-bones as possible. These are perfect for open source projects and organizations that don’t need support and guarantees. Or, to just give this approach a try before committing to the commercial Chainguard Images.
Based on Open Source Projects
Chainguard Images are built using its open source projects apko and melange. These tools leverage the Android Package (apk) ecosystem to provide declarative, reproducible builds with a full Software Bill of Materials (SBOM). The images also support the industry-standard, Open Source Vulnerability (OSV) schema for vulnerability information.
People have tried to offer clean images before, but it’s hard to do. To accomplish this feat, Chainguard uses its own first product, Chainguard Enforce. In particular, Enforce’s Evidence Lake provides a real-time asset inventory of containerized programs’ components. Evidence Lake, in turn, is based on the open-source Sigstore project. It secures software supply chains by creating digital signatures for the program’s elements.
Painless Vulnerability Management
On top of this, Chainguard has built what they call “Painless Vulnerability Management.”
This is a manually curated vulnerability feed. The company then puts its money where its mouth is. Chainguard offers Service Level Agreements (SLA)s for its images. They guarantee to provide patches or mitigations for new vulnerabilities. You don’t have to constantly monitor security disclosures. Chainguard does it for their Images so you don’t have to.
All Chainguard images come signed. They also include a signed SBOM. Signatures and provenance can be traced and verified with Sigstore. These signatures and signing information are kept in a public Rekor transparency log.
The company is also providing Federal Information Processing Standards (FIPS) compliant variants of its images for government organizations. FIPS validation is coming soon.
The images are also designed to achieve high Supply-chain Levels for Software Artifacts (SLSA) ratings. As part of this, the Chainguard Images are meant for “full reproducibility.” That is, Chainguard explained, “any given image can be bitwise recreated from the source.”
At least one customer is already sold on Chainguard’s new offering. Tim Pletcher, an HPE Research Engineer at the Office of the Security CTO, said, “We are excited about the prospect of an actively curated base container image distro that has the potential to allow HPE to further enhance software supply chain integrity for our customers.”
Finally to make all this happen and keep it going into the future Chainguard has also raised a $50 million Series A financing round. This is being led by Sequoia Capital and numerous other venture capitalists and angel investors. In other words, both technically and financially, Chainguard Images are set to make a major difference in securing the cloud native computing world.