Chainguard Inc. added SBOM automation features to its Enforce product this week to keep pace with burgeoning regulations, but its Chainguard Images might ultimately be a more effective means of shoring up software supply chain security.
At least, that's the stance company executives and one early Chainguard adopter take, although the company plans to market an array of tools. Still, Chainguard's ultimate goal is to shift software supply chain security as far left in the DevSecOps process as possible, ideally back to the way container images are built.
The company's second product to ship, Chainguard Images, has thus become the linchpin of the vendor's long-term strategy. The image format strips out up to 80% of standard packages included in most container images and Linux operating system distributions, and with them a majority of known vulnerabilities.
"I believe that we have the best story for remediating vulnerabilities -- our Chainguard Images," said Kim Lewandowski, co-founder and head of product at Chainguard. "Basically, we're providing these hardened images, and we're dealing with it all so you don't have to."
Meanwhile, in the vein of product diversification, Chainguard's other product, Enforce, was updated this week to automatically ingest software bills of materials (SBOMs) for supported containers where they exist, automatically generate SBOMs using Syft where they don't, and perform automatic daily scans for vulnerabilities using Grype.
Chainguard co-founder Dan Lorenc had previously pointed out the limitations of vulnerability scanning tools, as well as their potential for false positive results. But Lewandowski added in an interview this week that such scans are still required by regulatory and governance frameworks such as FedRAMP.
"You have to run these vulnerability scans and provide a response … you have to acknowledge them," she said. "More security is better than less security."
Replicated starts with Images for supply chain security
The idea of starting with less vulnerable container images was the major selling point for Chainguard's commercial products at one early adopter customer, Replicated Inc., a Kubernetes-based software distribution service provider in West Hollywood, Calif. The company is in the final stages of preproduction testing with Chainguard Images, and plans to deploy them in production within the next month.
"Going back to the '90s, where we had to compile our own Unix kernels, you would always spend days ripping things out because you didn't need it, or it could be a potential security hole in the future, or to make things faster," said Andrew Storms, vice president of security at Replicated. "Today's mindset is like, 'Just throw everything and the kitchen sink in there because nobody wants to deal with it.' [Chainguard Images] are taking us back to those days where you knew everything that was in there."
Storms said he has begun to encourage his company's developers to build applications from the outset using Chainguard Images from the company's private registry or Chainguard's public registry where applicable, instead of pulling images from Docker Hub and other sources. If existing Chainguard Images aren't available, Storms said, he still steers developers toward Chainguard's Wolfi micro-OS to use in custom images.
Replicated will also evaluate the latest additions to Chainguard Enforce further down the road, according to Storms. For now, Enforce is primarily an interface into Images at the company.
Eventually, though, Chainguard Enforce's new automatic SBOM generation feature and vulnerability scans will likely be of interest to Replicated's end users that request SBOMs or have questions about vulnerabilities, he said. Another Enforce feature added this week, a central console for filtering and searching on SBOM data, also seems like a potentially good fit for helping customers assess vulnerabilities, he said.
"It's going to be really valuable to have one place to go check without having to go pull out my command-line tools and sort through all kinds of machine-readable, not human-readable formats," Storms said.
When trying to demonstrate to a customer that a vulnerability report is actually a false positive, for example, "you end up taking them through this horrendous 12 steps of command-line stuff, and you're trying to convince the C-levels at your customer that you've done the right thing, and their eyes glaze over," Storms said.
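The triage Storms describes, reduced to a small script that reads a Grype vulnerability report (the scanner Enforce now runs daily) and separates findings already documented as false positives from the ones still open, producing one readable summary instead of a pile of command-line output. This is an added example, not Chainguard's or Replicated's code; it assumes the `grype -o json` field layout (`matches[].vulnerability` and `matches[].artifact`), and the sample report, package names and CVE ids are constructed.

```python
"""Triage a Grype JSON vulnerability report against a documented allowlist."""
import json
from collections import Counter

# Constructed sample in the shape of `grype -o json`; ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.3-r1"], "state": "fixed"}},
         "artifact": {"name": "libfoo", "version": "1.2.2-r0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "busybox", "version": "1.36.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libbar", "version": "2.0.0-r0"}},
    ]
})

# Documented false-positive / accepted-risk decisions: (CVE id, package) -> justification.
ACCEPTED = {
    ("CVE-0000-0003", "libbar"): "vulnerable function is never linked into the image",
}

def triage(report_json, accepted):
    """Split matches into open and accepted findings; count open ones by severity."""
    report = json.loads(report_json)
    open_findings, accepted_findings = [], []
    for m in report["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        entry = {"id": vuln["id"], "package": art["name"], "version": art["version"],
                 "severity": vuln["severity"],
                 # Show the fixed version when one exists, else the fix state.
                 "fix": ", ".join(vuln["fix"]["versions"]) or vuln["fix"]["state"]}
        key = (vuln["id"], art["name"])
        if key in accepted:
            entry["reason"] = accepted[key]
            accepted_findings.append(entry)
        else:
            open_findings.append(entry)
    return open_findings, accepted_findings, Counter(f["severity"] for f in open_findings)

def render(open_findings, accepted_findings, counts):
    """Plain-text summary suitable for handing to a non-technical reviewer."""
    lines = [f"Open: {sum(counts.values())} ({', '.join(f'{s}={n}' for s, n in sorted(counts.items()))})"]
    lines += [f"  {f['id']} {f['package']} {f['version']} [{f['severity']}] fix: {f['fix']}" for f in open_findings]
    lines.append(f"Accepted: {len(accepted_findings)}")
    lines += [f"  {f['id']} {f['package']} -- {f['reason']}" for f in accepted_findings]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(*triage(SAMPLE_REPORT, ACCEPTED)))
```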
Chainguard to-do list: Beyond containers?
Given its emphasis on container images, Chainguard also remains a distinctly cloud-native company. It primarily supports workloads that run in containers, whether its own or other widely used image formats, as well as serverless computing from cloud vendors such as AWS Lambda and Google Cloud Run.
However, the company has competitors -- such as Rezilion -- that also automatically create SBOMs, search them and provide vulnerability data, and push a shift-left agenda. Moreover, such SBOM competitors support workloads in VMs as well as containers, a feature one analyst said Chainguard should consider despite its cloud-native roots.
"For organizations running the majority or all of their workloads in containers, Chainguard can provide them with many of the capabilities needed to secure their software supply chains," said Katie Norton, an analyst at IDC. "However, this focus on containers might also be a limitation, especially as they look to expand into enterprises that have complex and varied infrastructure. … Some of these enterprises might be seeking solutions that can help secure their supply chain, regardless of where the workload is deployed."
Container usage is still growing, according to IDC's research, but in the company's most recent DevOps survey, 44% of 311 respondents said they still have applications that run on mainframes, let alone VMs, Norton said.
"Organizations are left exposed if they only secure a part of their software supply chain," she said. "Granted, some is better than none."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.