Software bills of materials (SBOMs) more than any other software supply chain security concept or technology have been top of mind for software producers and consumers striving for greater software transparency. The recent rise in supply chain attacks has continued to raise awareness of the need to know where software comes from, what dependencies it has and how it gets built. In response, the federal government has placed SBOMs as a cornerstone requirement under Executive Order 14028 in addition to CISA’s recent self-attestation form that applies to vendors who sell software to agencies. Even the FDA is now requiring that manufacturers of medical devices provide an SBOM for the commercial, open-source and off-the-shelf software components contained within the device.
Today, Chainguard is announcing the availability of new features in the Enforce platform to help customers generate, ingest and organize SBOMs across their Kubernetes and Google Cloud Run environments. Chainguard Enforce was designed to enhance the value of SBOMs by harnessing the information they provide to better understand everything that’s running in a given cluster. These new Enforce SBOM features will help organizations make the most out of SBOMs in cloud workloads, including:
Out-of-the-box SBOM generation and collection
Developers, security professionals and even auditors within an organization must know what software packages are deployed, at what time, where and by whom. With this information readily available, one can answer questions like: Are any software packages deployed in our environment that violate certain licensing terms? Are any packages being deployed tagged as latest? Are they coming from a known and trusted registry? Are we affected by CVE-2021-44832 (Log4j) and, if so, where are we vulnerable?
SBOMs are designed to help answer these questions and more, but the more complex an environment is, the more information you need to be able to collect, find and understand to make SBOMs actually useful. For example, what if your cluster is running hundreds of workloads with at least that many container images in it? Then, each container image has hundreds or thousands of packages. Now multiply this by the number of clusters across all of your cloud and non-cloud environments. This is where Chainguard Enforce is uniquely designed to help you break through the noise and streamline the most important information that is going to be most useful to your organization’s SBOM strategy.
With the new SBOM features in Enforce, the platform will automatically ingest SBOMs attached to your container images and allow you to search packages and track them back to the workload and the cluster they are running in. When Enforce ingests an SBOM, it converts the SBOM’s JSON structure into structured data that can be queried within a database. This allows the Enforce platform to retrieve key information about an SBOM, like the packages contained within it, their versions and their license details. Chainguard Enforce supports both the SPDX and CycloneDX SBOM schemas, meaning that SBOMs must conform to one of these standards in order for Enforce to ingest them.
But what if your container images do not have SBOMs today? If you have a container image without an existing SBOM, Enforce will automatically create an SBOM using Syft. This means that you don’t have to worry about generating the SBOM yourself or performing any additional steps. Chainguard Enforce’s SBOM generation tool takes care of it for you, ensuring that you have comprehensive package information for each image. Generated SBOMs will be clearly indicated in the Enforce console. This helps you identify which SBOMs were generated on-demand and which ones were ingested from external sources. Generated SBOMs will be exportable in SPDX format.
To streamline and simplify this process, we don’t require any customer action to enable SBOM generation. As soon as we detect a container image running in one of your clusters without an SBOM, Enforce will generate one for you.
To learn more about how Chainguard Enforce ingests and generates SBOMs, visit Chainguard Academy. If attestations and signatures are an important part of your organization’s SBOM strategy, check out this article to learn the differences between SBOMs and attestations and how each is handled by Enforce.
Searching and filtering SBOMs in the console
Chainguard Enforce provides a powerful search functionality in the platform’s console, allowing you to easily search for specific packages, versions, licenses or even a file within your SBOMs.
Using the search feature, you can find relevant information about a particular package or version, ensuring that you stay informed about the software components in your environment. Whether you are investigating vulnerabilities, ensuring license compliance or tracking specific versions, Enforce’s SBOM search and filtering feature makes finding this information more accessible.
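To make the ingest-then-search flow above concrete, here is an added example (not Enforce's own code) that normalizes an SPDX 2.x JSON and a CycloneDX JSON SBOM into package records and then answers the package and license questions from the post; the image names and SBOM contents are constructed samples.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str  # SPDX id/expression, or "NOASSERTION" when the SBOM gives none


def parse_sbom(text):
    """Normalize an SPDX 2.x or CycloneDX JSON document into Package records."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        pkgs = []
        for c in doc.get("components", []):
            # CycloneDX licenses are a list of {"license": {"id"|"name"}} or {"expression"}
            ids = [lic.get("expression") or lic.get("license", {}).get("id")
                   or lic.get("license", {}).get("name") for lic in c.get("licenses", [])]
            pkgs.append(Package(c["name"], c.get("version", ""),
                                ", ".join(i for i in ids if i) or "NOASSERTION"))
        return pkgs
    if "spdxVersion" in doc:
        # SPDX carries the version in versionInfo and prefers the concluded license
        return [Package(p["name"], p.get("versionInfo", ""),
                        p.get("licenseConcluded") or p.get("licenseDeclared") or "NOASSERTION")
                for p in doc.get("packages", [])]
    raise ValueError("unsupported SBOM schema: expected SPDX or CycloneDX JSON")


# Constructed sample SBOMs, one per schema (assumed package contents, not real images).
SPDX_SBOM = """{"spdxVersion": "SPDX-2.3", "name": "api-image",
 "packages": [{"name": "log4j-core", "versionInfo": "2.14.1", "licenseConcluded": "Apache-2.0"},
              {"name": "readline", "versionInfo": "8.1", "licenseDeclared": "GPL-3.0-only"}]}"""
CDX_SBOM = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [{"name": "log4j-core", "version": "2.17.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
                {"name": "busybox", "version": "1.36.1", "licenses": [{"expression": "GPL-2.0-only"}]}]}"""


def build_inventory():
    """Map each running image (constructed names) to its normalized package list."""
    return {"registry.example/api:1.2": parse_sbom(SPDX_SBOM),
            "registry.example/worker:3.0": parse_sbom(CDX_SBOM)}


def find_package(inventory, name):
    """Which images ship a package with this name, and at which version?"""
    return [(img, p) for img, pkgs in inventory.items() for p in pkgs if p.name == name]


def find_by_license(inventory, prefix):
    """Which packages carry a license starting with prefix, e.g. 'GPL-' for a copyleft review?"""
    return [(img, p) for img, pkgs in inventory.items() for p in pkgs if p.license.startswith(prefix)]
```

Running `find_package(build_inventory(), "log4j-core")` lists every image and version of that package, which is the "where are we vulnerable?" lookup once a vulnerable version range is known.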
At Chainguard, our mission is to make the software supply chain secure by default. A big part of helping organizations secure their software supply chains is offering a solution that provides deep visibility into what software is running, where it came from and what dependencies it has. Chainguard Enforce is more than just an enterprise-ready admission controller for Kubernetes clusters. It’s a powerful, comprehensive platform that acts as a control plane for your software supply chain. Today, the platform has capabilities for securing the software supply chain like workload discovery, policy enforcement, continuous verification and now capabilities to ingest and generate SBOMs. Chainguard Enforce can help customers not only comply with upcoming federal requirements for SBOMs and self-attestations, but also be prepared for when the next Log4j-type vulnerability hits. To get started with Enforce today, reach out to our team.
Chainguard will be at Hacker Summer Camp in Las Vegas, NV on August 9 - 13. Check out our booth #SC208 at Black Hat or book a meeting with our team on site.