
Chainguard Images Are Now Available for Government of Canada Organizations

Chris Carty, Enterprise Sales Engineer

We’re thrilled to announce that Chainguard has secured a Software Licensing Supply Arrangement (SLSA) listing in partnership with Carahsoft from the Government of Canada (GC) for Chainguard’s zero-CVE, Guarded Container Images. This arrangement gives Canadian government entities an approved vehicle they can use to purchase Chainguard Images. This is a huge deal not only for us at Chainguard, but also for any Canadian government entity that wants to reduce their CVE numbers and free up development time for their engineering teams.


In this blog, we’ll dive into what SLSA is, how Chainguard’s philosophy aligns with the GC’s Cyber Security Strategy, and why Chainguard Images are the right solution for many government entities struggling with CVEs and developer bandwidth.


Canada’s Software Licensing Supply Arrangement (SLSA)


Before we jump in, let’s make one thing clear: This SLSA, and the SLSA we often talk about at Chainguard (Supply-chain Levels for Software Artifacts), are two different things. We won’t be talking about supply-chain levels for software artifacts in this blog, but we have plenty of resources available if you’re interested in learning more about that.


Canada’s Software Licensing Supply Arrangement Method of Supply is a procurement vehicle that allows approved GC client authorities access to perpetual and subscription licensing models on Government of Canada networks, as well as annual Maintenance and Support Services. This does not include Software as a Service solutions. When a piece of software is approved, it gets a listing in the SLSA catalog, which is viewable by Canadian federal government employees. Within the SLSA catalog, Chainguard Images are listed in the 0800 category, making them easy to find and procure.


Chainguard and Government of Canada’s Enterprise Software Cyber Security Strategy


A big part of getting a listing in the SLSA catalog is alignment with the Canadian government’s vision of cybersecurity. Fortunately, Chainguard fits like a glove.


There are several objectives within the GC’s Cyber Security Strategy that Chainguard Images are built to help support. A good example is the objective in Section 2.3.1: articulate cyber security risk and its business impacts meaningfully for effective, action-oriented and accountable decision-making. This objective can be broken down into a few smaller parts:


  • Improve the understanding of GC-wide exposure and strengthen vulnerability management.

  • Implement tools to continuously identify, monitor, and manage the GC’s attack surface, leveraging existing tools where possible.

  • Develop accurate asset inventories and map relationships and dependencies between assets, which will also facilitate patching efforts.

  • Proactively address infrastructure, system, and application vulnerabilities, and the cyber security risks they present.


Chainguard Images are built with these goals in mind. Our images have zero CVEs and reduced attack surfaces, and come with full build-time SBOMs and Sigstore code signatures. Every image is rebuilt and patched nightly in a trusted environment, and includes only the components required to build and run your images. That means these images are minimal, hardened, and come with zero CVEs. Additionally, we provide a best-in-class SLA for CVE remediation, which means that our images not only start at zero CVEs, but stay there continuously.


Customers leveraging Chainguard Images free their engineering teams from the toil of CVE remediation so that they can focus on other high-priority areas of their work, such as building and maintaining effective, working applications for the Canadian people. With Chainguard Images, they achieve peace of mind knowing that no major security vulnerabilities are slipping through the cracks and putting critical infrastructure at risk. They can also trust that any vulnerabilities that do pop up are taken care of in a timely manner, before they are discovered by malicious actors.


Chainguard Container Images: Threat Resistant Foundation for Software Development


Getting Chainguard’s zero-CVE Guarded Container Images approved to help improve performance and security in the SDLC of Canadian government entities is incredibly exciting. Bringing Chainguard’s maintainer-level expertise, proficiency in vulnerability management, and advanced automation pipelines and build infrastructure into the fold will enable these entities to ensure they are keeping critical infrastructure safe and up-to-date. To put it simply, we help engineering teams focus on building and maintaining great products and services, without needing to chase down vulnerabilities.


If you work for the Government of Canada or an associated entity and are interested in Chainguard Images, reach out today. Our team is happy to provide more information on how you can start building with Chainguard Container Images.
