Announcing the First Images Designed for a Secure Software Supply Chain

We started Chainguard eight short months ago with a simple mission: to make the software supply chain secure by default. While we’d love for it to be otherwise, software supply chains (and supply chain attacks) are far too complex for a single solution to fully protect an organization. Instead, we need holistic changes at every stage of the application lifecycle.

That’s why we’re building a suite of products with the goal of simplifying security for all developers. Our aim is to improve your development experience while securing your software supply chains.

Just over a month ago, we announced the beta for our first product: Chainguard Enforce. Organizations are already using it to gain visibility into, and apply policy on, the way code makes its way into production environments. Today, I’m excited to announce our second product: Chainguard Images.

Chainguard Images are the first container base images designed for a secure software supply chain. Chainguard Images are continuously updated base container images that aim for zero-known vulnerabilities.

Painless Vulnerability Management

We’ve heard time and time again that managing vulnerability information in containers is challenging, time-consuming, and error-prone. So we do the hard work and provide a manually curated vulnerability feed. Additionally, we offer SLAs for our images, guaranteeing that we will provide patches or mitigations for new vulnerabilities. No more having to constantly monitor security disclosures and choosing between running known-vulnerable software or manually patching images.

Trusted Supply Chain

Providing verifiable provenance is central to Chainguard Images. All our images are signed and include a Software Bill of Materials (SBOM). Signatures and provenance can be traced and verified using the Sigstore project, which stores signing information in a public Rekor transparency log.

Easy Compliance

We provide FIPS compliant variants of our images for organizations working in government or regulated industries, with FIPS validation coming soon. Our images are designed to help organizations achieve high SLSA (Supply-chain Levels for Software Artifacts) ratings. As part of this, our images aim for full reproducibility; any given image can be bitwise recreated from the source.

“We are excited about the prospect of an actively curated base container image distro that has the potential to allow HPE to to further enhance software supply chain integrity for our customers” — Tim Pletcher, Research Engineer, Office of the Security CTO, HPE

Built on Open Source and Standards

Chainguard Images are built using our open source projects apko and melange. These tools leverage the apk ecosystem to provide declarative, reproducible builds with full SBOMs. The resultant images are as minimally complex as possible to reduce potential issues and attack surface. We support the industry standard OSV schema for vulnerability information.

All of our commercial Chainguard Images are based on Chainguard’s open source distroless image project, available at github.com/distroless. While these images do not come with the same SLAs and guarantees, they are also continually updated and as minimal as possible. Distroless images are a fantastic choice for open source projects and organizations that do not require the support and guarantees provided by our commercial images.

One Last Thing!

Software is a complex beast, and supply chains are even more complex by definition! Attacks have risen over the last decade, and the US Executive Order and NIST Frameworks are placing a large amount of pressure on the industry to improve. While some changes can and must happen quickly, we’re here for the long haul at Chainguard. So today, we’re also proud to announce that we’ve raised a $50m Series A financing round that will allow us to continue to grow our team to solve some of the hardest problems in software development.

The round was led by Sequoia Capital with participation from Amplify Partners, Chainsmoker’s Mantis VC, K5/JPMC, Banana Capital, and LiveOak Venture Partners, as well as an incredible roster of angel investors (see image below). We can’t possibly have a better team or group of investors.

Chainguard's Series A Investors

We’re planning to use this funding to accelerate our product development, double down on our investment upstream in Sigstore, SLSA, and the OpenSSF, and launch a new developer education program focused on teaching developers how to improve the supply chain security of open source and internal codebases.

These supply chains aren’t going to secure themselves, but we’re hard at work helping. Please reach out if you’re interested in Chainguard Services, the beta program for Chainguard Enforce, or would like to try out Chainguard Images!

Show Comments