Chainguard Raises $50M in Series A to Make Software Supply Chain Secure by Default, Introduces Secure Container Base Images

Sequoia Capital leads round with participation from Amplify, Chainsmokers’ Mantis VC, LiveOak Ventures, Banana Capital, K5/JPMC  and other leading angels to support founding team of security engineers from Google

Kirkland, Washington, June 2, 2022 - Chainguard, the leader in securing the software supply chain by default, today announced it has raised $50 million in its Series A funding round led by Sequoia Capital with participation from Amplify, the Chainsmokers' Mantis VC, LiveOak Venture Partners, Banana Capital, K5/JPMC and CISOs from Square (Block), among others. The company today is also announcing Chainguard Images, the first container base images designed for a secure software supply chain that are continuously updated to achieve zero-known vulnerabilities.

"High profile software supply chain attacks like Log4j have flashed a spotlight on the need to establish a foundation of trust in the software that companies put in production," said Bogomil Balkansky, partner at Sequoia Capital. "Chainguard gives companies confidence in the critical open source software they deploy by providing a low-friction, developer-friendly way of signing and verifying software artifacts so they have a trail to trace if a breach does occur. The Chainguard team are the thought leaders in this space, and it is the right team at the right time in history to tackle this problem."

For decades, security was focused on firewalls and perimeter security – who gets inside software systems. With the increasingly distributed nature of software development, security concerns today are focused on the software supply chain, where attacks are on the rise across every stage of the development lifecycle and account for $100 billion in damages from the Solarwinds attack alone. Developers must consider the security of their code, build systems, artifacts and everything from binaries to container images and the language packages they’re using.

Chainguard's vision is a supply chain where every artifact can be verifiably traced back to the source code and hardware it was built on and by whom. The company is making sense of the chaotic security solutions space by seamlessly integrating security into the software development lifecycle. It’s a holistic, end-to-end solution from development to production to policy management. The Chainguard founding team includes open source industry veterans Dan Lorenc, Kim Lewandowski, Matt Moore, Scott Nichol and Ville Aikas. The team worked together at Google on many of the world’s foundational container projects, including: Minikube, Distroless, Skaffold, Knative, Tekton, Kaniko, ko, and Chainguard’s products are rooted in open standards and critical open source projects its founders helped create, including Sigstore, the SLSA framework, and apko.

“Security engineers are used to reasoning with roots of trust by using two-factor authentication and identification systems and establishing trust with hardware by using encryption keys. But we don't have that for source code and software artifacts today," said Dan Lorenc, co-founder and CEO at Chainguard. “Our vision is to connect these roots of trust throughout the development lifecycle and across the software supply chain and give developers and CISOs alike confidence in the code they’re running in production and the integrity of their systems.”

With this round of funding, Chainguard will be able to strategize and execute on its mission of securing the software supply chain through an expanded suite of products to serve developers and technical leaders, which includes today’s introduction of Chainguard Images.

Chainguard Images Introduced Today

Base images in software development are the foundation on which most container-based workflows are built and maintained — so their security is critically important. These images are among the first points along the software supply chain and today are inconsistently updated, leading to enormous sprawl of images and vulnerabilities in dependencies. Some organizations curate base images for their teams to use, but this still requires keeping the images up to date and vulnerability-free. Chainguard Images solves these problems by providing organizations with a secure set of base images that are fully signed with Sigstore and continuously updated with Service Level Agreements (SLAs), Software Bill of Materials (SBOMs) and Certifications (FIPS, SLSA). Chainguard Images complements the recent announcement of Chainguard Enforce, which addresses additional points along the supply chain and includes policy management, compliance automation and production insights.

Customer Comments

“We are excited about the prospect of an actively curated base container image distro that has the potential to allow HPE to further enhance software supply chain integrity for our customers,” said Tim Pletcher, research engineer, Office of the Security CTO, HPE.

"We are partnering with Chainguard to substantially increase our ability to build a secure foundation for supply chain security. Chainguard is working with us to understand our base image use cases to proactively protect the many supply chains we secure," said Emmanuel Odeke, founder and CEO at Orijtech.

Additional Comments from Angel Investors

“What I appreciate about Chainguard is its pragmatic approach to software supply chain security. They aren’t full of big promises; instead, they bring interesting, innovative and thoughtful solutions to a pan-industry problem that will only be solved by the best and the brightest. Chainguard has all of it,” said Jim Higgins, CISO at Square and Chainguard angel investor.

“The attack surface of modern applications has expanded hugely, leading to significant risk at each link in the build and release chain. Chainguard will enable developers to exert control and enforce policy, reducing the risk of injection of malicious submits, commits, artifacts, or dependencies,” said Tom Killalea, Chair of MongoDB and former VP of Technology and CISO at Amazon.

“Chainguard is baking in security instead of bolting it on, which is a key differentiation to the approach of other vendors in this space that are tackling a small piece of the supply chain and not the entire thing. Chainguard is addressing every critical point in the software supply chain,” said Milan Koch, Partner, Chainsmokers’ Mantis VC. “And they really have the best and brightest minds in the industry dedicated to solving this problem. We are thrilled to be a part of the team and this story.”

For more information or to see a demo of Chainguard Images, or the recently announced Chainguard Enforce, reach out.

About Chainguard

Chainguard is the leader in securing the software supply chain by default. It is founded by five of the industry's leading experts on open source software, security and cloud native development and is backed by Sequoia, Amplify, the Chainsmokers and more. Its product portfolio already includes Chainguard Enforce, Chainguard Images and Professional Services. Customers range from Fortune 500 companies in banking, fintech, government and infrastructure to startups and SMBs. For more information, please visit: https://www.chainguard.dev/

Media Contact
Ray George
ray@storychangesculture.com
650-922-3825

Show Comments