Zero-CVE Chainguard Images gain customization option
Chainguard opens its container image builder factory to let users mix and match hardened container components while preserving a zero-vulnerability SLA.
As supply chain attacks on enterprises continue, a purveyor of hardened container images wants to make it easier for IT organizations to customize their deployments while maintaining a zero-vulnerability pledge.
Chainguard Inc. this week added a beta-stage SaaS service called Custom Assembly for its Chainguard Images. These are a set of Linux container images that strip out most standard software packages, and with them a majority of known security vulnerabilities. While growing interest in Chainguard Images made them a focal point for the vendor over the last year, users were also asking for more flexibility to add some standard software packages back in or to mix components from different standard Chainguard Images together, according to Julian Dunn, senior director of product management at Chainguard.
Chainguard Images come in a limited set of standard configurations separated by programming language, such as Java, Python or Go, but Dunn said there have been cases where customers want to put Python libraries into a Go image or want to combine two of the images to conform to an application's specific requirements.
"We would do this as a one-off for folks," he said. "[But] at a certain point, we saw enough demand from our customers that instead of trying to address these [individually], we believe that there's enough energy here among the customer base that we should make this a service and let customers compose these things on their own."
Chainguard weighs security and flexibility
Chainguard Images will still be distributed in the same way -- downloaded to a customer's mirror of an artifact repository for deployment through internal software delivery systems. The new Custom Assembly service deliberately stops short of acting as a full-fledged container build pipeline, Dunn said.
"We're not getting into the [continuous delivery] space. We're not letting people upload their own content," Dunn said. "This is [a] customization of the stock images that Chainguard provides."
The company made that choice to uphold its service-level agreement (SLA) for Chainguard Images, Dunn said. Under this agreement, Chainguard pledges to make "commercially reasonable efforts" to patch critical upstream vulnerabilities in its images within seven days of a qualifying patch being made available, and to patch high-, medium- and low-severity vulnerabilities within 14 days. Failure to meet these terms would come with a monetary payout to customers, Dunn said.
Chainguard can meet this SLA because of its proprietary back-end automation, which rapidly rebuilds images in response to new upstream vulnerabilities, while providing consistent attestation as to their provenance and an up-to-date software bill of materials about what packages they contain.
Customers can further customize container images within their own software delivery pipelines, Dunn said, but Custom Assembly offers a middle ground that's easier to consume than re-creating all that container build automation, attestation, digital signing and provenance information.
Chainguard is considering ways to make its Images more flexible and easier to adopt, including expanding beyond containers, Dunn said.
"There are lots of other preferences for how people want to get their containers, [with different] environment variables, or 'We want to change the file system,' these sorts of things," Dunn said. "These are all things that we're looking into as we evolve Custom Assembly."
Software supply chain security requires a multi-faceted approach, according to Enterprise Strategy Group.
Supply chain security falters amid shifting IT trends
Ease of consumption will be necessary to broaden the adoption of hardened container images or any other software supply chain security practices, said Katie Norton, an analyst at IDC. While securing software supply chains was a hot topic following the SolarWinds attack and Log4Shell vulnerability in 2021, interest in it has begun to fade as other trends such as generative AI steal the enterprise IT limelight.
In a November 2024 IDC DevSecOps survey, just 17% of 350 responding organizations indicated they were using a hardened image as a software supply chain security measure, Norton said.
"However, for context, of all the software supply chain security practices we listed, the highest only had 32% adoption," she said. "We also see low adoption of practices like digitally signing binaries or containers (26%) and generating provenance metadata (21%), as well as sub-25% adoption of secure build system practices like reproducible and hermetic builds, all of which are practices and tooling organizations would need to put in place internally to be able to produce their own images with all the software supply chain assurances Chainguard provides."
Given the difficulty of putting those practices together on their own, "Custom Assembly sounds like … a win for customers that balances flexibility and security," Norton said.
Ultimately, software supply chain security must be a comprehensive practice, according to market research from Enterprise Strategy Group, now part of Omdia. In a May 2024 survey of 368 IT, cybersecurity and application development professionals in North America, 91% reported experiencing software supply chain attacks in the previous 12 months. While 40% of those were attributed to the kind of known vulnerabilities Chainguard Images remove, 41% came from unknown, or zero-day, vulnerabilities in third-party code. With multiple responses accepted on this survey question, 40% of respondents also cited cloud services misconfigurations.
Responding to such complex threats requires a multi-faceted approach, according to an August 2024 Enterprise Strategy Group Research Brief -- but implementing it is easier said than done.
"Organizations are experiencing a range of incidents that necessitate the use of multiple security tools, which teams are slow to properly adopt," the Enterprise Strategy Group report reads. "Further, the variety of actions needed to mitigate risk, starting early in the development process through when the applications are running, along with the complexity of responding to threats and attacks, make it difficult to secure the software supply chain."
Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.