Software Supply Chain Security

VERIFY IMAGES AND ATTESTATIONS

Block Unauthorized Images

Software supply chain attacks have increased sharply in recent years. It is therefore essential to ensure that the images deployed in a cluster come from a trusted source, have not been tampered with, and are free of known vulnerabilities. Securing images takes a layered approach that addresses three key areas:

  • Verifying image signatures: rejecting images that are unsigned, or signed by a key or identity the policy does not trust, gives you integrity (the image digest has not changed since it was signed) and provenance (you know who signed it).
  • Verifying attestations: attestations are signed statements about an image, such as a vulnerability scan report or an SBOM, that a policy can check before the image is deployed. A valid signature alone is not enough: the attestation must also name the exact image digest being deployed, and its contents (for example, the number of critical findings) must satisfy the policy.
  • Enforcing best practices: beyond signatures and attestations, policies can also audit for stale images and limit image layers and sizes, to keep production environments clean.
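The attestation check in the second bullet is where most of the subtlety sits, so here is a worked example of what a policy engine does with one at admission time. This is an added illustration written for this page, not Nirmata's code and not a Nirmata or Kyverno API: it builds an in-toto Statement, wraps it in a DSSE envelope (the format in which in-toto attestations are signed) with an Ed25519 key, and then makes the admit/reject decision. The payload and statement types are the real in-toto values; the predicate type, the vulnerability-summary predicate body, the key ID, the image name and the image digest are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Real in-toto payload/statement types; VulnPredicateType is constructed for this example.
const (
	InTotoPayloadType = "application/vnd.in-toto+json"
	StatementType     = "https://in-toto.io/Statement/v0.1"
	VulnPredicateType = "https://example.com/attestation/vuln-summary/v1"
)

// Envelope is a DSSE envelope; the signature covers PAE(payloadType, payload), not the payload alone.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64(Statement JSON)
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64(raw signature)
}

// Statement is an in-toto Statement: subjects (what it is about) and a predicate (the claim).
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // {"sha256": "<hex>"}
}

// PAE is the DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func PAE(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// Sign is the producer side (e.g. CI after a scan): a DSSE envelope over the Statement, Ed25519-signed.
func Sign(priv ed25519.PrivateKey, keyID string, stmt Statement) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(InTotoPayloadType, body))
	return Envelope{PayloadType: InTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify is the consumer side (admission time). Order matters: a trusted key must have signed the
// envelope before the body is parsed, the types must match, and a subject must equal the digest
// being admitted, so an attestation for image A cannot be replayed to admit image B.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, imageDigest, wantPredicate string) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != InTotoPayloadType {
		return nil, fmt.Errorf("malformed envelope (payloadType %q)", env.PayloadType)
	}
	msg, verified := PAE(env.PayloadType, body), false
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID] // guard: ed25519.Verify panics on a wrong-length key
		raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (known && decErr == nil && ed25519.Verify(pub, msg, raw))
	}
	if !verified {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return nil, err
	}
	if stmt.Type != StatementType || stmt.PredicateType != wantPredicate {
		return nil, fmt.Errorf("unexpected statement/predicate type %q / %q", stmt.Type, stmt.PredicateType)
	}
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == imageDigest {
			return &stmt, nil
		}
	}
	return nil, fmt.Errorf("attestation subject does not match image digest %s", imageDigest)
}

// AdmitImage is the policy decision: a valid, subject-bound scan attestation with zero critical
// findings admits the image; anything else is rejected with the reason.
func AdmitImage(env Envelope, trusted map[string]ed25519.PublicKey, imageDigest string) error {
	stmt, err := Verify(env, trusted, imageDigest, VulnPredicateType)
	if err != nil {
		return err
	}
	var v struct{ Critical, High int } // shape of the constructed predicate body
	if err := json.Unmarshal(stmt.Predicate, &v); err != nil {
		return err
	}
	if v.Critical > 0 {
		return fmt.Errorf("policy violation: %d critical vulnerabilities", v.Critical)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	digest := "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" // constructed digest
	stmt := Statement{Type: StatementType, PredicateType: VulnPredicateType, Predicate: json.RawMessage(`{"critical":0,"high":2}`),
		Subject: []Subject{{Name: "ghcr.io/example/app", Digest: map[string]string{"sha256": digest}}}}
	env, _ := Sign(priv, "ci-scanner", stmt)
	fmt.Println(AdmitImage(env, map[string]ed25519.PublicKey{"ci-scanner": pub}, digest)) // <nil>: admitted
}
```

The order of checks in Verify is the point: the signature is checked over the PAE, so an attacker cannot swap the payload type or body; the body is only parsed as JSON after that check passes; the subject digest is compared before any policy logic runs, so a clean scan of one image cannot be reused to admit another; and only then is the predicate evaluated. A real engine would fetch the envelope from the registry next to the image, accept more than one digest algorithm, and usually pin a signer identity (for example a keyless Sigstore certificate) instead of a static public key, none of which this example does.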

Business Benefits

Nirmata implements the “last mile” of software supply chain security: verifying image signatures and attestations at deployment time with configurable policy as code. Nirmata supports multiple signing formats, such as Sigstore and Notary. For attestations, Nirmata can verify in-toto format attestations or raw JSON payloads. Nirmata integrates with solutions from AWS, Azure, and Venafi to future-proof your software supply chain security.

With Nirmata you can:

  • Integrate with an existing image signing platform such as Cosign, Notary, Venafi, or AWS Signer.
  • Verify image attestations, including signed metadata such as SBOMs, scan reports, provenance data, and scorecards.
  • Verify OCI image manifest and config data such as layers and build time.
  • Enforce that images are built from trusted sources and pulled from trusted repositories.
  • Simplify the deployment and management of security policies, making it more manageable and efficient to secure Kubernetes container images.
