Anchore Demonstrates How to Further Software Supply Chain Security with Signed SBOMs and Security Reports

Demonstration workflow shows how organizations can use open source tools Syft, Grype, and Sigstore to share accurate data about the contents and security status of software

Anchore, a leader in software supply chain security, introduced a demonstration workflow that shows how software producers can create, sign, and share accurate software bill-of-material (SBOM) and security reports to help further the security of software supply chains. As the United States government implements the Executive Order on Improving the Nation’s Cybersecurity, federal agencies expect to require SBOMs from their software vendors. Commercial enterprises can also benefit from verifiable documents that attest to the contents and security status of the software they use.

Read More: Anchore Raises $20M Series A To Advance DevSecOps Workflows, Analysis And Security

The demonstration workflow leverages open source tools Syft, Grype, and Sigstore’s Cosign to create and share signed attestations about the security of software applications delivered in containers.

The workflow details how software producers can:

• Use Sigstore’s Cosign to sign a software container image
• Use Syft to produce a comprehensive SBOM that details the contents of the container image and then use Sigstore to create a signed attestation for its validity
• Use Grype to produce a vulnerability report for a container image and then use Sigstore to create a signed attestation for its validity
• Deliver the signed container image, SBOM and vulnerability report to their software customer or user

Software users can then verify the software container image, SBOM, and vulnerability report for an accurate picture of both the contents and security status of the software they are using.

The demonstration workflow was developed in partnership with Sigstore and builds off the complementary capabilities of open source tools, Syft, Grype, and Sigstore’s Cosign. A detailed blog on how to implement this demonstration workflow is available here and sample code and documentation is available here.

Why Software Supply Chain Security is Important
The need for a secure software supply chain increases in priority and urgency each day due to continued and persistent cyberattacks. The widespread use of DevOps processes to speed cloud-native software development has led to a concurrent rise in the use of software containers. An Anchore survey of 400+ large enterprises showed that 65% of respondents have a significant number of applications running in containers.

Containers make it easy to package software during development, but can bring in multiple open source software (OSS) dependencies as applications move through the DevOps pipeline, creating new security requirements. As a result, 63% of survey respondents plan to increase container use and 60% report improving supply chain security as a top initiative.

Read More: Foundational Cloud Services Will Enable The Digital-First Strategies Of The Future Enterprise,…

Anchore and Sigstore Cosign engineers are working in tandem to educate the open source community and raise industry awareness of software supply chain security and available tools to proactively secure the development pipeline. More information about SBOMs and the importance of container attestation for SBOM signing is available in this blog post.