Anchore builds DevSecOps pipeline with Department of Defense.

Building a DevSecOps Platform with the U.S. Air Force

When I arrived at Anchore, I joined an amazing group of engineers working to turn a bunch of slides into a tangible reality for the U.S. Air Force (USAF) and U.S. Department of Defense (DoD).

Our team of engineers at Anchore quickly became immersed in our first engagement with the DoD, working alongside Red Hat North American Public Sector consultants. During our initial onboarding, the DevSecOps Platform and Container Hardening teams faced multiple challenges. We had to build Platform One, a secure platform based 100% on OCI-compliant images running on Kubernetes. To have Platform One running on secure images, we needed to harden and scan 170+ containers from hundreds of different vendors with Anchore. In addition, the USAF needed the image scanning to happen in an automated fashion. The goal was a DevSecOps pipeline that “bakes in” 100% of the DoD’s security and compliance checks before anything gets deployed to Kubernetes.

The Platform One project has broken new ground in many ways, such as insider threat checks on container images via Anchore and the integration of an entire security pipeline specific to container images. In many respects, the capabilities we have helped develop in the Platform One project surpass even those of our enterprise customers.

For most enterprise customers, adopting DevOps and implementing CI/CD lets them push new code continuously so that the latest version of their enterprise software is always available to their customers. For the USAF, the goal isn’t just unparalleled deployment velocity that lets them deploy the latest software to fighter aircraft across the globe. They also need additional layers of security: a zero trust model, monitoring for insider threat within the software supply chain, and integration of strict software security best practices into container images.

This is a huge advancement – not just for the Air Force, but for any service branch within the DoD. Any user can download pre-hardened, OCI-compliant images from Iron Bank, also known as the DoD Centralized Artifact Repository, which stores all of the images secured by the Container Hardening team. DoD users can use these containers to create their own software factories for their respective missions. Consuming Iron Bank images saves a great deal of the time and resources that would otherwise be needed to build a DevSecOps pipeline from scratch. Developers can now focus on developing rather than worrying about the typical STIG, security, and compliance checks. The Platform One team, with help from Anchore and Red Hat, has taken care of them for you.

Read more about the Platform One and container hardening journey that we have taken with our partners at Red Hat in our joint case study.