Demonstration workflow shows how organizations can use open source tools Syft, Grype, and Sigstore to share accurate data about the contents and security status of software 

Santa Barbara, Calif - September 20, 2021 - Anchore, a leader in software supply chain security, today introduced a demonstration workflow that shows how software producers can create, sign, and share accurate software bill-of-material (SBOM) and security reports to help further the security of software supply chains. As the United States government implements the Executive Order on Improving the Nation’s Cybersecurity, federal agencies expect to require SBOMs from their software vendors. Commercial enterprises can also benefit from verifiable documents that attest to the contents and security status of the software they use.

The demonstration workflow leverages open source tools Syft, Grype, and Sigstore’s Cosign to create and share signed attestations about the security of software applications delivered in containers.

The workflow details how software producers can: 

  • Use Sigstore’s Cosign to sign a software container image
  • Use Syft to produce a comprehensive SBOM that details the contents of the container image and then use Sigstore to create a signed attestation for its validity
  • Use Grype to produce a vulnerability report for a container image and then use Sigstore to create a signed attestation for its validity
  • Deliver the signed container image, SBOM and vulnerability report to their software customer or user

Software users can then verify the software container image, SBOM, and vulnerability report for an accurate picture of both the contents and security status of the software they are using.

The demonstration workflow was developed in partnership with Sigstore and builds off the complementary capabilities of open source tools, Syft, Grype, and Sigstore’s Cosign. A detailed blog on how to implement this demonstration workflow is available here and sample code and documentation is available here

Why Software Supply Chain Security is Important

The need for a secure software supply chain increases in priority and urgency each day due to continued and persistent cyberattacks. The widespread use of DevOps processes to speed cloud-native software development has led to a concurrent rise in the use of software containers. An Anchore survey of 400+ large enterprises showed that 65% of respondents have a significant number of applications running in containers. 

Containers make it easy to package software during development, but can bring in multiple open source software (OSS) dependencies as applications move through the DevOps pipeline, creating new security requirements. As a result, 63% of survey respondents plan to increase container use and 60% report improving supply chain security as a top initiative.

Anchore and Sigstore Cosign engineers are working in tandem to educate the open source community and raise industry awareness of software supply chain security and available tools to proactively secure the development pipeline. More information about SBOMs and the importance of container attestation for SBOM signing is available in this blog post.

About Anchore

Anchore is a leader in software supply chain security and enables organizations to protect cloud-native applications against software supply chain attacks. Anchore technology embeds continuous security and compliance checks at every stage of the software development process to prevent security risks from reaching production. Large enterprises and government agencies use Anchore solutions to generate a comprehensive software bill of materials, pinpoint vulnerabilities, identify malware and discover unprotected credentials that can lead to hacks and ransomware. With an API-centric approach, Anchore solutions integrate into the tools developers already use to detect issues earlier, saving time and lowering the cost to fix vulnerabilities. To learn more visit anchore.com