Chainguard, a startup that focuses on securing software supply chains, announced today that it has raised a $50 million Series A funding round led by Sequoia Capital. Amplify, the Chainsmokers' Mantis VC, LiveOak Venture Partners, Banana Capital, K5/JPMC and CISOs from Google and Square, among others, also participated in this round.
In addition to the new funding, the company, which is only 8 months old at this point, also launched its first set of container base images today, which Chainguard promises to have zero known vulnerabilities and which will be continuously updated. These images will be fully signed and will feature a software bill of materials (SBOM).
"Security engineers are used to reasoning with roots of trust by using two-factor authentication and identification systems and establishing trust with hardware by using encryption keys. But we don't have that for source code and software artifacts today," said Dan Lorenc, co-founder and CEO at Chainguard. "Our vision is to connect these roots of trust throughout the development lifecycle and across the software supply chain and give developers and CISOs alike confidence in the code they’re running in production and the integrity of their systems."
In addition to these new base images, Chainguard already offered its Enforce service for containerized workloads. Built on top of the sigstore, the open source tools for cryptographically signing code, verifying those signatures and making all of this data auditable, as well as other open source tools like Knative and other cloud-native services, Enforce allows businesses to enforce their supply chain policies based on the SLSA framework and NIST's Secure Software Development Framework. With this they can, for example, enforce which code can run where and ensure that developers and security teams know what's being used to build software inside a company.
Since few developers want to add more tools to their repertoire (you can only shift so far left, after all), the team aimed to make installing its service as easy as running a single command and also offers support for automation systems like CloudFormation and Terraform.
The fact that Chainguard puts an emphasis on protecting cloud-native technologies is no surprise. Among its co-founders are Ville Aikas, Kim Lewandowski, Matt Moore (CTO) and Scott Nichol, who were all previously at Google and heavily involved in the open source community.
I met with Aikas, who was part of the early Kubernetes team at Google and the tech lead for Knative Eventing, at the KubeCon/CloudNativeCon event in Spain last month. He noted that Enforce is very much the first piece of the puzzle for Chainguard.
"Enforce comes with the mindset that we understand that the chain is long and we are going to start tackling it, not with the mindset of 'oh yeah, cool, here's the 'secure-my-shit flag.' We don't build snake oil. The idea is that we build a solid technology platform that we can then use and come in and add features and start plugging holes in different chains. Enforce is the first piece of this and the second is the images."
He also noted that Chainguard's overall mission is to improve the developer experience — all while securing software supply chains.
Unsurprisingly, the company plans to use the new funding to accelerate its product development. But in addition to that, Chainguard also plans to invest heavily in open source projects like Sigstore, SLSA and OpenSSF, as well as a new developer education program that focuses on supply chain security.
"High profile software supply chain attacks like Log4j have flashed a spotlight on the need to establish a foundation of trust in the software that companies put in production," said Bogomil Balkansky, partner at Sequoia Capital. "Chainguard gives companies confidence in the critical open source software they deploy by providing a low-friction, developer-friendly way of signing and verifying software artifacts so they have a trail to trace if a breach does occur. The Chainguard team are the thought leaders in this space, and it is the right team at the right time in history to tackle this problem."