DevOps & SRE

Introducing Voucher, a service to help secure the container supply chain

GCP Open Source

Kubernetes helps developers build modern software that scales, but to do so securely, they also need a software supply chain with strong governance. From managed secure base imagesContainer Registry vulnerability scanning to Binary Authorization, Google Cloud helps secure that pipeline, giving you the support and flexibility you need to build great software without being locked into a particular provider.

Today, we are excited to announce a great open-source addition to the secure software supply chain tool box: Voucher. Developed by the Software Supply Chain Security team at Shopify to work with Google Cloud tools, Voucher evaluates container images created by  CI/CD pipelines and signs those images if they meet certain predefined security criteria. Binary Authorization then validates these signatures at deploy time, ensuring that only explicitly authorized code that meets your organizational policy and compliance requirements can be deployed to production.

Voucher is open source from the get-go, following the Grafeas specification. The signatures it generates, or ‘attestations,’ can be enforced by either Binary Authorization or the open-source Kritis admission controller. Out of the box, Voucher lets infrastructure engineers use Binary Authorization policies to enforce security requirements, such as provenance (e.g., a signature that is only added when images are built from a secure source branch) and block vulnerable images (e.g., require a signature that is only applied to images that don’t have any known vulnerabilities above the ‘medium’ level). And because it’s open source, you can also easily extend Voucher to support additional security and compliance checks or integrate it with your CI/CD tool of choice. 

“At Shopify, we ship more than 8,000 builds a day and maintain a registry with over 330,000 container images. We designed Voucher in collaboration with the Google Cloud team to give us a comprehensive way to validate the containers we ship to production,” said Cat Jones, Senior Infrastructure Security Engineer at Shopify. “Voucher, along with the vulnerability scanning functionality from Google’s Container Registry and Binary Authorization, provides us a way to secure our production systems using layered security policies, with a minimum impact to our unprecedented development velocity. We are donating Voucher to the Grafeas open-source project so more organizations can better protect their software supply chains. Together, Voucher, Grafeas and Kritis help infrastructure teams achieve better security while letting developers focus on their code.”

How Voucher simplifies a secure supply chain setup

In the past, if you wanted to gate deployments based on build or vulnerability findings, you needed to write, host and run your own evaluation logic (step 2a and 3a), as shown in the following process:

How Voucher simplifies a secure supply chain setup.jpg
  1. Code is pushed to a repository

  2. A continuous integration (CI) pipeline tool, such as Cloud Build, builds and tests the container.

    1. Write custom code to sign images based on their build provenance (e.g. only sign images built from the production branch)

  3. The newly built container image is checked into Google Container Registry and undergoes vulnerability scanning.

    1. Write custom code to sign images based on vulnerability findings

  4. BinAuthz verifies the image signatures as part of being deployed to GKE. 

To avoid privilege escalation, the signing steps should be hosted outside of the CI/CD pipeline (developers who can execute arbitrary code in a build step cannot gain access to the signing key or alter the signing logic). This puts a significant burden on DevOps teams to create and set up these kinds of signing tools. Voucher, however, automates a large portion of this setup -- it comes  with a pre-supplied set of security checks, and all you have to do is specify your signing policies in Binary Authorization. Once started, it automates the attestation generation as shown below:

How Voucher simplifies a secure supply chain setup 2.jpg

Try it out!

We’re honored that Shopify used Google Cloud tools to power Voucher, and we’re excited that they’ve decided to share it with developers at large. If you want  to try Voucher, you can find it on GitHub, or a click-to-deploy version on Google Cloud Marketplace. We’ve also created a step-by-step tutorial to help you launch Voucher on Google Cloud with Binary Authorization.