Software Delivery Shield overview


Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution. It provides a comprehensive and modular set of capabilities and tools across Google Cloud services that developers, DevOps, and security teams can use to improve the security posture of the software supply chain.

Software Delivery Shield consists of:

  • Google Cloud products and features that incorporate security best practices for development, build, test, scan, deployment, and policy enforcement.
  • Dashboards in the Google Cloud console that surface security information about source, builds, artifacts, deployments, and runtime. This information includes vulnerabilities in build artifacts, build provenance, and the Software Bill of Materials (SBOM) dependency list.
  • Information identifying the maturity level of your software supply chain security, using the Supply-chain Levels for Software Artifacts (SLSA) framework.

Components of Software Delivery Shield

The following diagram illustrates how the different services within Software Delivery Shield work together to protect your software supply chain:

A diagram that shows the components of Software Delivery Shield

The following sections explain the products and features that are part of the Software Delivery Shield solution:

Components that help secure development

The following components of Software Delivery Shield help protect software source code:

  • Cloud Workstations (Preview)

    Cloud Workstations provides fully-managed development environments on Google Cloud. It enables IT and security administrators to easily provision, scale, manage and secure their development environments and allows developers to access development environments with consistent configurations and customizable tooling.

    Cloud Workstations helps with shifting security left by enhancing the security posture of your application development environments. It has security features such as VPC Service Controls, private ingress or egress, forced image updates, and Identity and Access Management (IAM) access policies. For more information, see the Cloud Workstations documentation.

  • Cloud Code source protect (Preview)

    Cloud Code provides IDE support to create, deploy and integrate applications with Google Cloud. It enables developers to create and customize a new application from sample templates and run the finished application. Cloud Code source protect gives developers real-time security feedback, such as identification of vulnerable dependencies and license reporting, as they work in their IDEs. It provides quick and actionable feedback that allows developers to make corrections to their code at the beginning of the software development process.

    Feature availability: Cloud Code source protect is not available for public access. To get access to this feature, see the access request page.

Components that help secure the software supply

Securing the software supply, that is, build artifacts and application dependencies, is a critical step in improving software supply chain security. The pervasive use of open source software makes this problem particularly challenging.

The following components of Software Delivery Shield help protect build artifacts and application dependencies:

  • Assured OSS (Preview)

    The Assured OSS service lets you access and incorporate OSS packages that have been verified and tested by Google. It provides more than 250 packages across Java and Python. These packages are built using Google's secure pipelines and are regularly scanned, analyzed, and tested for vulnerabilities. For more information, see the Assured Open Source Software documentation.

  • Artifact Registry and Container Analysis

    Artifact Registry lets you store, secure, and manage your build artifacts, and Container Analysis proactively detects vulnerabilities in artifacts stored in Artifact Registry. Together they provide the following features to improve the security posture of your software supply chain:

    • Container Analysis provides integrated on-demand or automated scanning for base container images, for Maven and Go packages in containers, and for non-containerized Maven packages.
    • Container Analysis provides standalone scanning (Preview) that identifies existing and newly disclosed vulnerabilities in the open source dependencies used by your Maven artifacts. The scan takes place each time you push a Java project to Artifact Registry. After the initial scan, Container Analysis continuously monitors the metadata of scanned images in Artifact Registry for new vulnerabilities.
      • Feature availability: This feature is not available for public access. To get access to this feature, see the access request page.
    • Artifact Registry supports remote repositories (Preview) and virtual repositories (Preview) for Java packages. A remote repository acts as a caching proxy for dependencies from Maven Central, which reduces download time, improves package availability, and includes vulnerability scanning if scanning is enabled. A virtual repository consolidates repositories of the same format behind a single endpoint and lets you control the search order across its upstream repositories. You can give your private packages priority, which reduces the risk of dependency confusion attacks.
      • Feature availability: These features are not available for public access. To get access to these features, see the access request page.
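The search-order control described above is easiest to understand with a small simulation. The following Go program is an added example, not Artifact Registry code: the repository names (internal-maven, maven-central-remote), the artifact coordinates and versions, and the upstream policy structure are all constructed for the illustration, and the resolver implements only the rule the text describes, namely that the highest-priority upstream holding the artifact serves it. It also includes the check a reviewer would run before enabling a virtual repository: every private upstream must outrank the public proxy, otherwise an internal artifact name can be served from the public side.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// upstream is one entry of a virtual repository's upstream policy: the
// repository it points at, whether it is private, its priority, and (for
// this simulation) the artifact versions that repository can serve.
type upstream struct {
	id       string
	private  bool
	priority int
	packages map[string][]string // coordinates -> versions, newest last
}

// resolution records which upstream answered a request and with which version.
type resolution struct {
	upstream string
	version  string
}

// resolve consults upstreams from highest to lowest priority and serves the
// artifact from the first repository that carries it, mirroring the search
// order rule for virtual repositories: a lower-priority upstream is never
// asked once a higher-priority one has answered.
func resolve(policy []upstream, coords string) (resolution, bool) {
	ordered := append([]upstream(nil), policy...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return ordered[i].priority > ordered[j].priority
	})
	for _, u := range ordered {
		if versions, ok := u.packages[coords]; ok && len(versions) > 0 {
			return resolution{upstream: u.id, version: versions[len(versions)-1]}, true
		}
	}
	return resolution{}, false
}

// privateOutranksPublic is the review check to run on an upstream policy:
// every private upstream must carry a strictly higher priority than every
// public one, otherwise an internal name can be served from the public proxy.
func privateOutranksPublic(policy []upstream) bool {
	lowestPrivate, highestPublic := math.MaxInt, -1
	for _, u := range policy {
		if u.private && u.priority < lowestPrivate {
			lowestPrivate = u.priority
		}
		if !u.private && u.priority > highestPublic {
			highestPublic = u.priority
		}
	}
	return lowestPrivate > highestPublic
}

// Constructed inventory: an internal artifact in the private repository and a
// same-named artifact with an inflated version on the public proxy, which is
// the situation dependency confusion relies on.
var (
	privateRepo = map[string][]string{
		"com.example:internal-lib": {"1.1.0", "1.2.0"},
	}
	publicProxy = map[string][]string{
		"com.example:internal-lib":         {"99.0.0"},
		"org.apache.commons:commons-lang3": {"3.12.0"},
	}
)

// weakPolicy ranks the public proxy above the private repository.
func weakPolicy() []upstream {
	return []upstream{
		{id: "maven-central-remote", private: false, priority: 100, packages: publicProxy},
		{id: "internal-maven", private: true, priority: 50, packages: privateRepo},
	}
}

// hardenedPolicy ranks the private repository first, as the text recommends.
func hardenedPolicy() []upstream {
	return []upstream{
		{id: "internal-maven", private: true, priority: 100, packages: privateRepo},
		{id: "maven-central-remote", private: false, priority: 50, packages: publicProxy},
	}
}

func main() {
	policies := []struct {
		name   string
		policy []upstream
	}{{"weak", weakPolicy()}, {"hardened", hardenedPolicy()}}
	for _, p := range policies {
		fmt.Printf("%s policy, private outranks public: %v\n", p.name, privateOutranksPublic(p.policy))
		for _, c := range []string{"com.example:internal-lib", "org.apache.commons:commons-lang3"} {
			r, _ := resolve(p.policy, c)
			fmt.Printf("  %-34s -> %s %s\n", c, r.upstream, r.version)
		}
	}
}
```

With the weak policy the internal artifact resolves to the public proxy's 99.0.0, while the hardened policy serves 1.2.0 from internal-maven and still fetches genuinely public dependencies such as commons-lang3 from the proxy; the ordering check flags the weak policy before it is deployed.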

Components that help protect the CI/CD pipeline

Bad actors can attack software supply chains by compromising CI/CD pipelines. The following components of Software Delivery Shield help protect the CI/CD pipeline:

  • Cloud Build

    Cloud Build executes your builds on Google Cloud infrastructure. It offers security features such as granular IAM permissions, VPC Service Controls, and isolated, ephemeral build environments. Additionally, it provides the following features to improve the security posture of your software supply chain:

    • It supports SLSA Level 3 builds for container images.
    • It generates authenticated and non-falsifiable build provenance for containerized applications.
    • It displays security insights for built applications (Preview). This includes:
      • The SLSA build level, which identifies the maturity level of your software build process according to the SLSA specification.
      • Vulnerabilities in build artifacts.
      • Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.

    For instructions on viewing security insights for built applications, see Build an application and view security insights.

  • Google Cloud Deploy

    Google Cloud Deploy automates delivery of your applications to a series of target environments in a defined sequence. It supports continuous delivery directly to Google Kubernetes Engine, Anthos, and Cloud Run, with one-click approvals and rollbacks, enterprise security and audit, as well as built-in delivery metrics.

Components that help protect applications in production

GKE and Cloud Run help secure your runtime environments. Both come with security features that protect your applications at runtime.

  • GKE

    GKE can assess your container security posture and give active guidance on cluster settings, workload configuration, and vulnerabilities. It includes the security posture dashboard (Preview), which scans your GKE clusters and workloads to provide opinionated, actionable recommendations for improving your security posture. For instructions on viewing security insights in the GKE security posture dashboard, see Deploy on GKE and view security insights.

  • Cloud Run

    Cloud Run includes a security panel (Preview) that displays software supply chain security insights such as SLSA build level compliance information, build provenance, and vulnerabilities found in running services. For instructions on viewing security insights in the Cloud Run security insights panel, see Deploy on Cloud Run and view security insights.

Build a chain of trust through policy

Binary Authorization helps establish, maintain, and verify a chain of trust along your software supply chain by collecting attestations, which are digital documents that certify images. An attestation signifies that the associated image was built by successfully executing a specific, required process. Based on the attestations collected, Binary Authorization helps define, verify, and enforce trust-based policies. It makes sure an image is deployed only when its attestations meet your organization's policy, and it can also be set to alert you if any policy violations are found. For example, attestations can indicate that an image is:

You can use Binary Authorization with GKE and Cloud Run.
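To make the attestation check concrete, here is an added Go example; it is not Binary Authorization's own code. It models an attestor as an Ed25519 signing key, produces a signed payload in the shape of the Binary Authorization container signature payload (the critical block naming the image digest), and implements an admission decision that requires, from every attestor named in the policy, a valid attestation bound to the exact digest being deployed. The attestor names, image reference and digests are constructed for the illustration; the real service verifies attestations against the public keys registered on each attestor and applies the policy at deploy time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// payload follows the shape of a Binary Authorization container signature
// payload: the "critical" block binds the statement to one image digest.
type payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// attestation is a signed payload plus the ID of the attestor that signed it.
type attestation struct {
	AttestorID string
	Payload    []byte
	Signature  []byte
}

// attestor stands in for a Binary Authorization attestor: an ID and a key pair.
type attestor struct {
	id   string
	pub  ed25519.PublicKey // the only part that is registered in the policy
	priv ed25519.PrivateKey
}

func newAttestor(id string) attestor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no randomness source: stop rather than sign with a bad key
	}
	return attestor{id: id, pub: pub, priv: priv}
}

// attest certifies that the image at ref with this digest passed the attestor's process.
func (a attestor) attest(ref, digest string) attestation {
	var p payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "Google cloud binauthz container signature"
	b, _ := json.Marshal(p) // a struct of plain strings always marshals
	return attestation{AttestorID: a.id, Payload: b, Signature: ed25519.Sign(a.priv, b)}
}

// policy maps each required attestor ID to the public key its attestations must verify under.
type policy map[string]ed25519.PublicKey

// admit decides whether digest may be deployed and lists every failed check: each required
// attestor must have signed a payload, under its registered key, that names exactly this digest.
func (pol policy) admit(digest string, atts []attestation) (bool, []string) {
	var reasons []string
	satisfied := map[string]bool{}
	for _, at := range atts {
		pub, ok := pol[at.AttestorID]
		if !ok {
			reasons = append(reasons, "attestor not in policy: "+at.AttestorID)
			continue
		}
		if !ed25519.Verify(pub, at.Payload, at.Signature) {
			reasons = append(reasons, "signature does not verify: "+at.AttestorID)
			continue
		}
		var p payload
		if err := json.Unmarshal(at.Payload, &p); err != nil || p.Critical.Image.DockerManifestDigest != digest {
			reasons = append(reasons, "payload not bound to this digest: "+at.AttestorID)
			continue
		}
		satisfied[at.AttestorID] = true
	}
	if len(satisfied) < len(pol) {
		reasons = append(reasons, "not every required attestor has attested")
	}
	return len(reasons) == 0, reasons
}

func main() {
	const ref = "us-docker.pkg.dev/example-project/app/web" // constructed reference and digests
	const built = "sha256:1111111111111111111111111111111111111111111111111111111111111111"
	const other = "sha256:2222222222222222222222222222222222222222222222222222222222222222"
	builder := newAttestor("build-verified")
	pol := policy{builder.id: builder.pub}
	att := builder.attest(ref, built)
	for _, digest := range []string{built, other} {
		ok, reasons := pol.admit(digest, []attestation{att})
		fmt.Printf("deploy %s: admitted=%v %v\n", digest[:16], ok, reasons)
	}
}
```

The decision is deliberately digest-based rather than tag-based: an attestation for one digest says nothing about a different image pushed later under the same reference, so the second deploy in main is refused even though the signature itself is valid.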

Pricing

The following list points to the pricing information for the services in the Software Delivery Shield solution:

What's next