Software Delivery Shield overview

Software Delivery Shield is a fully managed, end-to-end software supply chain security solution. It provides a comprehensive and modular set of capabilities and tools across Google Cloud products that developers, DevOps, and security teams can use to improve the security posture of the software supply chain.

Software Delivery Shield consists of:

  • Google Cloud products and features that incorporate security best practices for development, build, test, scan, deployment, and policy enforcement.
  • Dashboards in the Google Cloud console that surfaces security information about source, builds, artifacts, deployments, and runtime. This information includes vulnerabilities in build artifacts, build provenance, and Software Bill of Materials (SBOM) dependency list.
  • Information identifying the maturity level of your software supply chain security using the Supply chain Levels for Software Artifacts (SLSA) framework.

Components of Software Delivery Shield

The following diagram illustrates how the different services within Software Delivery Shield work together to protect your software supply chain:

A diagram that shows the components of Software Delivery Shield

The following sections explains the products and features that are part of the Software Delivery Shield solution:

Components that help secure development

The following components of Software Delivery Shield help protect software source code:

  • Cloud Workstations

    Cloud Workstations provides fully managed development environments on Google Cloud. It enables IT and security administrators to provision, scale, manage and secure their development environments and allows developers to access development environments with consistent configurations and customizable tooling.

    Cloud Workstations helps with shifting security left by enhancing the security posture of your application development environments. It has security features such as VPC Service Controls, private ingress or egress, forced image update and Identity and Access Management access policies. For more information, see the Cloud Workstations documentation.

  • Cloud Code source protect (Preview)

    Cloud Code provides IDE support to create, deploy, and integrate applications with Google Cloud. It enables developers to create and customize a new application from sample templates and run the finished application. Cloud Code source protect gives developers real-time security feedback, such as identification of vulnerable dependencies and license reporting, as they work in their IDEs. It provides quick and actionable feedback that allows developers to make corrections to their code at the beginning of the software development process.

    Feature availability: Cloud Code source protect is not available for public access. To get access to this feature, see the access request page.

Components that help secure the software supply

Securing the software supply — build artifacts and application dependencies — is a critical step in improving the software supply chain security. The pervasive use of open source software makes this problem particularly challenging.

The following components of Software Delivery Shield help to protect build artifacts and application dependencies:

  • Assured OSS

    The Assured OSS service lets you access and incorporate the OSS packages that have been verified and tested by Google. It provides Java and Python packages that are built using Google's secure pipelines. These packages are regularly scanned, analyzed, and tested for vulnerabilities. For more information, see the Assured Open Source Software documentation.

  • Artifact Registry and Artifact Analysis

    Artifact Registry lets you store, secure, and manage your build artifacts, and Artifact Analysis proactively detects vulnerabilities for artifacts in Artifact Registry. Artifact Registry provides the following features to improve the security posture of your software supply chain:

Components that help protect the CI/CD pipeline

Bad actors can attack software supply chains by compromising the CI/CD pipelines. The following components of Software Delivery Shield help protecting the CI/CD pipeline:

  • Cloud Build

    Cloud Build executes your builds on Google Cloud infrastructure. It offers security features such as granular IAM permissions, VPC Service Controls, and isolated and ephemeral build environments. Additionally, it provides the following features to improve the security posture of your software supply chain:

    • It supports SLSA Level 3 builds for container images.
    • It generates authenticated and non-falsifiable build provenance for containerized applications.
    • It displays security insights for built applications. This includes:
      • the SLSA build level, which identifies the maturity level of your software build process in accordance with the SLSA specification.
      • Vulnerabilities in build artifacts.
      • Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.

    For instructions on viewing security insights for built applications, see Build an application and view security insights.

  • Cloud Deploy

    Cloud Deploy automates delivery of your applications to a series of target environments in a defined sequence. It supports continuous delivery directly to Google Kubernetes Engine, GKE Enterprise, and Cloud Run, with one-click approvals and rollbacks, enterprise security and audit, as well as built-in delivery metrics. Additionally, it displays security insights for deployed applications.

Components that help protect applications in production

GKE and Cloud Run helps secure the security posture of your runtime environments. They both come with security features to protect your applications at runtime.

  • GKE

    GKE can assess your container security posture and give active guidance around cluster settings, workload configuration, and vulnerabilities. It includes the security posture dashboard, that scan your GKE clusters and workloads to provide you with opinionated, actionable recommendations to improve your security posture. For instructions on viewing security insights in the GKE security posture dashboard, see Deploy on GKE and view security insights.

  • Cloud Run

    Cloud Run contains a security panel that displays software supply chain security insights such as the SLSA build level compliance info, build provenance, and vulnerabilities found in running services. For instructions on viewing security insights in the Cloud Run security insights panel, see Deploy on Cloud Run and view security insights.

Build a chain of trust through policy

Binary Authorization helps establish, maintain, and verify a chain of trust along your software supply chain by collecting attestations, which are digital documents that certify images. An attestation signifies that the associated image was built by successfully executing a specific, required process. Based on these attestations collected, Binary Authorization helps define, verify and enforce trust-based policies. It makes sure the image is deployed only when the attestations meet your organization's policy, and it can be also set to alert you if any policy violations are found. For example, attestations can indicate that an image is:

You can use Binary Authorization with GKE and Cloud Run.

Pricing

The following list points to the pricing information for the services in the Software Delivery Shield solution:

What's next