Software supply chain security

Google Cloud improves end-to-end software supply chain security with dedicated tooling and built-in automation for policy enforcement, while enabling you to adopt industry standards in a flexible and incremental way.

Download whitepaper View documentation Download whitepaper View documentation

VIDEO

See how Google Cloud helps with software supply chain security

7:38

Benefits

Software supply chain security at cloud-native speed and scale

Shift left on security through software life cycle

Catch security issues early in the process with a holistic solution that spans the entire software life cycle, including developer tools, CI/CD pipelines, artifact repositories, and runtime environments.

Improve security with proven best practices

Enable software supply chain security with dedicated tooling and automation for high-velocity environments. Automatically block deployments that do not conform to security policies.

Meet you where you are on your security journey

Start today by incorporating the SLSA framework to adopt an incremental pathway toward holistic software supply chain security. No matter where you are on your journey, our open and pluggable tools can help.

Key features

Strengthen software supply chain security throughout the software life cycle

Comprehensive vulnerability scanning for improved image security

Scan images for vulnerabilities with on-demand scanning, which gives you granular control over the images you want to scan at various stages of the software development life cycle. For example, you can scan packages or base images before investing any development effort. You can also use the automated scanning feature to ensure every image has scan results available upon repository push.

Managed CI/CD pipelines with enhanced security measures

Use Cloud Build to access managed CI/CD pipelines with support for private networks and isolated and ephemeral build environments. You can also integrate vulnerability scanning for policy-based governance. Need a more controlled rollout? Cloud Build works with Google Cloud Deploy, which offers approval gates between environments (for example, dev, stage, and prod) and fine-grained access control.

Automated security enforcement at and after deployment time

Get policy-based security enforcement with Binary Authorization. You can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. Running images may then be continuously validated post-deployment to ensure they are constantly conforming to the policies in place.

Auto-generated build provenance for easy security verification

Quickly generate and verify an artifact’s build provenance with Cloud Build. Build provenance is a collection of verifiable data about where, when, and how build artifacts were created. Cloud Build automatically generates signed provenance, which provides a verifiable record of the build information. It can also help you meet Supply-chain Levels for Software Artifacts (SLSA) level 2 assurance.

Runtime environments built with security best practices

Improve the security of runtime environments with GKE or Cloud Run — both come with easy integration with Binary Authorization. In addition, Protect for GKE, currently in preview, provides in-depth guidance into the security posture of your clusters and workloads. And Cloud Run, our serverless platform, lets you run containers in isolated sandboxes for better security.