Software supply chain security
Google Cloud improves end-to-end software supply chain security with dedicated tooling and built-in automation for policy enforcement, while enabling you to adopt industry standards in a flexible and incremental way.
Benefits
Software supply chain security at cloud-native speed and scale
Shift left on security through software life cycle
Catch security issues early in the process with a holistic solution that spans the entire software life cycle, including developer tools, CI/CD pipelines, artifact repositories, and runtime environments.
Improve security with proven best practices
Enable software supply chain security with dedicated tooling and automation for high-velocity environments. Automatically block deployments that do not conform to security policies.
Meets you where you are on your security journey
Start today by incorporating the SLSA framework to adopt an incremental pathway toward holistic software supply chain security. No matter where you are on your journey, our open and pluggable tools can help.
Key features
Strengthen software supply chain security throughout the software life cycle
Comprehensive vulnerability scanning for improved image security
Scan images for vulnerabilities with on-demand scanning, which gives you granular control over the images you want to scan at various stages of the software development life cycle. For example, you can scan packages or base images before investing any development effort. You can also use the automated scanning feature to ensure every image has scan results available upon repository push.
Managed CI/CD pipelines with enhanced security measures
Use Cloud Build to access managed CI/CD pipelines with support for private networks and isolated and ephemeral build environments. You can also integrate vulnerability scanning for policy-based governance. Need a more controlled rollout? Cloud Build works with Google Cloud Deploy, which offers approval gates between environments (for example, dev, stage, and prod) and fine-grained access control.
Automated security enforcement at and after deployment time
Get policy-based security enforcement with Binary Authorization. You can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying, so an image without the required attestations is blocked (or, in audit mode, logged) rather than run. Running images can then be continuously validated post-deployment, so that workloads that stop conforming to the policy in place, for example after an attestation is revoked or the policy is tightened, are flagged.
Auto-generated build provenance for easy security verification
Quickly generate and verify an artifact’s build provenance with Cloud Build. Build provenance is a collection of verifiable data about where, when, and how build artifacts were created. Cloud Build automatically generates signed provenance, which provides a verifiable record of the build information. It can also help you meet Supply-chain Levels for Software Artifacts (SLSA) level 2 assurance.
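What a deploy-time gate actually has to check in signed build provenance, as an added example that is not Cloud Build's or Binary Authorization's code. The envelope and statement layout follow the public DSSE, in-toto and SLSA v0.2 formats; the artifact bytes, builder id, key and trusted-builder list are constructed for the demo and are assumptions, and HMAC-SHA256 stands in for the platform's asymmetric signature so the block runs on the standard library alone. The gate verifies the signature before it parses anything, matches the artifact by digest rather than by name or tag, and checks the builder against an allow-list, then models the enforced and dry-run (audit-only) decision modes described above.

```python
"""Deploy-time gate that verifies SLSA build provenance before admitting an image.

Added example, not Cloud Build or Binary Authorization code. Formats follow the
public DSSE / in-toto / SLSA v0.2 specs; the inputs below are constructed
(assumptions), and HMAC-SHA256 stands in for the platform's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json

INTOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v0.2"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed inputs (assumptions, not real data).
ARTIFACT = b"FROM scratch\nCOPY app /app\n"             # stands in for an image manifest
DEMO_KEY = b"demo-builder-signing-key"                   # shared with the demo builder
TRUSTED_BUILDER = "https://example.com/builders/ci@v1"
TRUSTED_BUILDERS = {TRUSTED_BUILDER}                     # the policy's allow-list


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed.
    Signing the PAE (not the raw payload) binds payloadType to the signature."""
    pt = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(pt)).encode(), pt,
                      str(len(payload)).encode(), payload])


def sign(key: bytes, payload: bytes) -> bytes:
    """HMAC stand-in for the builder's signature over the PAE."""
    return hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()


def make_provenance(artifact: bytes, builder_id: str, key: bytes) -> dict:
    """Act as the builder: wrap a SLSA v0.2 statement about artifact in a signed DSSE envelope."""
    statement = {
        "_type": INTOTO_STATEMENT,
        "predicateType": SLSA_PROVENANCE,
        "subject": [{"name": "app-image",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/build-types/container@v1",
            "invocation": {"configSource": {
                "uri": "git+https://example.com/org/app", "digest": {"sha1": "0" * 40}}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo", "sig": base64.b64encode(sign(key, payload)).decode()}],
    }


def verify_provenance(envelope: dict, artifact: bytes, key: bytes,
                      trusted_builders: set) -> tuple:
    """Return (admitted, reason). Verify the signature first; only then parse the payload."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = sign(key, payload)
    if not any(hmac.compare_digest(base64.b64decode(s.get("sig", "")), expected)
               for s in envelope.get("signatures", [])):
        return False, "no valid signature"
    stmt = json.loads(payload)
    if stmt.get("_type") != INTOTO_STATEMENT or stmt.get("predicateType") != SLSA_PROVENANCE:
        return False, "not a SLSA v0.2 provenance statement"
    # The provenance must be about *this* artifact: compare digests, never names or tags.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        return False, "artifact digest not in provenance subject"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    return True, "admitted"


def tamper_builder(envelope: dict, new_builder: str) -> dict:
    """Attacker edits the builder id after signing; the signature no longer matches."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["builder"]["id"] = new_builder
    forged = json.dumps(stmt, separators=(",", ":")).encode()
    return dict(envelope, payload=base64.b64encode(forged).decode())


def admission_decision(envelope: dict, artifact: bytes, dry_run: bool = False) -> dict:
    """Model the two enforcement modes: dry-run only records the violation, enforced blocks it."""
    admitted, reason = verify_provenance(envelope, artifact, DEMO_KEY, TRUSTED_BUILDERS)
    return {"allowed": admitted or dry_run, "violation": not admitted, "reason": reason}


if __name__ == "__main__":
    good = make_provenance(ARTIFACT, TRUSTED_BUILDER, DEMO_KEY)
    rogue = make_provenance(ARTIFACT, "https://example.com/builders/laptop", DEMO_KEY)
    cases = [("signed by trusted builder", good, ARTIFACT),
             ("same provenance, different image bytes", good, ARTIFACT + b"x"),
             ("signed by untrusted builder", rogue, ARTIFACT),
             ("builder id edited after signing", tamper_builder(rogue, TRUSTED_BUILDER), ARTIFACT)]
    for label, env, art in cases:
        print(f"{label}: {admission_decision(env, art)}")
```

The four demo cases cover the failure modes a gate must distinguish: a valid attestation for the wrong bytes, a valid attestation from a builder the policy does not trust, and an attestation whose contents were edited after signing. In a real deployment the key would be the builder's public key, the trusted-builder set would come from the policy, and the gate would run as an admission controller, but the order of checks is the same.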
Runtime environments built with security best practices
Improve the security of runtime environments with GKE or Cloud Run — both come with easy integration with Binary Authorization. In addition, Protect for GKE, currently in preview, provides in-depth guidance into the security posture of your clusters and workloads. And Cloud Run, our serverless platform, lets you run containers in isolated sandboxes for better security.
Learn about software supply chain security and how Google can help
Related services
Software supply chain security products and integrations
Documentation
Learn how to improve software supply chain security in your organization
Software supply chain threats
Understand the attack surface of the software supply chain, from source, build, publishing, and dependencies through to deployment.
Protect your software supply chain
Learn best practices that help protect your software across the processes and systems in your software supply chain.
Secure software supply chains on Google Kubernetes Engine
Learn how to ensure that your software supply chain follows a known and secure path before your code is deployed in a GKE cluster.
What's new