Skip to content

Software Supply Chain Security

Certification

A foundational aspect of the Contain Platform's security posture is our rigorous management of the software supply chain. We understand that to trust the platform, you must be able to trust every component that runs on it. This document outlines the formal, multi-phase process we use to vet, curate, and package the open-source software that comprises our managed Components.

Our methodology is designed to provide you with the assurance that the software running your workloads is secure, compliant, and reliable. It combines the innovation of open source with the operational and security excellence of a managed service.

The Component Lifecycle: From Upstream to Your Cluster

We manage the entire lifecycle of a component to ensure it is secure, stable, and reliable. This process can be understood in three key phases relevant to supply chain security.

Component Lifecycle PhasesUpstream Project Due DiligenceIntegration and HardeningMonitoring and UpdatesSBOMsLicensesCommunity HealthGovernanceOperational ReadinessPoliciesObservabilityReputabilityRe-VettingVulnerability ScanningControlled Rollouts
Hold "Alt" / "Option" to enable pan & zoom

Phase 1: Upstream Project Due Diligence

Before any software is considered for inclusion in the platform, it undergoes a comprehensive due diligence process. Our security and engineering teams analyze the upstream open-source project's posture across several key domains:

  • Supply Chain Security: We investigate the project's software bill of materials (SBOM) and origin, check for the use of signed commits and signed container images, and assess its overall security posture.
  • License Compliance: We perform a thorough analysis of the project's software license and the licenses of all its dependencies to ensure they are compliant with both our legal standards and enterprise use cases.
  • Community Health and Governance: We assess the activity, responsiveness, and governance model of the upstream community. This ensures the project is actively maintained, has a healthy contributor base, and is viable for long-term production use.
  • Operational Readiness: We conduct a technical review of the project's architecture, configuration options, resource footprint, and overall compatibility to ensure it can be operated efficiently, securely, and reliably on our platform.

Phase 2: Secure Integration and Hardening

Once an upstream project passes our due diligence process, it is packaged as a managed platform Component. This is not a simple repackaging; it is an extensive integration and hardening process designed to align the software with our strict security standards.

  • Security Hardening: We apply strict securityContext settings to all containers, create default-deny network policies to enforce the principle of least privilege, and configure the software to run with the minimum set of permissions required (RBAC).
  • Image Hardening: We build our container images on minimal, vetted base images (like distroless), remove unnecessary packages, and ensure containers run as non-root users to significantly reduce the attack surface.
  • Integrating Observability: We ensure the component exposes the necessary metrics, logs, and traces to seamlessly integrate with our central monitoring, logging, and alerting systems. This is critical for maintaining visibility and enabling auditability.
  • Creating a Secure, Verifiable Package: The final component is packaged as a signed, verifiable software artifact. We generate cryptographic attestations that provide a non-repudiable record of the component's origin, contents (via an SBOM), and integrity. All component container images are scanned for vulnerabilities and stored in our secure, private registry.

Phase 3: Continuous Monitoring and Secure Updates

Our commitment to security does not end after a component is initially packaged. We continuously monitor upstream projects for new versions, security advisories, and changes in their security posture.

When a new version of an upstream component is released, our process begins again:

  • Full Re-Vetting: The new version undergoes the same comprehensive due diligence process as a brand new component. We re-assess its supply chain security, license compliance, and community health to ensure it still meets our standards.
  • Vulnerability Scanning: The new container images are scanned for known vulnerabilities (CVEs), and we do not release components with critical or high-severity vulnerabilities that have available fixes.
  • Controlled Rollouts: Once vetted and packaged, updates are rolled out in a controlled, progressive manner across the platform to mitigate risk and ensure stability.

This continuous lifecycle management ensures that the components on the platform are not only secure at the time of installation but remain secure as they evolve.

This structured process ensures that every component on the Contain Platform is built upon a foundation of security and trust, providing you with a verifiable and secure environment for your applications.