CleanStart and Sysdig Partner on Supply Chain Security
CleanStart, a provider of hardened container images, and security firm Sysdig have announced a strategic partnership. The collaboration aims to deliver continuous software supply chain verification by combining SLSA-aligned build integrity with eBPF-based runtime intelligence. This allows enterprises to monitor software from the build process through to live execution.
- Software supply chain attacks are a growing threat in which adversaries inject malicious code into a trusted software component, such as a container image or an open-source dependency. The partnership addresses this by creating a verifiable link between the software's build process and its behavior once it is live.
- CleanStart covers the "build integrity" phase by creating hardened container images from source code. These images ship with a Software Bill of Materials (SBOM) and a signed, verifiable SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, which acts as a tamper-evident record of how the image was created.
- Sysdig provides the "runtime intelligence" by using eBPF to monitor what the container is actually doing in production. eBPF gives Sysdig deep visibility into system calls, network traffic, and file system activity directly from the Linux kernel in a secure and efficient way.
- The combined solution aims to create a "continuous verification loop": an enterprise first verifies the integrity of a CleanStart image using its cryptographic signature, then uses Sysdig to monitor its runtime behavior and confirm that it matches the trusted build-time record, detecting deviations or suspicious activity in real time.
- For developers, this approach means starting from a near-zero-vulnerability base image from CleanStart, which reduces the noise of vulnerability alerts and lets security scans focus on the application code itself. Sysdig's runtime monitoring can then add context on which vulnerabilities are actually reachable by running applications.
- The SLSA framework, central to CleanStart's approach, is an industry standard from the Open Source Security Foundation (OpenSSF) and Google, designed to protect against tampering by securing the build process itself.
- Sysdig's use of eBPF is a modern approach to security and observability that avoids the need for sidecar containers or changes to the application's code. It provides a more performant and less intrusive way to gain deep insight into running workloads.
- According to CleanStart's CTO, Biswajit De, "Build-time trust without runtime validation leaves a critical gap, and runtime visibility without provenance lacks proof." The partnership aims to close that gap by connecting the two stages.
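To make the "continuous verification loop" concrete, here is an added Python example that is not code from CleanStart or Sysdig. It checks a SLSA v1 provenance statement against an image digest and a trusted builder, then screens runtime events against the build-time record (the SBOM's shipped executables). The image digest, builder id, SBOM excerpt and runtime events are all constructed, and verifying the DSSE signature that wraps the provenance (which a real pipeline does first, e.g. with cosign) is assumed to have already passed.

```python
import hashlib

# Constructed image digest and SLSA v1 provenance (in-toto statement) for it.
# The DSSE signature over this statement is assumed verified before this point.
IMAGE_DIGEST = hashlib.sha256(b"constructed-image-bytes").hexdigest()
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.com/hardened-build/v1"},
        "runDetails": {"builder": {"id": "https://example.com/builders/hardened@v1"}},
    },
}
TRUSTED_BUILDERS = {"https://example.com/builders/hardened@v1"}  # hypothetical

# Constructed SBOM excerpt: executables the hardened image is known to ship.
SBOM_EXECUTABLES = {"/app/server", "/bin/sh", "/usr/bin/env"}

# Constructed runtime events, in the spirit of eBPF syscall telemetry.
RUNTIME_EVENTS = [
    {"image": IMAGE_DIGEST, "type": "exec", "path": "/app/server"},
    {"image": IMAGE_DIGEST, "type": "exec", "path": "/tmp/unknown-tool"},
    {"image": IMAGE_DIGEST, "type": "connect", "dest": "203.0.113.9:443"},
    {"image": IMAGE_DIGEST, "type": "write", "path": "/app/server"},
]


def verify_provenance(statement, image_digest, trusted_builders):
    """Build-time check: the statement covers this image and names a trusted builder."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    builder = statement["predicate"]["runDetails"]["builder"]["id"]
    return image_digest in subjects and builder in trusted_builders


def runtime_deviations(events, image_digest, sbom_executables, allowed_egress=()):
    """Runtime check: flag behaviour with no basis in the build-time record."""
    findings = []
    for ev in events:
        if ev["image"] != image_digest:
            continue  # telemetry from a different image; not our concern here
        if ev["type"] == "exec" and ev["path"] not in sbom_executables:
            findings.append(f"exec of binary not in SBOM: {ev['path']}")
        elif ev["type"] == "write" and ev["path"] in sbom_executables:
            findings.append(f"shipped binary modified at runtime: {ev['path']}")
        elif ev["type"] == "connect" and ev["dest"] not in allowed_egress:
            findings.append(f"egress not in expected set: {ev['dest']}")
    return findings
```

Running `verify_provenance` before the image is admitted, and `runtime_deviations` over live telemetry, is the two-stage check the article describes; only the second stage catches a binary dropped into the container after the build.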