Google Brings Voucher To Secure The Container Supply Chain

Voucher is an open-source tool to help you secure the container supply chain.

Recently, Google announced an open-source addition to the secure software supply chain toolbox dubbed Voucher. 

Voucher, developed by the Software Supply Chain Security team at Shopify to work with Google Cloud tools, evaluates container images created by CI/CD pipelines and signs those images if they meet certain predefined security criteria.

Google said that Voucher has been open source from the get-go and follows the Grafeas specification. The signatures it generates can be enforced by either Binary Authorization or the open-source Kritis admission controller.

The solution lets infrastructure engineers use Binary Authorization policies to enforce security requirements such as provenance and to block vulnerable images. Users can also extend Voucher to support additional security and compliance checks or integrate it with their CI/CD tool of choice.

Voucher comes with a pre-supplied set of security checks, and all users have to do is specify their signing policies in Binary Authorization. Once started, Voucher automates the attestation generation.
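The flow the article describes has two halves: an attestor that runs checks against an image and signs an attestation only for the checks that pass, and an admission controller that verifies those signatures against a policy before letting the image run. The following is an added, simplified model of that pattern, not Voucher's, Grafeas's or Binary Authorization's own code. It uses an HMAC key (constructed) in place of the asymmetric PGP or KMS-held key a real attestor would use, plain dicts in place of Grafeas occurrences, and hypothetical check names and sample image metadata that are all constructed here.

```python
import hashlib
import hmac
import json

# Constructed stand-in for an attestor's signing key. A real attestor signs
# with an asymmetric key (PGP or a KMS-held key) so the admission controller
# needs only the public half; HMAC keeps this example offline and dependency-free.
ATTESTOR_KEY = b"constructed-example-key-do-not-use"

# Constructed image metadata, standing in for registry and vulnerability-scanner data.
IMAGES = {
    "sha256:" + "a" * 64: {"builder": "cloudbuild.example.internal", "critical_vulns": 0},
    "sha256:" + "b" * 64: {"builder": "cloudbuild.example.internal", "critical_vulns": 2},
    "sha256:" + "c" * 64: {"builder": "laptop.unknown", "critical_vulns": 0},
}

TRUSTED_BUILDERS = {"cloudbuild.example.internal"}  # constructed


def check_provenance(meta):
    """Pass only if the image was produced by an approved build system."""
    return meta["builder"] in TRUSTED_BUILDERS


def check_vulnerabilities(meta, max_critical=0):
    """Pass only if the scanner reported no more than max_critical critical findings."""
    return meta["critical_vulns"] <= max_critical


# Hypothetical check names; Voucher's real check set is not reproduced here.
CHECKS = {"provenance": check_provenance, "vulnerabilities": check_vulnerabilities}


def run_checks(meta):
    """Return the set of check names that passed for this image."""
    return {name for name, fn in CHECKS.items() if fn(meta)}


def sign_attestation(image_digest, check_name, key=ATTESTOR_KEY):
    """Bind one passed check to one exact image digest with a signature."""
    payload = json.dumps({"image": image_digest, "check": check_name}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def attest(image_digest, meta):
    """Attestor side: one signed attestation per check that passed, none for failures."""
    return [sign_attestation(image_digest, n) for n in sorted(run_checks(meta))]


def admit(image_digest, attestations, required, key=ATTESTOR_KEY):
    """Admission side: every required check needs a valid attestation for this exact digest."""
    satisfied = set()
    for att in attestations:
        expected = hmac.new(key, att["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att["signature"]):
            continue  # forged or corrupted attestation
        body = json.loads(att["payload"])
        if body["image"] != image_digest:
            continue  # attestation for another image: a moved tag does not carry it over
        satisfied.add(body["check"])
    return set(required) <= satisfied


REQUIRED = {"provenance", "vulnerabilities"}  # the deploy-time policy


def decide(image_digest):
    """Full flow for one image: run checks, sign what passed, then decide admission."""
    attestations = attest(image_digest, IMAGES[image_digest])
    return admit(image_digest, attestations, REQUIRED)


if __name__ == "__main__":
    for digest in IMAGES:
        print(digest[:19], "admitted" if decide(digest) else "blocked")
```

Two properties carry over to the real systems: the attestation is bound to the content digest rather than a tag, so re-tagging an unapproved image as `latest` does not inherit an approval, and the admission side never re-runs the checks, it only verifies that a trusted attestor vouched for each requirement the policy lists.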