Chainguard’s Trail of Bits security assessment
In February, we partnered with Trail of Bits, a leading security research company, to review the security of Chainguard's production environment. This partnership culminated in a formal threat model for Chainguard and a detailed security assessment. Trail of Bits' goal was to find a way to disrupt or introduce malicious packages into Chainguard's supply chain.

We are pleased to report that Trail of Bits found no critical issues as part of their security assessment. Even so, they provided us with code review findings and security recommendations, which we have since taken action on.
Code review findings
Command injection through Actions input [HIGH]
Description: The "Provision Prod Infrastructure" GitHub Action is vulnerable to command injection through unsafe handling of malicious input.
Status: FIXED. We have since removed this internal Terraform workflow. Command injection is a common weakness in GitHub Actions workflows, so we also audited our other repositories for the same pattern.
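As an added illustration (not code from the Trail of Bits report or from Chainguard's repositories; the "Provision Prod Infrastructure" workflow itself is not reproduced here), the following Python helper shows the kind of check an audit across repositories can apply: it flags untrusted event data interpolated directly into a `run:` script, and stays silent for the usual fix of handing the value to the shell through `env:`. Both workflow snippets are constructed samples, and the list of untrusted contexts is an assumption, not an exhaustive catalogue.

```python
import re
# Expression contexts an outside contributor can influence (constructed, non-exhaustive).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body", "github.event.comment.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.head_ref", "github.event.inputs.", "inputs.",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_unsafe_run_expressions(workflow_text):
    """Return (line_number, expression) for untrusted ${{ }} values interpolated into `run:`."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):          # YAML list item: the key sits after the dash
            stripped, indent = stripped[2:], indent + 2
        if stripped.startswith("run:"):
            in_run, run_indent, body = True, indent, stripped[4:]
        elif in_run and (indent > run_indent or not stripped):
            body = stripped                    # continuation line of a `run: |` block
        else:
            in_run, body = False, ""           # a sibling key or the next step ends the block
        for expr in EXPR_RE.findall(body):
            if any(re.search(r"\b" + re.escape(ctx), expr) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings

# Constructed sample: the issue title is pasted into the script text before the shell parses it.
VULNERABLE_WORKFLOW = """\
on: [issues]
jobs:
  provision:
    steps:
      - run: |
          echo "Provisioning for ${{ github.event.issue.title }}"
          terraform apply -var="env=${{ github.event.issue.title }}"
"""
# Constructed sample: the same value reaches the script only as an environment variable.
HARDENED_WORKFLOW = """\
on: [issues]
jobs:
  provision:
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "Provisioning for $ISSUE_TITLE"
          terraform apply -var="env=$ISSUE_TITLE"
"""
```

Running `find_unsafe_run_expressions` over both samples reports the two interpolations in the vulnerable workflow and nothing for the hardened one, since `$ISSUE_TITLE` is expanded by the shell as data rather than spliced into the script source.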
Insufficient redaction of CloudEvents [MEDIUM]
Description: The IdentityProvider, Cluster, and Policy protobuf message types are not redacted in CloudEvents, leading to potential leakage of sensitive data via CloudEvent subscriptions.
Status: FIXED. We audited our codebase and found that only IdentityProvider was capable of hosting sensitive data. We've updated our code to redact this message type.
Additional recommendations
After thoroughly reviewing our codebase, Trail of Bits provided additional recommendations for securing it. While there is still work to be done, we've strengthened our security significantly since the report in the following ways:
Dramatically reduced our use of long-lived GitHub credentials through Octo STS
Deployed StepSecurity to provide security monitoring for GitHub Actions
Access to all GitHub organizations requires a FIDO security key for 2FA
The few remaining virtual machines now require uncached FIDO security key actuation
GitHub PAT usage is monitored for anomalies using Elastic Security
Employee access to our production network alerts an on-call engineer. Read more about this in our blog post on audited least privilege.
Looking ahead
As part of our commitment to providing our customers with the highest level of security possible, Chainguard undergoes an independent security assessment every six months. In the meantime, we continue to work behind the scenes to reduce our surface area further and increase the number of safeguards we have to protect our users and customers. To download the complete Trail of Bits security assessment, please visit the Chainguard Trust Center.