Sigstore and Kubernetes founders raise $17.5M to launch an open source security startup Stacklok

The launch of Stacklok is seen as a sign of the importance of software supply chain security

Kubernetes co-founders Craig McLuckie and Joe Beda, who left Google to start Heptio in 2016, have now gone their separate ways. They sold Heptio to VMware in 2018 and left the company in 2022. McLuckie has founded a new startup, Stacklok, which aims to provide tools and services focused on software supply chain security. He has teamed up with Luke Hinds, the company's CTO, who is also the founder of the Sigstore project. Sigstore has become the default open-source project that sits at the core of supply chain stacks.

Sigstore helps developers sign and verify their project libraries. Today, Sigstore is part of the Linux Foundation's Open Source Security Foundation (OpenSSF), where software supply chain security is a priority across software ecosystems. The tool helps developers use trustworthy packages and verify their work. The two co-founders wouldn't say anything about Stacklok's product plans just yet, but Sigstore will be a core project, and the company will be building on top of it.

Stacklok has raised $17.5 million in a Series A funding round, with participation from Madrona Venture Group, a leading venture capital firm in the Pacific Northwest. The company plans to give developers a clear and precise set of insights needed to start producing better software. This includes a better understanding of dependencies and operating preferences, so that it is clearer how software behaves when it is produced.

The company expects to build tools that surface provenance data directly to developers so that the technology is transparent and accessible. McLuckie hinted that the team will likely start by building an integration with GitHub, but he kept the company's plans under wraps until it is ready to launch a beta. The aim is to create a virtuous cycle, a flywheel of engagement, that will be a commercial success.

According to Madrona Venture Group, the software supply chain security market is fragmented, with no clear platform leader.

The team believes Stacklok is uniquely positioned to win in this market, given its unique background and ability to create a proactive and remediative platform solution across the entire DevSecOps process. This will provide an elegant and effective approach to CodeSec, which is expanding naturally over time, and AppSec scenarios.

The launch of Stacklok is seen as a sign of the importance of software supply chain security, which has become a priority across software ecosystems. According to Executive Order 14028, issued by the US government, supply chain security is a national priority. Stacklok aims to create a trust foundation for secure software, which is more important than ever before, given the increasing danger posed by hackers.

Sources: TechCrunch, eWEEK, GeekWire
