GUAC - Aggregates Software Security Metadata Into A High Fidelity Graph Database
Note: GUAC is under active development. If you are interested in contributing, please look at the contributor guide and the "express interest" issue.
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
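To make the "normalizing entity identities and mapping standard relationships" idea concrete, here is an added, self-contained Go example that is not GUAC's own code and does not use its schema or API. It builds a tiny in-memory graph from constructed SBOM-style records: package identities are folded into one purl-like key (the normalization rules and the `VULN-EXAMPLE-0001` id are assumptions for illustration), typed edges record dependency and vulnerability relationships, and one query walks the graph in reverse to answer a risk question of the kind the paragraph describes ("which packages are exposed to this vulnerability, directly or transitively?").

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is a normalized package identity. The purl-style key is a
// constructed simplification for this example, not GUAC's own node schema.
type Package struct {
	Type, Namespace, Name, Version string
}

// Key renders the canonical identity string used as the graph node id.
func (p Package) Key() string {
	return fmt.Sprintf("pkg:%s/%s/%s@%s", p.Type, p.Namespace, p.Name, p.Version)
}

// Normalize folds the raw fields two SBOM producers might emit for the same
// package into one identity: ecosystem, namespace and name are lower-cased,
// surrounding whitespace and a leading "v" on the version are dropped.
// (Assumed rules for illustration; real purl normalization is per-ecosystem.)
func Normalize(typ, ns, name, version string) Package {
	clean := func(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	return Package{Type: clean(typ), Namespace: clean(ns), Name: clean(name), Version: v}
}

// Edge is a typed relationship between two node ids.
type Edge struct{ From, To, Kind string }

// Graph holds de-duplicated nodes and the typed edges between them.
type Graph struct {
	nodes map[string]bool
	edges []Edge
}

func NewGraph() *Graph { return &Graph{nodes: map[string]bool{}} }

// NodeCount reports how many distinct entities the graph holds.
func (g *Graph) NodeCount() int { return len(g.nodes) }

func (g *Graph) addEdge(from, to, kind string) {
	g.nodes[from], g.nodes[to] = true, true
	g.edges = append(g.edges, Edge{From: from, To: to, Kind: kind})
}

// AddDependency records that `from` depends on `to`.
func (g *Graph) AddDependency(from, to Package) { g.addEdge(from.Key(), to.Key(), "dependsOn") }

// AddVulnerability attaches a vulnerability id (a constructed placeholder
// id is used below) to a package node.
func (g *Graph) AddVulnerability(p Package, vulnID string) {
	g.addEdge(p.Key(), "vuln:"+vulnID, "hasVuln")
}

// AffectedBy answers "which packages carry this vulnerability, directly or
// through their dependency chain?" by walking dependsOn edges in reverse
// from every package that has a hasVuln edge to the id. Output is sorted.
func (g *Graph) AffectedBy(vulnID string) []string {
	target := "vuln:" + vulnID
	seen := map[string]bool{}
	var queue []string
	for _, e := range g.edges {
		if e.Kind == "hasVuln" && e.To == target {
			queue = append(queue, e.From)
		}
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		for _, e := range g.edges {
			if e.Kind == "dependsOn" && e.To == cur {
				queue = append(queue, e.From)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// BuildSample ingests constructed records as two SBOM producers might emit
// them. lib-b appears twice with different spellings and collapses to one node.
func BuildSample() *Graph {
	g := NewGraph()
	app := Normalize("npm", "example", "app", "1.0.0")
	libA := Normalize("npm", "example", "lib-a", "2.3.1")
	libB1 := Normalize("NPM", "Example", "Lib-B", " v0.9.0 ") // spelling from SBOM 1
	libB2 := Normalize("npm", "example", "lib-b", "0.9.0")    // spelling from SBOM 2
	g.AddDependency(app, libA)
	g.AddDependency(libA, libB1)
	g.AddVulnerability(libB2, "VULN-EXAMPLE-0001") // constructed placeholder id
	return g
}

func main() {
	g := BuildSample()
	fmt.Println("nodes:", g.NodeCount())
	fmt.Println("affected by VULN-EXAMPLE-0001:", g.AffectedBy("VULN-EXAMPLE-0001"))
}
```

The point of the two `lib-b` spellings is that without identity normalization the graph would hold two unrelated nodes, and the vulnerability attached to one would never be reached from `app` through the other; the reverse walk only produces a useful audit answer because both records resolved to the same key.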
Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:
A few examples of questions answered by GUAC include:
Quickstart
Refer to the Setup + Demo document to learn how to prepare your environment and try GUAC out!
Architecture
Here is an overview of the architecture of GUAC:
Supported input formats
- CycloneDX
- Dead Simple Signing Envelope
- In-toto ITE6
- OpenSSF Scorecard
- SLSA
- SPDX
Additional References
- GUAC Intro Slides
- GUAC Design Doc
Communication
We encourage discussions to be held on GitHub issues. We also have a public Slack channel on the OpenSSF Slack.
For security issues or code of conduct concerns, an e-mail should be sent to guac-maintainers@googlegroups.com.
Governance
Information about governance can be found here.