Google’s Breakthrough Framework for Secure Software Supply Chains

May 25, 2023 | Ravi Lakshmanan | Software Security / Supply Chain


Google announced Wednesday the 0.1 beta release of GUAC (short for Graph for Understanding Artifact Composition), a framework organizations can use to secure their software supply chain.

To that end, the search giant is making the open source framework available as an API that developers can use to integrate their own tools and policy engines.

The purpose of GUAC is to aggregate software security metadata from various sources into a graph database that illustrates the relationships between pieces of software, helping organizations determine how one piece of software affects another.

“The Graph for Understanding Artifact Composition (GUAC) provides systematic and actionable insight into the security posture of the software supply chain,” Google said in a document.


“GUAC captures software security metadata such as SBOM and maps the relationships between software to provide a complete understanding of the software security landscape.”

In other words, it is designed to ingest software bill of materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company's own internal private metadata, so that organizations can better understand their risk profile and visualize the relationships between artifacts, packages and repositories.


With such a setup in place, the goal is to tackle high-profile supply chain attacks, create patch plans, and quickly respond to security breaches.

“For example, GUAC can be used to prove that a builder has been compromised (e.g., by leaking credentials or ingesting malware) and to query the affected artifacts,” Google said.

“This will [let the chief information security officer] easily create policies that prohibit the use of software within the blast radius.”
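As an added illustration, not GUAC's own code or API, the following toy Go graph ingests the two kinds of facts the article describes, SLSA-style builder provenance and SBOM dependency edges, and answers the compromised-builder query from the quote above: which artifacts fall inside the blast radius. All builder and package names are constructed.

```go
package main

import "sort"

// Graph is a toy stand-in for a GUAC-style metadata graph (assumption: not GUAC's own API).
// BuiltBy maps artifact -> builder (from SLSA provenance); DependsOn maps package -> its
// direct dependencies (from SBOMs). Node ids are plain "name@version" strings.
type Graph struct {
	BuiltBy   map[string]string
	DependsOn map[string][]string
}

// BlastRadius answers the query described in the article: if this builder was compromised,
// which artifacts are affected? Its direct outputs plus everything that transitively depends on them.
func (g *Graph) BlastRadius(builder string) []string {
	affected := map[string]bool{}
	for art, b := range g.BuiltBy { // seed with the builder's own outputs
		if b == builder {
			affected[art] = true
		}
	}
	for changed := true; changed; { // walk dependency edges upward until a fixed point
		changed = false
		for pkg, deps := range g.DependsOn {
			for _, d := range deps {
				if affected[d] && !affected[pkg] {
					affected[pkg], changed = true, true
				}
			}
		}
	}
	out := make([]string, 0, len(affected))
	for a := range affected {
		out = append(out, a)
	}
	sort.Strings(out) // deterministic order for policy output and tests
	return out
}

// SampleGraph holds constructed metadata (not real artifacts): two builders, four packages.
func SampleGraph() *Graph {
	return &Graph{
		BuiltBy: map[string]string{"libfoo@1.2": "ci-builder-A", "libbar@3.0": "ci-builder-B"},
		DependsOn: map[string][]string{
			"app-web@2.0":  {"libfoo@1.2", "libbar@3.0"},
			"app-cli@1.0":  {"libbar@3.0"},
			"svc-auth@4.1": {"app-web@2.0"},
		},
	}
}
```

A policy engine would consume the returned list to block deployment of those versions until they are rebuilt on a trusted builder.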
