GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains


Google on Wednesday announced the **0.1 Beta version** of [GUAC]() (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.

To that end, the search giant is [making available]() the open source framework as an API for developers to integrate their own tools and policy engines.

[GUAC]() aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

“Graph for Understanding Artifact Composition ([GUAC]()) gives you organized and actionable insights into your software supply chain security position,” Google [says]() in its documentation.


“GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position.”

In other words, it’s designed to bring together Software Bill of Materials (SBOM) documents, [SLSA attestations](), [OSV vulnerability feeds](), [ insights](), and a company’s internal private metadata to help create a better picture of the risk profile and visualize the relationships between artifacts, packages, and repositories.

With such a setup in place, the goal is to tackle high-profile supply chain attacks, generate a patch plan, and swiftly respond to security compromises.

“For example, GUAC can be used to certify that a builder is compromised (e.g., via credential leakage or ingestion of malware) and then query for affected artifacts,” Google said.

“This enables the [chief information security officer] to easily create a policy to forbid use of any software from within the blast radius.”

Found this article interesting? Follow us on [Twitter __]() and [LinkedIn]() to read more exclusive content we post.Read More

Back to Main

Subscribe for the latest news: