Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.
To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.
GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.
“GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position.”
In other words, it’s designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company’s internal private metadata to help create a better picture of the risk profile and visualize the relationships between artifacts, packages, and repositories.
With such a setup in place, the goal is to tackle high-profile supply chain attacks, generate a patch plan, and swiftly respond to security compromises.
“For example, GUAC can be used to certify that a builder is compromised (e.g., via credential leakage or ingestion of malware) and then query for affected artifacts,” Google said.
“This enables the [chief information security officer] to easily create a policy to forbid use of any software from within the blast radius.”