Google is teaming up with top technology providers on a new way to audit and govern the modern software supply chain. Grafeas, which means “scribe” in Greek, is an open-source initiative for tracking and enforcing policies across software teams and pipelines. It was developed in collaboration with Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS.
“Grafeas standardizes how you store, query and retrieve metadata attached to software artifacts. In particular, it provides rich auditing capabilities and acts as a central source of truth for organizations, especially those that must track the development of many software artifacts used and created by many different teams,” Elad Yaakov, product manager at JFrog, wrote in a post.
According to Google, organizations often struggle with the growing, fragmented landscape of tools; open-source software adoption; the push for accelerated development; hybrid cloud deployments; and microservices. These challenges make it harder for an organization to track all the pieces of their software, follow best practices and standards, and maintain visibility across their operations.
“Organizations generate vast quantities of metadata, all in different formats from different vendors and are stored in many different places. Without uniform metadata schemas or a central source of truth, CIOs struggle to govern their software supply chains, let alone answer foundational questions like: ‘Is software component X deployed right now?’ ‘Did all components deployed to production pass required compliance tests?’ and ‘Does vulnerability Y affect any production code?’” Stephen Elliott, product manager of developer platforms, and Jianing Guo, product manager of container security at Google, wrote in a post.
Grafeas is designed to combat those challenges with its central, structured knowledge base of critical metadata, its built-in security controls for the software supply chain, and its immutable infrastructure to establish “preventive security postures.”
“To give a comprehensive, unified view of this metadata, we built Grafeas to promote cross-vendor collaboration and compatibility; we’ve released it as open source, and are working with contributors from across the ecosystem to further develop the platform,” Elliott and Guo wrote.
In addition, JFrog announced plans to implement the Grafeas API into JFrog Xray, and Black Duck announced integration with Grafeas and the Google artifact metadata API.
Google also announced a new Kubernetes policy engine as part of the Grafeas launch. Kritis, which means “judge” in Greek, is a policy engine designed to bring security to software supply chain policies.
“Using Grafeas as the central source of truth for container metadata has allowed the security team to answer these questions [such as: is the container deployed to production? Does this container contain any security vulnerabilities?] and flesh out appropriate auditing and lifecycling strategies for the software we deliver to users at Shopify,” Jonathan Pulsifer, senior security engineer at Shopify, wrote in a post. “Using tools like Grafeas and Kritis has allowed us to inject security controls into the DNA of Shopify’s cloud platform to provide software governance techniques at scale alongside our developers, unlocking the velocity of all the teams.”
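To make concrete what a central metadata store and a deploy-time policy engine buy you, here is an added illustration (not code from Grafeas, Kritis, Google or any of the vendors named above). It uses a hypothetical, deliberately simplified schema in which every record is an "occurrence" attached to one artifact digest; the store answers the three questions quoted from Google's post (is component X deployed, did everything in production pass compliance, does vulnerability Y affect production), and a Kritis-style admission check refuses a deployment that lacks a passed compliance record or carries a finding at or above a severity threshold. The digests, environment names and vulnerability IDs (`VULN-Y`, `VULN-Z`) are constructed placeholders, and the `MetadataStore`, `Policy` and `admit` names are this example's own, not the Grafeas API.

```python
"""Toy metadata store and admission policy in the spirit of Grafeas/Kritis.

Hypothetical, simplified schema: every record is an "occurrence" attached to
one artifact digest. This is an illustration, not the Grafeas API.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity ordering so a policy can express a threshold.
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Occurrence:
    artifact: str                   # image digest (placeholder values below)
    kind: str                       # "vulnerability" | "compliance" | "deployment"
    vuln: Optional[str] = None      # vulnerability ID       (kind == "vulnerability")
    severity: Optional[str] = None  # "LOW".."CRITICAL"      (kind == "vulnerability")
    passed: Optional[bool] = None   # compliance test result (kind == "compliance")
    env: Optional[str] = None       # target environment     (kind == "deployment")


class MetadataStore:
    """In-memory stand-in for the central source of truth."""

    def __init__(self) -> None:
        self.occurrences: List[Occurrence] = []

    def add(self, occ: Occurrence) -> None:
        self.occurrences.append(occ)

    def _of(self, kind: str, artifact: str) -> List[Occurrence]:
        return [o for o in self.occurrences if o.kind == kind and o.artifact == artifact]

    # Q1: "Is software component X deployed right now?"
    def is_deployed(self, artifact: str, env: str = "production") -> bool:
        return any(o.env == env for o in self._of("deployment", artifact))

    def deployed_artifacts(self, env: str = "production") -> List[str]:
        return sorted({o.artifact for o in self.occurrences
                       if o.kind == "deployment" and o.env == env})

    def passed_compliance(self, artifact: str) -> bool:
        return any(o.passed for o in self._of("compliance", artifact))

    # Q2: "Did all components deployed to production pass required compliance tests?"
    def all_deployed_passed_compliance(self, env: str = "production") -> bool:
        return all(self.passed_compliance(a) for a in self.deployed_artifacts(env))

    # Q3: "Does vulnerability Y affect any production code?" -> the affected artifacts
    def affected_by(self, vuln: str, env: str = "production") -> List[str]:
        return [a for a in self.deployed_artifacts(env)
                if any(o.vuln == vuln for o in self._of("vulnerability", a))]


@dataclass
class Policy:
    """Kritis-style admission rule evaluated before a deployment is allowed."""
    require_compliance: bool = True
    max_severity: str = "HIGH"   # findings at or above this severity block the deploy


def admit(store: MetadataStore, policy: Policy, artifact: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown severities are treated as blocking (fail closed)."""
    if policy.require_compliance and not store.passed_compliance(artifact):
        return False, "missing passed compliance record"
    threshold = SEVERITY[policy.max_severity]
    for o in store._of("vulnerability", artifact):
        if SEVERITY.get(o.severity, threshold) >= threshold:
            return False, f"{o.vuln} ({o.severity}) meets policy threshold {policy.max_severity}"
    return True, "ok"


def sample_store() -> MetadataStore:
    """Constructed sample data; digests and vulnerability IDs are placeholders."""
    s = MetadataStore()
    s.add(Occurrence("sha256:app-a", "deployment", env="production"))
    s.add(Occurrence("sha256:app-a", "compliance", passed=True))
    s.add(Occurrence("sha256:app-a", "vulnerability", vuln="VULN-Z", severity="MEDIUM"))
    s.add(Occurrence("sha256:app-b", "deployment", env="production"))
    s.add(Occurrence("sha256:app-b", "compliance", passed=False))
    s.add(Occurrence("sha256:app-b", "vulnerability", vuln="VULN-Y", severity="HIGH"))
    s.add(Occurrence("sha256:app-c", "compliance", passed=True))  # built, never deployed
    return s


if __name__ == "__main__":
    s, p = sample_store(), Policy()
    print("app-a deployed to production:", s.is_deployed("sha256:app-a"))
    print("all production components passed compliance:", s.all_deployed_passed_compliance())
    print("production artifacts affected by VULN-Y:", s.affected_by("VULN-Y"))
    for a in ("sha256:app-a", "sha256:app-b", "sha256:app-c"):
        print("admit", a, admit(s, p, a))
```

The point of the shape is that every question is a query over one uniform record type rather than a scrape of several vendors' formats, and that the same store feeds both the after-the-fact audit (the three questions) and the preventive gate (`admit`), which is how the "preventive security posture" described above is meant to work: an image that has no compliance record, or that carries a finding at the policy threshold, never reaches the cluster in the first place.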