Description

Know your software supply chain

GUAC projects give you directed, actionable insights into the security of your software supply chain.

    GUAC projects

    Core projects

    GUAC

    GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.

    Trustify

    The Trustify project is a collection of software components that enables you to store and retrieve Software Bill of Materials (SBOMs), and advisory documents. Developers can use this information to learn about common security vulnerabilities and dependency changes within their software supply chain.

    Additional projects

    For all repositories, see the guacsec GitHub organization.

    GUAC is an OpenSSF Incubating Project!

    The Graph for Understanding Artifact Composition (GUAC) maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project in the Supply Chain Integrity Working Group.

    Learn More

    In Open Source collaboration with

    Google

    Kusari

    Red Hat

    Purdue University
    Citi

    and many open source contributors...