Know your software supply chain

GUAC gives you directed, actionable insights into the security of your software supply chain.

Find out more Now in Beta!

    The current problem with software supply chain security

    Software supply chain attacks are on the rise and it’s hard to know what your software is at risk for and how to protect it. Many tools are available to help you generate Software Bills of Materials (SBOMs), signed attestations, and vulnerability reports, but they stop there, leaving you to figure out how they all fit together.

    Our Vision

    GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.

    GUAC Beta is now open!

    In the Beta, you can run GUAC internally in your organization to take active steps to manage risk. Currently, you can query SLSA provenance, SBOMs, and OpenSSF Scorecards. In the future, GUAC aims to run as a public service where high-fidelity supply chain security metadata can be attained for every software ecosystem.

    Check out Beta

    In Open Source collaboration with



    What does GUAC do?

    Establishes connections between your software catalog

    Unveils gaps in the software supply chain data using other data sources

    Identifies threats in your supply chain and provides a path to remediation

    How GUAC can help you

    These are just a few examples of insights that GUAC can give you to improve your software security posture


  • Find the most used critical components in a software supply chain ecosystem
  • Find weaknesses in overall security posture
  • Prevent supply chain compromises before they happen
  • Find exposures to risky dependencies
  • Operational

  • Look for evidence that the application you're about to deploy meets your organization's policies
  • Track if all binaries in production trace back to a securely managed repository
  • Reactive

  • Find which parts of your organization's inventory are affected by a new vulnerability
  • Track a suspicious project lifecycle event back to the risk that was introduced into your organization
  • Learn how an open source project deprecation affects you
  • What people are saying about GUAC!

    Hear what our community and partners have to say about GUAC!

    With the growing number of software supply chain security (SSCS) data, tools that allow us to find relevant information are crucial. Guac, providing graph representation of software packages, dependencies, vulnerabilities, attestations, etc. is a great tool for use cases in this domain. With mechanisms to ingest and certify data from various sources and GraphQL API to later query those data, we see it as a good foundation for our current and future SSCS efforts. Being a true open source initiative with a welcoming community is just a plus.
    Dejan Bosanac
    Engineer at Red Hat
    At Yahoo, we have found immense value and significant efficiency by utilizing the open source project GUAC. GUAC has allowed us to streamline our processes and increase efficiency in a way that was not possible before. It allows us to ingest large number of SBOMs and also provides an interface to visualize the current state of images & packages used at Yahoo in real time. We look forward to continuing to utilize GUAC and contribute to its growth in any way we can.
    Hemil Kadakia
    Sr. Mgr. Software Dev Engineering, Paranoids, Yahoo.
    As the CTO of ClearAlpha, I can't recommend GUAC enough for companies looking to boost their software security. GUAC's innovative approach to software supply chain security helps uncover hidden gaps and threats as we’re downloading dependencies and building apps, making it a perfect fit for our “solve it earlier” mindset at ClearAlpha. It also lines up with our commitment to transparency, open-source principles, and continuous learning. GUAC works well in teams practicing the rugged software manifesto, focusing on strong coding practices, constant testing, and automated tools to enhance security. Plus, its ability to trace risks back to their source aligns with our proactive risk awareness goals, enabling companies to spot and tackle potential issues early on. GUAC is just a fantastic tool to help any organization improve their software security with principles we all should value. If you're a tech founder, you'll definitely want to have GUAC on your team!
    Sean Terretta
    CTO at ClearAlpha
    GUAC came along as an open-source software at the right time helping us pivot away from building a bespoke solution and involving ourselves with the best minds behind the project. The value we see with GUAC is its flexibility and plugin architecture leading up to helping the users achieve compliance at different levels. The biggest benefit of GUAC has been producing it in the open with a widespread community behind it, from Google to Kusari and others. As the industry progresses, the threats to the software supply chain will become more complex, and relying on a tool backed by people with many years of experience in the area would make things easier for Guidewire to consume.
    Anoop Gopalakrishnan
    Vice President Of Engineering at Guidewire Software

    What's next?

    Learn more about GUAC

    Github Demos