Ending GUAC community meetings
Ben Cotton
09 Jul 2025
With the recent release of GUAC 1.0, the GUAC Maintainers have decided this is a good time to end the monthly community meetings.
When the project started, the monthly community meetings were the main venue for people interested in GUAC to have high-bandwidth discussion. Users and contributed shared use cases, discussed design ideas, and sought help with using pre-1.0 GUAC.
Since the weekly maintainer meetings became public last year, we’ve seen a lot of community members join. This seems to have come at the expense of topics and attendance for the community meeting. It makes sense that if people have something to discuss, they’d rather do it at the next weekly meeting than to wait weeks for the next community meeting. To us, that’s a success.
The weekly maintainer meetings are staying put. If you have something you want to discuss, you’re always welcome to join on Mondays or ask in the #guac channel on the OpenSSF Slack. See the community page for details. Notes from past community meetings will remain available on GitHub and the recordings are on the GUAC YouTube channel.
GUAC Update: June 2025
Ben Cotton
04 Jul 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
The big news, of course, is that we released GUAC 1.0! This represents contributions from over 400 people representing more than 90 organizations including Kusari, Google, Purdue University, Microsoft, and Red Hat. Download GUAC v1.0 to get started!
Community
New contributors
- Gagan H R fixed an issue in GUAC Visualizer that prevented us from moving to Next 15+. (guac-visualizer#140)
- Ritesh Udgata contributed REST API documentation to the GUAC docs. (guac-docs#164)
- Emmanuel Ferdman fixed a CI warning in GUAC. (guac#2688)
Events
Several members of the GUAC community presented at Open Source Summit North America in Denver:
- Mihai Maruseac was part of a panel “Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption”
- Brandt Keller presented “Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery” at OpenSSF Community Day
- Mihai Maruseac presented “Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle” at OpenSSF Community Day
Coming up
Some members of the GUAC community will be presenting at Open Source Summit and OpenSSF Community Day Europe in Amsterdam at the end of August. A detailed listing will be in next month’s GUAC update.
In addition, we’re working to finalize the legal necessities for welcoming the Trustify project under the GUAC umbrella. Stay tuned for details.
In the meantime, be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.
Tags: guac-update | community | events
GUAC v1.0 released
GUAC Maintainers
12 Jun 2025
Big news in supply chain security: GUAC v1.0 is now available! Started by Kusari, Google, and Purdue University, GUAC has contributions from over 400 people representing more than 90 organizations including Microsoft and Red Hat. GUAC v1.0 brings several bug fixes since the v0.14.0 release, but is primarily a marker of what’s considered stable.
What’s stable
Users can rely on the behavior of the elements listed blow not changing in an incompatible way. Future releases in the version 1 series may add support for new features so long as those changes don’t break existing stable workflows. Compatibility-breaking changes to stable elements will go into a future release series (e.g. version 2).
- GraphQL API
- Parsers for CSAF, OpenVEX, CycloneDX, DSSE, Intoto ITE6, SPDX, and OpenSSF Scorecard
- Ingestion using Azure Blog Storage, Google Cloud Storage, Amazon S3, Memblob,and regular file system blobs
- Ingestion-time enrichment from OSV, ClearlyDefined, and Deps.Dev
- Certifiers for OSV and ClearlyDefined
- The filesystem collector
- Ent of Postgresql for persistent storage
Other features remain available in GUAC, such as the OCI collector and end-of-life certifier, but they are considered experimental. Experimental features are subject to compatibility-breaking changes within the version 1 release series.
Who GUAC 1.0 is for
GUAC v1.0 is for developers and platform engineering teams who:
- Have tens to thousands of SBOMs
- Need an extensible, powerful storage and enrichment tool for building a software supply chain solution
- Are comfortable self-hosting infrastructure
- Are comfortable writing queries against GraphQL APIs
Join us
GUAC v1.0 is only the beginning! If you’re interesting in joining our community or contributing, we’d love to have you run GUAC, explore the ontology, and give us feedback on the problems GUAC solves (and doesn’t solve) for you.
Tags: releases
June 2025 Community Meeting
Ben Cotton
11 Jun 2025
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the June Community Meeting.
Topics include:
- Contributor ladder climbs
- GUAC 1.0 release
- Plus your topics!
Even though, as of this writing, GUAC 1.0 isn’t quite out the door, we’re close. So bring some guacamole and chips and let’s all come together to celebrate this huge milestone!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: May 2025
Ben Cotton
06 Jun 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
We’re putting the final touches on the GUAC 1.0 release.
As part of that, the Helm charts developed by Kusari are now in the guacsec organization.
The CNCF is looking at using GUAC to gain insights into the software supply chain across its wide portfolio of projects. We’re excited to work with them on this.
Community
New contributors
- Maximilian Combüchen fixed handling of empty package namespaces in GUAC Visualizer.
Events
Several members of the GUAC community will be presenting at Open Source Summit North America in Denver:
- Mihai Maruseac will be part of a panel “Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption”
- Brandt Keller will present “Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery]” at OpenSSF Community Day
- Mihai Maruseac will present “Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle” at OpenSSF Community Day
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
GUAC Helm charts moved
Ben Cotton
30 May 2025
The GUAC Helm charts are now under the guacsec organization on GitHub. You can find the Helm charts in https://github.com/guacsec/helm-charts.
If you have previously deployed GUAC using the Helm charts when they were hosted in the kusaridev organization, you will need to change any reference from the old location (kusaridev/helm-charts) to the new location (guacsec/helm-charts).
Consult the documentation for your tooling for specific instructions.
The GUAC Docs have all been updated with the new location. If you see anything incorrect in the docs, please open an issue.
Community Meetings rescheduled
Ben Cotton
14 May 2025
The GUAC Community Meeting for Thursday 15 May is cancelled. Since the June Community Meeting would fall on the U.S. Juneteenth holiday, the June Community Meeting will happen a week early: Thursday 12 June. See the OpenSSF Calendar for details.
GUAC Update: April 2025
Ben Cotton
02 May 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
We’re putting the final touches on the GUAC 1.0 release. Plus, we’re working on merging with the Trustify project to create a unified effort to address the challenges of consuming, processing, and utilizing supply chain security metadata at scale. Stay tuned for updates.
Community
New contributors
- Brian Demers fixed the download links for Apple silicon in the Docs.
Events
Ben Cotton presented How to Use The Open Source Project Security Baseline to Better Navigate Standards & Regulations as an OpenSSF Tech Talk on 24 April.
Several members of the GUAC community will be presenting at Open Source Summit North America in Denver:
- Mihai Maruseac will be part of a panel “Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption”
- Brandt Keller will present “[Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery(https://openssfcdna2025.sched.com/event/1zhnb)]” at OpenSSF Community Day
- Mihai Maruseac will present “Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle” at OpenSSF Community Day
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
April 2025 Community Meeting
Ben Cotton
16 Apr 2025
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the March Community Meeting.
Topics include:
- Contributor ladder climbs
- Kubescape collector added in v0.14.0
- GUAC 1.0 technical overview and feedback
- GUAC & Trustification community discussion
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: March 2025
Ben Cotton
04 Apr 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Releases
GUAC v0.14.0 was released. It adds a Kubescape colletor for run-time SBOMs.
Community
New contributors
Ladder climbs
- Ben Cotton was made a Reviewer for the Front-end area.
Events
Several members of the GUAC community spoke at KubeCon EU in London:
- Michael Lieberman presented a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
- Jeff Mendoza presented a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
- Michael Lieberman presented a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
Ben Cotton will be presenting How to Use The Open Source Project Security Baseline to Better Navigate Standards & Regulations as an OpenSSF Tech Talk on 24 April.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events