GUAC v0.14.0 released
GUAC Maintainers
24 Mar 2025
GUAC v0.14.0 is now available. This release adds:
- Kubescape collector
  - See the accompanying blog post
- Improvements to the ClearlyDefined certifier
  - Retry failed requests for more error codes
  - Improve Go package name translation
- Endpoint changes to the REST API
  - Dependency search queries are now under the versioned “/v0/…” path
- Improvements to the End of Life certifier logic
  - Purl parsing now uses standard helper methods, and the check for whether a node has EOL data is more specific, to mitigate false positives
- Connect equivalent nodes representing container images with an IsOccurrence node.
The v0.14.0 release page has full details of this release. If you’re interested in joining our community or contributing, we’d love to have you be a part of the next release.
Tags: releases
GUAC now supports runtime Kubernetes SBOMs using Kubescape
Jeff Mendoza, Ben Hirschberg
24 Mar 2025
With the release of GUAC v0.14.0, GUAC includes a Kubescape collector that can be run inside your Kubernetes cluster to watch for new scan results from Kubescape and ingest those results into the GUAC supply chain graph.
Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.
When Kubescape is installed as an Operator in your Kubernetes cluster, it can continuously scan all running containers for contents and vulnerabilities. These scan results can be accessed as Kubernetes API server custom resources. Additionally, Kubescape can filter the SBOM scan results by relevancy, based on eBPF observation.
With GUAC being the prime system resource for collating and correlating data from across your supply chain, it only made sense to enable GUAC to incorporate these Kubescape results. GUAC’s new ability to analyze both build-time and run-time SBOMs in a single GraphQL API enables exciting new insights. We will explore some of those in our KubeCon EU session “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC”. Please join us there or look out for the recording.
Tags: community | events | guac-does-that
March 2025 Community Meeting
Ben Cotton
19 Mar 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the March Community Meeting.
Topics include:
- More discussion of a GUAC 2.0 architecture
- Upcoming conferences
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: February 2025
Ben Cotton
07 Mar 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
It’s been a relatively quiet month, but we have a few interesting things brewing. Ria Farrell Schalnat spoke at the Community Meeting about how she used GUAC and ClearlyDefined to improve license compliance. The maintainers continue to discuss plans for a new architecture. And we’re looking forward to evaluating GUAC against the newly-released Open Source Project Security Baseline.
Events
- Ben Cotton will attend DevOpsDays Chicago on March 18.
- KubeCon Europe (1-4 April in London)
  - Michael Lieberman is presenting a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
  - Jeff Mendoza is presenting a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
  - Michael Lieberman is presenting a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
  - Plus you can stop by the Kusari booth S482 for some GUAC stickers.
  - Join Kusari and friends for the DevSec on the Rocks party.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
February 2025 Community Meeting
Ben Cotton
19 Feb 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the February Community Meeting.
Topics include:
- Major releases since the last meeting
- FOSDEM recap
- Ria Farrell Schalnat’s license compliance use case
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: January 2025
Ben Cotton
07 Feb 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Releases
We had a handful of GUAC releases in January. The highlight is
Events
Several members of the GUAC community spoke at FOSDEM in Brussels:
- Brandon Lum and Marco Deicas presented A retrospective on Google’s SBOM implementation
- Jeff Mendoza and Qing Tomlinson presented Discover Dependency License Information Using SBOMs and ClearlyDefined
- Michael Lieberman presented The Breadth and Depth of SBOMs
And we have some events coming up as well:
- Ben Cotton will attend DevOpsDays Chicago on March 18.
- KubeCon Europe (1-4 April in London)
  - Michael Lieberman is presenting a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
  - Jeff Mendoza is presenting a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
  - Michael Lieberman is presenting a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
  - Plus you can stop by the Kusari booth S482 for some GUAC stickers.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
GUAC's 2024 in review
Ben Cotton
31 Jan 2025
2024 was a big year for GUAC, from becoming an OpenSSF incubating project in March to mentions in three KubeCon NA keynotes in November. What happened in between?
Community
The community is the lifeblood of any open source project, and GUAC is no different. 33 people attended at least one of the monthly community meetings. We also saw a 23% increase in members of the #GUAC channel on the OpenSSF Slack.
GUAC welcomed many new contributors in 2024. According to Cauldron.io data, new contributors represented 62% of commit authors, 66% of issue authors, and 55% of issue authors. Several of those new contributors have advanced up the contributor ladder, along with contributors who were here before:
- Dejan Bosanac was granted Reviewer status for the Backend area.
- Marco Rizzi was granted Owner status for the Backend area.
- Robbie Cronin was granted Reviewer status for the CLI and Collectors areas.
- Nathan Naveen was granted Reviewer status for the CLI area.
- Ben Cotton was granted Owner status for the Website and Docs areas.
Not only did we grow the community in 2024, we also grew our community infrastructure and communication. The weekly maintainer meetings are now public, with recordings on YouTube and notes in the governance repo. The monthly community calls are now also posted to YouTube with notes in the governance repo.
In order to better share news with the broader community, we started publishing monthly GUAC update blog posts and now our first year-in-review post.
Development and releases
Development work was pretty steady for most of the year, with a big increase at the end of the year. This was due to new contributors as well as new interest driven by the KubeCon keynote mentions.
With all of the new interest, we saw a corresponding increase in issues opened. Fortunately, we were still able to close issues faster than in the earlier part of the year.
We had, by my count, 23 releases of GUAC in 2024, starting with GUAC v0.4.0 and ending with v0.12.3. Along the way, we added a bunch of new features:
- A key-value backend used for demos and testing
- A REST API
- Metrics publication via Prometheus (OpenTelemetry support was added in early 2025)
- Persistent storage via Ent and PostgreSQL
- A ClearlyDefined certifier to add license information
- A certifier for endoflife.date to add support period information
- A collector for OCI container registries
Of course, we’ve also done a significant number of performance improvements and bug fixes.
The GUAC Visualizer also had two releases. These added an information pane to see more data about the selected package. We also reduced the container image size significantly.
Forward to 2025
We start 2025 looking at final items for a 1.0 release. Discussions are underway for a new architecture that will allow GUAC to provide easier answers to the basic questions while still being powerful enough for deeper analysis. We hope to see you around the community (/community/).
Tags: guac-update | community
GUAC v0.13.0 released
GUAC Maintainers
17 Jan 2025
GUAC v0.13.0 is now available.
This release adds support for optionally sending OpenTelemetry metrics.
When using the --enable-otel command line switch, the following will publish to a user-specified OpenTelemetry server:
- HTTP GQL server in guacgql
- SQL library underneath the Ent/Postgres backend
- HTTP client for: OSV, ClearlyDefined, GitHub, endoflife.date
- GRPC client for Deps.dev
In addition, this release fixes two bugs related to missing flags in command line tools:
The v0.13.0 release page has full details of this release. If you’re interested in joining our community or contributing, we’d love to have you be a part of the next release.
Tags: releases
January 2025 Community Meeting
Ben Cotton
15 Jan 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the January Community Meeting.
Topics include:
- What to do about 1.0? What should go in it? Should we jump directly to the refactor? We’ll have an update on the conversations about a new architecture for GUAC.
- A look at the pending DataDog certifier (PR #2366)
- Ideas for a 2024 year-in-review post
- Recognition of contributors who advanced up the contributor ladder
- Major releases since the last meeting
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: December 2024
Ben Cotton
10 Jan 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you’re a regular reader, you may have noticed a change in the naming convention: GUAC Update posts are now (and retroactively) titled based on the month they’re about, not the month they publish. We had some feedback that the old pattern was confusing, so this will hopefully make it more clear. If you have other feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Contributor ladder climbs
The GUAC Maintainers approved several advancements up the contributor ladder in recognition of the hard work done by our community members:
- Robbie Cronin was granted Reviewer status for the CLI and Collectors areas.
- Nathan Naveen was granted Reviewer status for the CLI area.
- Ben Cotton was granted Owner status for the Docs area.
Thanks to these contributors and everyone else who participates in the GUAC community.
Releases
We closed the year strong in GUAC, with several releases. The highlight is GUAC v0.12.0, which added a certifier that records end-of-life information from endoflife.date and a collector for OCI container registries. In addition, the GUAC Visualizer has a much smaller container image and also displays the version of GUAC it is connected to.
Events
Several members of the GUAC community will be speaking at FOSDEM in Brussels:
- Brandon Lum and Marco Deicas will present A retrospective on Google’s SBOM implementation
- Jeff Mendoza and Qing Tomlinson will present Discover Dependency License Information Using SBOMs and ClearlyDefined
- Michael Lieberman will present The Breadth and Depth of SBOMs
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events