Community Meetings rescheduled
Ben Cotton
14 May 2025
The GUAC Community Meeting for Thursday 15 May is cancelled. Since the June Community Meeting would fall on the U.S. Juneteenth holiday, the June Community Meeting will happen a week early: Thursday 12 June. See the OpenSSF Calendar for details.
GUAC Update: April 2025
Ben Cotton
02 May 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
We’re putting the final touches on the GUAC 1.0 release. Plus, we’re working on merging with the Trustify project to create a unified effort to address the challenges of consuming, processing, and utilizing supply chain security metadata at scale. Stay tuned for updates.
Community
New contributors
- Brian Demers fixed the download links for Apple silicon in the Docs.
Events
Ben Cotton presented How to Use The Open Source Project Security Baseline to Better Navigate Standards & Regulations as an OpenSSF Tech Talk on 24 April.
Several members of the GUAC community will be presenting at Open Source Summit North America in Denver:
- Mihai Maruseac will be part of a panel “Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption”
- Brandt Keller will present “[Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery(https://openssfcdna2025.sched.com/event/1zhnb)]” at OpenSSF Community Day
- Mihai Maruseac will present “Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle” at OpenSSF Community Day
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
April 2025 Community Meeting
Ben Cotton
16 Apr 2025
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the March Community Meeting.
Topics include:
- Contributor ladder climbs
- Kubescape collector added in v0.14.0
- GUAC 1.0 technical overview and feedback
- GUAC & Trustification community discussion
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: March 2025
Ben Cotton
04 Apr 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Releases
GUAC v0.14.0 was released. It adds a Kubescape colletor for run-time SBOMs.
Community
New contributors
Ladder climbs
- Ben Cotton was made a Reviewer for the Front-end area.
Events
Several members of the GUAC community spoke at KubeCon EU in London:
- Michael Lieberman presented a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
- Jeff Mendoza presented a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
- Michael Lieberman presented a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
Ben Cotton will be presenting How to Use The Open Source Project Security Baseline to Better Navigate Standards & Regulations as an OpenSSF Tech Talk on 24 April.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
GUAC v0.14.0 released
GUAC Maintainers
24 Mar 2025
GUAC v0.14.0 is now available. This release adds:
- Kubescape collector
- See the accompanying blog post
- Improvements to the ClearlyDefined certifier
- Retry failed requests for more error codes
- Improve Go package name translation
- Endpoint changes to REST API
- Dependency search queries are now under the versioned “/v0/…” path
- Improvements to the End of Life certifier logic
- The parsing of purls now uses standard helper methods and the check for whether a node has EOL data is now more specific to mitigate false positives
- Connect equivalent nodes representing container images with an IsOccurrence node.
The v0.14.0 release page has full details of this release. If you’re interesting in joining our community or contributing, we’d love to have you be a part of the next release.
Tags: releases
GUAC now supports runtime Kubernetes SBOMs using Kubescape
Jeff Mendoza, Ben Hirschberg
24 Mar 2025
With the release of GUAC v0.14.0, GUAC includes a Kubescape collector that can be run inside your Kubernetes cluster to watch for new scan results from Kubescape and ingest those results into the GUAC supply chain graph.
Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.
When Kubescape is installed as an Operator in your Kubernetes cluster, it can continuously scan all running containers for contents and vulnerabilities. These scan results can be accessed as Kubernetes API server custom resources. Additionally, Kubescape can filter the SBOM scan results based on relevancy based on eBPF observation.
With GUAC being the prime system resource for collating and correlating data from across your supply chain, it only made sense to enable GUAC to incorporate these Kubescape results. GUAC’s new ability to analyze both build-time and run-time SBOMs in a single GraphQL API enables exciting new insights. We will explore some of those in our Kubecon EU session “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC”. Please join us there or look out for the recording.
Tags: community | events | guac-does-that
March 2025 Community Meeting
Ben Cotton
19 Mar 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the March Community Meeting.
Topics include:
- More discussion of a GUAC 2.0 architecture
- Upcoming conferences
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: February 2025
Ben Cotton
07 Mar 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
It’s been a relatively quiet month, but we have a few interesting things brewing. Ria Farrell Schalnat spoke at the Community Meeting about how she used GUAC and ClearlyDefined to improve license compliance. The maintainers continue to discuss plans for a new architecture. And we’re looking forward to evaluating GUAC against the newly-released Open Source Project Security Baseline.
Events
- Ben Cotton will attend DevOpsDays Chicago on March 18.
- KubeCon Europe (1-4 April in London)
- Michael Lieberman is presenting a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
- Jeff Mendoza is presenting a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
- Michael Lieberman is presenting a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
- Plus you can stop by the Kusari booth S482 for some GUAC stickers.
- Join Kusari and friends for the DevSec on the Rocks party.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
February 2025 Community Meeting
Ben Cotton
19 Feb 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the February Community Meeting.
Topics include:
- Major releases since the last meeting
- FOSDEM recap
- Ria Farrell Schalnat’s license compliance use case
- Plus your topics!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: January 2025
Ben Cotton
07 Feb 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Releases
We had a handful of GUAC releases in January. The highlight is
Events
Several members of the GUAC community spoke at FOSDEM in Brussels:
- Brandon Lum and Marco Deicas presented A retrospective on Google’s SBOM implementation
- Jeff Mendoza and Qing Tomlinson presented Discover Dependency License Information Using SBOMs and ClearlyDefined
- Michael Lieberman presented The Breadth and Depth of SBOMs
And we have some events coming up as well:
- Ben Cotton will attend DevOpsDays Chicago on March 18.
- KubeCon Europe (1-4 April in London)
- Michael Lieberman is presenting a keynote “Cutting Through The Fog: Clarifying CRA Compliance in Cloud Native” with Eddie Knight
- Jeff Mendoza is presenting a talk “Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC” with Ben Hirschberg
- Michael Lieberman is presenting a talk “Bridging Supply Chain Policy with Git-less GitOps and GUAC” with Andrew Martin.
- Plus you can stop by the Kusari booth S482 for some GUAC stickers.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events