Big news in supply chain security: GUAC v1.0 is now available! Started by Kusari, Google, and Purdue University, GUAC has contributions from over 400 people representing more than 90 organizations including Microsoft and Red Hat. GUAC v1.0 brings several bug fixes since the v0.14.0 release, but is primarily a marker of what’s considered stable.
What’s stable
Users can rely on the behavior of the elements listed blow not changing in an incompatible way. Future releases in the version 1 series may add support for new features so long as those changes don’t break existing stable workflows. Compatibility-breaking changes to stable elements will go into a future release series (e.g. version 2).
- GraphQL API
- Parsers for CSAF, OpenVEX, CycloneDX, DSSE, Intoto ITE6, SPDX, and OpenSSF Scorecard
- Ingestion using Azure Blog Storage, Google Cloud Storage, Amazon S3, Memblob,and regular file system blobs
- Ingestion-time enrichment from OSV, ClearlyDefined, and Deps.Dev
- Certifiers for OSV and ClearlyDefined
- The filesystem collector
- Ent of Postgresql for persistent storage
Other features remain available in GUAC, such as the OCI collector and end-of-life certifier, but they are considered experimental. Experimental features are subject to compatibility-breaking changes within the version 1 release series.
Who GUAC 1.0 is for
GUAC v1.0 is for developers and platform engineering teams who:
- Have tens to thousands of SBOMs
- Need an extensible, powerful storage and enrichment tool for building a software supply chain solution
- Are comfortable self-hosting infrastructure
- Are comfortable writing queries against GraphQL APIs
Join us
GUAC v1.0 is only the beginning! If you’re interesting in joining our community or contributing, we’d love to have you run GUAC, explore the ontology, and give us feedback on the problems GUAC solves (and doesn’t solve) for you.