Google has teamed up with the likes of IBM, Red Hat and JFrog to launch a new open source initiative aimed at defining a uniform way for auditing and governing software supply chains.
The new application processing interface (API), named Grafeas – or ‘scribe’ in Greek, provides users with a central source of information for tracking and enforcing policies across sets of software development teams and pipelines.
The open source project was a joint effort between Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS, with Google saying it built Grafeas to promote cross-vendor collaboration and compatibility.
“At each stage of the software supply chain (code, build, test, deploy and operate), different tools generate metadata about various software components,” Google said in a blog post.
“Examples include the identity of the developer, when the code was checked in and built, what vulnerabilities were detected, what tests were passed or failed, and so on. This metadata is then captured by Grafeas.”
According to Google, the API can provide visibility for software development, test and operations teams, as well as CIOs.
Build, auditing and compliance tools can use the Grafeas API to store, query and retrieve comprehensive metadata on software components of all kinds, according to Google.
“Grafeas offers a central, structured knowledge-base of the critical metadata organisations need to successfully manage their software supply chains,” Google said.
“It reflects best practices Google has learned building internal security and governance solutions across millions of releases and billions of containers.”
As part of Grafeas, Google is also introducing Kritis, a Kubernetes policy engine that is designed to help users enforce more secure software supply chain policies.
Kritis is aimed at facilitating real-time enforcement of container properties at deploy time for Kubernetes clusters based on attestations of container image properties.
“Grafeas and Kritis actually help us achieve better security while letting developers focus on their code. We look forward to more companies integrating with the Grafeas and Kritis projects,” Shopify senior security engineer, Jonathan Pulsifer, said.
