Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

Open source supply chain observability tool standardizes on PostgreSQL

Jeff Mendoza

Dejan Bosanac

May 6, 2024

The GUAC community is thrilled to announce – GUAC is persistent! Following a year-long effort of significant collaboration and development, GUAC has standardized on and fully supports the popular open source database system, PostgreSQL, for its persistent backend storage.

GUAC is an innovative Open Source Security Foundation (OpenSSF) Incubating Project. It empowers organizations to identify and mitigate potential risks posed by zero-day vulnerabilities and yet-to-be-released threats. As a software supply chain observability tool, GUAC ingests software security metadata, including software bills of materials (SBOMs), SLSA attestations, vulnerability reports, VEX statements, OpenSSF Scorecards, and more. That information now is stored in a persistent graph database, which you query to get rapid information about your software in a consolidated and precise view.

PostgreSQL support is a critical step for GUAC, enabling the project to store and map software supply chain data to better meet the needs of enterprise users. With PostgreSQL, GUAC can keep software supply chain security, integrations, and plug-ins data intact. The choice of PostgreSQL aligns with earlier GUAC community decisions to use top open source components, like the GraphQL query language. The existing ephemeral reference implementations will be maintained for demo usage. 

Getting Started

Shipping with GUAC release v0.6.0 are several companion elements to help with setup and deployment, including:

Please give the new setup guide a try! We’d love to hear feedback in the #guac channel on the OpenSSF Slack or on GitHub issues.

Community Shout Outs

We are thankful to many community teams for their support and commitment in developing release v0.6.0, including:

  • Those that researched and explored numerous persistent backend options, helping us arrive at a final standardization decision
  • The additional contributors and reviewers who spent their time working on this release
  • The entire Entity Framework for Go project - your library was easy to use and work with; it saved us a ton of time   

For significant individual achievements, we thank GUAC community members:

The GUAC project community is excited to reach this important milestone and continue adding capabilities toward a v1.0 release. We’d love to have you join us. See the Contributor Guide for how to get started, and register for an upcoming program below.

Additional Resources:

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts


No older posts


No newer posts

Want to have a conversation about your software supply chain?

We’d love to hear from you.  Get in touch and we'll get back to you.

Say Hello
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.