Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

The GUAC community is thrilled to announce – GUAC is persistent! Following a year-long effort of significant collaboration and development, GUAC has standardized on and fully supports the popular open source database system, PostgreSQL, for its persistent backend storage.

‍

GUAC is an innovative Open Source Security Foundation (OpenSSF) Incubating Project. It empowers organizations to identify and mitigate potential risks posed by zero-day vulnerabilities and yet-to-be-released threats. As a software supply chain observability tool, GUAC ingests software security metadata, including software bills of materials (SBOMs), SLSA attestations, vulnerability reports, VEX statements, OpenSSF Scorecards, and more. That information now is stored in a persistent graph database, which you query to get rapid information about your software in a consolidated and precise view.

‍

PostgreSQL support is a critical step for GUAC, enabling the project to store and map software supply chain data to better meet the needs of enterprise users. With PostgreSQL, GUAC can keep software supply chain security, integrations, and plug-ins data intact. The choice of PostgreSQL aligns with earlier GUAC community decisions to use top open source components, like the GraphQL query language. The existing ephemeral reference implementations will be maintained for demo usage. 

‍

Getting Started

Shipping with GUAC release v0.6.0 are several companion elements to help with setup and deployment, including:

‍

• Complete PostgreSQL support
• A new Setup guide
• A docker-compose.yaml including all the persistent components
• Helm chart

‍

Please give the new setup guide a try! We’d love to hear feedback in the #guac channel on the OpenSSF Slack or on GitHub issues.

‍

Community Shout Outs

We are thankful to many community teams for their support and commitment in developing release v0.6.0, including:

‍

• Those that researched and explored numerous persistent backend options, helping us arrive at a final standardization decision
• The additional contributors and reviewers who spent their time working on this release
• The entire Entity Framework for Go project - your library was easy to use and work with; it saved us a ton of time   

‍

For significant individual achievements, we thank GUAC community members:

‍

• Ivan Vanderbyl - for initiating the first PR and nodes implementations 
• Marco Rizzi - your incredible marathon of contributions are the foundation of this release
• Parth Patel - we appreciate your hard work and determination in the final sprint

‍

The GUAC project community is excited to reach this important milestone and continue adding capabilities toward a v1.0 release. We’d love to have you join us. See the Contributor Guide for how to get started, and register for an upcoming program below.

‍

Additional Resources:

• May 16 | 10am Pacific, 1pm Eastern - GUAC Community Meeting
• June 6 | 10am Pacific, 1pm Eastern - Proactive Supply Chain Security with GUAC 
• June 11 | 9am Pacific, 12pm Eastern - GUAC 101: Dip into the Delicious World of Software Supply Chain Security 

‍