GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

Tim Miller

May 23, 2023

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition. This open-source tool, created in partnership with Google and with valuable input from Purdue University and Citi, is set to change the game in software supply chain analysis.

GUAC’s mission is simple: to be the source of truth for what’s going on in your supply chain. GUAC accomplishes this by ingesting and analyzing software supply chain metadata from a myriad of internal and external sources and multiple common metadata document types. A key part of this process involves taking in Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It transforms them into data nodes and relationships, providing insights into software and its dependencies. GUAC can also ingest and transform SLSA attestations into their constituent facts, offering crucial information about the provenance and integrity of software components.

Flexible and extensible, GUAC can ingest data from local file systems, AWS S3 buckets, Google Cloud Buckets, and external package repositories like GitHub Releases. It even embraces additional metadata from sources like the and OSV APIs. These integrations are just the tip of the iceberg and we are working to integrate with even more data sources and feeds. GUAC’s built-in GraphQL API is a key feature, supporting both document ingestion and data querying. This makes GUAC an effective tool for managing third-party risks and incident responses and allows for seamless integration with your existing tools.

We at Kusari are immensely proud of co-leading the design, architecture, and development of GUAC. We’re eager to share this tool with the broader tech community and are excited to see how it can revolutionize the way we understand and manage software supply chains.

We’re inviting all contributors, end users, and organizations to explore GUAC and join our growing community. We’re particularly interested in hearing from end users with unique use cases. In addition, we’re reaching out to organizations interested in discovering more about the support and products we’re developing around GUAC.

To dive into GUAC, visit the official site at, the docs at, or the source code repository at ( Give us a star while you’re there! ).

Stay tuned in the coming weeks for additional updates on GUAC, including some announcements of additional GUAC-related tooling for ease of operation and integration!

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts


No older posts


No newer posts

Want to have a conversation about your software supply chain?

We’d love to hear from you.  Get in touch and we'll get back to you.

Say Hello
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.