GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition. This open-source tool, created in partnership with Google and with valuable input from Purdue University and Citi, is set to change the game in software supply chain analysis.

GUAC’s mission is simple: to be the source of truth for what’s going on in your supply chain. GUAC accomplishes this by ingesting and analyzing software supply chain metadata from a myriad of internal and external sources and multiple common metadata document types. A key part of this process involves taking in Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It transforms them into data nodes and relationships, providing insights into software and its dependencies. GUAC can also ingest and transform SLSA attestations into their constituent facts, offering crucial information about the provenance and integrity of software components.

Flexible and extensible, GUAC can ingest data from local file systems, AWS S3 buckets, Google Cloud Buckets, and external package repositories like GitHub Releases. It even embraces additional metadata from sources like the deps.dev and OSV APIs. These integrations are just the tip of the iceberg and we are working to integrate with even more data sources and feeds. GUAC’s built-in GraphQL API is a key feature, supporting both document ingestion and data querying. This makes GUAC an effective tool for managing third-party risks and incident responses and allows for seamless integration with your existing tools.

We at Kusari are immensely proud of co-leading the design, architecture, and development of GUAC. We’re eager to share this tool with the broader tech community and are excited to see how it can revolutionize the way we understand and manage software supply chains.

We’re inviting all contributors, end users, and organizations to explore GUAC and join our growing community. We’re particularly interested in hearing from end users with unique use cases. In addition, we’re reaching out to organizations interested in discovering more about the support and products we’re developing around GUAC.

To dive into GUAC, visit the official site at https://guac.sh, the docs at https://docs.guac.sh, or the source code repository at https://github.com/guacsec/guac ( Give us a star while you’re there! ).

Stay tuned in the coming weeks for additional updates on GUAC, including some announcements of additional GUAC-related tooling for ease of operation and integration!

‍