Software Supply Chain Security
With the rise of software supply chain attacks, and with the US Executive Order on cybersecurity, the follow-on government memo, and most recently the Securing Open Source Software Act of 2022 bill, there has been a strong signal to organizations and the open source community to start producing secure, trustworthy artifacts whose provenance is known. Kusari and the open source communities within the Linux Foundation have rallied together to address this with tools such as FRSCA (a secure builder) and GUAC (a knowledge graph).
FRSCA (Factory for Repeatable Secure Creation of Artifacts) is a simple-to-install solution that helps secure the supply chain by providing secure build pipelines. It also provides abstractions and definitions with security guardrails, so that every build that goes through the factory follows supply chain security best practices. Those guardrails only cover what is built through the factory, so the practical check on the consuming side is that no production artifact is built or published outside the pipeline.
GUAC (Graph for Understanding Artifact Composition) leverages supply chain metadata (such as SBOMs and attestations) to give deeper visibility into the software supply chain: which artifacts a security issue reaches (its blast radius), and how to remediate its root cause rather than each symptom. Learn more in our blog article as we build this out in the open.
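The blast-radius idea above, shown as an added example in Python that is not GUAC's code or its query API: a handful of constructed SBOM-style dependency records (artifact -> direct dependencies, using purl-style names that are placeholders, not real packages) and a constructed vulnerability record with a placeholder ID are loaded into a graph, the dependency edges are inverted, and a breadth-first walk from the vulnerable package yields every artifact that transitively depends on it together with the path back to it. The path tells you which direct dependency to bump in each affected artifact, which is the root-cause view rather than a flat list of hits. The `pkg:oci/` prefix used to pick out deployable artifacts is an assumption of this example.

```python
from collections import deque

# Constructed SBOM-style records (placeholders, not real packages or digests):
# artifact -> list of its direct dependencies.
SBOM_RECORDS = {
    "pkg:oci/payments-api@sha256:1111": [
        "pkg:golang/example.com/httpkit@v1.2.0",
        "pkg:golang/example.com/textutil@v0.3.6",
    ],
    "pkg:oci/billing-worker@sha256:2222": [
        "pkg:golang/example.com/httpkit@v1.2.0",
    ],
    "pkg:oci/static-site@sha256:3333": ["pkg:npm/example-ui@18.2.0"],
    "pkg:golang/example.com/httpkit@v1.2.0": [
        "pkg:golang/example.com/textutil@v0.3.6",
        "pkg:golang/example.com/mux@v1.8.0",
    ],
    "pkg:golang/example.com/textutil@v0.3.6": [],
    "pkg:golang/example.com/mux@v1.8.0": [],
    "pkg:npm/example-ui@18.2.0": [],
}

# Constructed vulnerability record with a placeholder ID: vuln -> affected packages.
VULN_RECORDS = {
    "EXAMPLE-VULN-1": ["pkg:golang/example.com/textutil@v0.3.6"],
}


def reverse_dependencies(records):
    """Invert 'artifact depends on X' into 'X is depended on by {artifacts}'."""
    rev = {name: set() for name in records}
    for artifact, deps in records.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(artifact)
    return rev


def blast_radius(records, vulnerable_pkg):
    """Return {affected_artifact: chain} for every artifact that transitively
    depends on vulnerable_pkg. chain[0] is the affected artifact, chain[1] the
    direct dependency through which it is reached, chain[-1] the vulnerable
    package. Breadth-first, so each chain is a shortest path; the seen set
    makes dependency cycles harmless."""
    rev = reverse_dependencies(records)
    chains = {}
    seen = {vulnerable_pkg}
    queue = deque([(vulnerable_pkg, [vulnerable_pkg])])
    while queue:
        node, path = queue.popleft()
        for dependent in sorted(rev.get(node, ())):
            if dependent in seen:
                continue
            seen.add(dependent)
            chain = [dependent] + path
            chains[dependent] = chain
            queue.append((dependent, chain))
    return chains


def remediation_plan(records, vulns, vuln_id, deployable_prefix="pkg:oci/"):
    """For one vulnerability, list the deployable artifacts it reaches and, for
    each, the direct dependency to upgrade ('via'), how deep the vulnerable
    package sits ('depth'), and the root cause. Treating 'pkg:oci/' artifacts
    as the deployable ones is an assumption of this example."""
    plan = {}
    for vulnerable_pkg in vulns[vuln_id]:
        for artifact, chain in blast_radius(records, vulnerable_pkg).items():
            if artifact.startswith(deployable_prefix):
                plan[artifact] = {
                    "via": chain[1],
                    "depth": len(chain) - 1,
                    "root_cause": vulnerable_pkg,
                }
    return plan


if __name__ == "__main__":
    for vuln_id in VULN_RECORDS:
        print(f"{vuln_id}:")
        for artifact, info in remediation_plan(SBOM_RECORDS, VULN_RECORDS, vuln_id).items():
            print(f"  {artifact}: upgrade {info['via']} "
                  f"(depth {info['depth']}, root cause {info['root_cause']})")
```

With the constructed data, payments-api pulls the vulnerable package in directly (depth 1) while billing-worker only reaches it through httpkit (depth 2), so the remediation for the second is a new httpkit release, not a change to billing-worker itself; static-site does not appear at all. A real knowledge graph adds many more node and edge types (builders, provenance, VEX statements that suppress non-exploitable hits), but the query shape is the same inverted-edge traversal.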