Google Launches GUAC Project for Software Supply Chain Security

Google is seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition (GUAC), as part of its efforts to help secure the software supply chain.

The free tool, whose source is on GitHub, brings together different sources of software security metadata, including SLSA provenance, SBOMs, and OpenSSF Scorecards, according to the announcement from the Google Open Source Security Team. “GUAC aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable,” it says.

“GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding,” according to the announcement.

“Conceptually, GUAC occupies the ‘aggregation and synthesis’ layer of the software supply chain transparency logical model,” the announcement says. That model generally includes the following layers:

  • Policy and insight
  • Aggregation and synthesis
  • Software attestations
  • Trust foundation
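
The “aggregation and synthesis” the announcement describes comes down to joining records that arrive in different formats on shared identifiers, above all artifact digests. What follows is an added example, not GUAC's own code or data model: a minimal in-memory graph that ingests a constructed SPDX SBOM, constructed SLSA v0.2 provenance statements and constructed OpenSSF Scorecard results, links them through artifact digests and source repository names, and then answers a question none of the documents can answer alone (which dependencies of an image have no provenance, no Scorecard, or come from a low-scoring repository). The node labels, edge names, the `repo_key` normalization and the 5.0 score threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inputs, trimmed to the fields the join uses (not real artifacts).
SPDX_SBOM = {                     # SPDX 2.3 SBOM for a container image
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "acme-api", "versionInfo": "1.4.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aa11"}]},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "2.1.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "bb22"}]},
        {"SPDXID": "SPDXRef-libbar", "name": "libbar", "versionInfo": "0.9.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "cc33"}]},
        {"SPDXID": "SPDXRef-libbaz", "name": "libbaz", "versionInfo": "3.0.1",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "dd44"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-image", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": dep} for dep in ("SPDXRef-libfoo", "SPDXRef-libbar", "SPDXRef-libbaz")
    ],
}
SLSA_PROVENANCE = [               # in-toto statements carrying SLSA v0.2 predicates
    {"subject": [{"name": "libfoo-2.1.0.tar.gz", "digest": {"sha256": "bb22"}}],
     "predicateType": "https://slsa.dev/provenance/v0.2",
     "predicate": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator"},
                   "invocation": {"configSource": {"uri": "git+https://github.com/acme/libfoo@refs/tags/v2.1.0",
                                                   "digest": {"sha1": "0123abcd"}}}}},
    {"subject": [{"name": "libbaz-3.0.1.tar.gz", "digest": {"sha256": "dd44"}}],
     "predicateType": "https://slsa.dev/provenance/v0.2",
     "predicate": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator"},
                   "invocation": {"configSource": {"uri": "git+https://github.com/acme/libbaz@refs/tags/v3.0.1",
                                                   "digest": {"sha1": "4567ef01"}}}}},
]
SCORECARDS = [                    # OpenSSF Scorecard JSON results, one per repository
    {"repo": {"name": "github.com/acme/libfoo"}, "score": 4.2,
     "checks": [{"name": "Branch-Protection", "score": 2}, {"name": "Signed-Releases", "score": 10}]},
    {"repo": {"name": "github.com/acme/libbaz"}, "score": 8.1,
     "checks": [{"name": "Branch-Protection", "score": 9}, {"name": "Signed-Releases", "score": 10}]},
]


class Graph:
    """Tiny property graph: nodes keyed by stable ids, labelled directed edges."""
    def __init__(self):
        self.nodes = {}                     # id -> attribute dict
        self.edges = defaultdict(set)       # (src, label) -> {dst, ...}

    def node(self, nid, **attrs):
        self.nodes.setdefault(nid, {}).update(attrs)
        return nid

    def edge(self, src, label, dst):
        self.edges[(src, label)].add(dst)

    def out(self, src, label):
        return self.edges.get((src, label), set())


def repo_key(uri):
    """Normalize 'git+https://host/org/repo@ref' to 'host/org/repo' so provenance
    and Scorecard records land on the same source node (assumed convention)."""
    uri = uri.split("+", 1)[1] if uri.startswith("git+") else uri
    uri = uri.split("://", 1)[-1]
    return uri.split("@", 1)[0].rstrip("/")


def ingest_spdx(g, doc):
    """SBOM contributes package identity, content digests and dependency edges."""
    by_spdxid = {}
    for p in doc["packages"]:
        pkg = g.node(f"pkg:{p['name']}@{p['versionInfo']}", name=p["name"], version=p["versionInfo"])
        by_spdxid[p["SPDXID"]] = pkg
        for c in p.get("checksums", []):
            if c["algorithm"] == "SHA256":        # the digest is the join key with provenance
                g.edge(pkg, "HAS_ARTIFACT", g.node(f"artifact:sha256:{c['checksumValue'].lower()}"))
    for r in doc["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            g.edge(by_spdxid[r["spdxElementId"]], "DEPENDS_ON", by_spdxid[r["relatedSpdxElement"]])


def ingest_slsa(g, statement):
    """Provenance contributes artifact digest -> builder and source revision."""
    if statement["predicateType"] != "https://slsa.dev/provenance/v0.2":
        return
    pred = statement["predicate"]
    builder = g.node(f"builder:{pred['builder']['id']}")
    cfg = pred["invocation"]["configSource"]
    src = g.node(f"src:{repo_key(cfg['uri'])}", revision=cfg["digest"].get("sha1"))
    for s in statement["subject"]:
        art = g.node(f"artifact:sha256:{s['digest']['sha256'].lower()}")
        g.edge(art, "BUILT_BY", builder)
        g.edge(art, "BUILT_FROM", src)


def ingest_scorecard(g, result):
    """Scorecard contributes repository health scores, attached to the source node."""
    g.node(f"src:{result['repo']['name']}", scorecard=result["score"],
           checks={c["name"]: c["score"] for c in result["checks"]})


def assess_dependencies(g, root_pkg, min_score=5.0):
    """Walk DEPENDS_ON from root_pkg and state, per dependency, what the combined
    evidence says; missing evidence is reported explicitly rather than ignored."""
    report = {}
    for dep in g.out(root_pkg, "DEPENDS_ON"):
        sources = {s for a in g.out(dep, "HAS_ARTIFACT") for s in g.out(a, "BUILT_FROM")}
        if not sources:
            report[dep] = "no provenance"
            continue
        scores = [g.nodes[s].get("scorecard") for s in sources]
        if any(sc is None for sc in scores):
            report[dep] = "no scorecard"
        elif min(scores) < min_score:
            report[dep] = f"scorecard {min(scores)} below {min_score}"
        else:
            report[dep] = "ok"
    return report


def build_graph():
    g = Graph()
    ingest_spdx(g, SPDX_SBOM)
    for st in SLSA_PROVENANCE:
        ingest_slsa(g, st)
    for sc in SCORECARDS:
        ingest_scorecard(g, sc)
    return g


if __name__ == "__main__":
    for dep, verdict in sorted(assess_dependencies(build_graph(), "pkg:acme-api@1.4.0").items()):
        print(f"{dep}: {verdict}")
```

Running the block prints one verdict per dependency of the image. The point to take from it is that evidence gaps (a dependency with no provenance statement, a source repository with no Scorecard) come out as first-class answers alongside the low-score finding, which is what makes the aggregate actionable rather than just large; in a real deployment the inputs would be pulled from a registry, an attestation store and the Scorecard API instead of inline literals.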

Read more at Google Open Source.