Google and a team of partners that includes IBM as well as Red Hat are offering a new software supply chain tracker they say will provide “strong governance.”

It’s called Grafeas, the Greek word for “scribe.”

Google describes Grafeas as “an open source initiative to define a uniform way for auditing and governing the modern software supply chain.”

“Grafeas offers a vendor agnostic, open API for integrations into software build processes, resulting in provenance and auditing improvements,” explains Chris Wright, CTO at Red Hat, the world leader in Open Source Linux software and services.  

JFrog, Black Duck, Twistlock, Aqua Security and CoreOS are also partners in the new project.

“Build, auditing and compliance tools can use the Grafeas API [application programming interface] to store, query and retrieve comprehensive metadata on software components of all kinds,” say Google’s Stephen Elliott and Jianing Guo. Elliott is product manager for developer platforms. Guo is product manager for container security.

Jason McGee, vice president of IBM Cloud Platform, points out in an IBM blog: “Grafeas defines the central source of truth for organizations that must track and enforce policies across an ever growing set of software development teams and pipelines. Build, auditing and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.”

The Grafeas approach

Google’s duo explains the Grafeas approach:

“Grafeas offers a central, structured knowledge-base of the critical metadata organizations need to successfully manage their software supply chains. It reflects best practices Google has learned building internal security and governance solutions across millions of releases and billions of containers.”

Highlights include:

  • Using immutable infrastructure (e.g., containers) to establish preventative security postures against persistent advanced threats
  • Building security controls into the software supply chain, based on comprehensive component metadata and security attestations, to protect production deployments
  • Keeping the system flexible and ensuring interoperability of developer tools around common specifications and open-source software

The project also includes Kritis (“judge” in Greek), which is designed to enable real-time enforcement.
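To make the division of labour concrete, here is an added illustration (not code from the Grafeas or Kritis projects, and not their API) of the two roles the article describes: a store that records metadata about artifacts, and an enforcement point that consults that store before a deployment is allowed. The Note/Occurrence naming, the image digests, note names and the QA authority are constructed for the demo; the HMAC stands in for the signature scheme a real attestation authority would use.

```python
"""Simplified Grafeas-style metadata store with a Kritis-style admission check.

Illustrative model only (not the Grafeas API): Grafeas serves these objects
over gRPC/REST, and real enforcement verifies asymmetric signatures rather
than the HMAC used here to keep the demo self-contained.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Note:
    """A reusable fact, e.g. one vulnerability or one attestation authority."""
    name: str
    kind: str                      # "VULNERABILITY" or "ATTESTATION"
    details: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Occurrence:
    """The instance of a Note on one concrete artifact (resource_uri)."""
    note_name: str
    resource_uri: str              # e.g. a container image pinned by digest
    details: dict = field(default_factory=dict)


class MetadataStore:
    """Minimal store/query layer standing in for a metadata server."""

    def __init__(self):
        self.notes = {}
        self.occurrences = []

    def create_note(self, note: Note):
        if note.name in self.notes:
            raise ValueError(f"note {note.name} already exists")
        self.notes[note.name] = note

    def create_occurrence(self, occ: Occurrence):
        if occ.note_name not in self.notes:
            raise KeyError(f"occurrence refers to unknown note {occ.note_name}")
        self.occurrences.append(occ)

    def list_occurrences(self, resource_uri: str, kind: str = None):
        return [o for o in self.occurrences
                if o.resource_uri == resource_uri
                and (kind is None or self.notes[o.note_name].kind == kind)]


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def sign_attestation(authority_key: bytes, resource_uri: str) -> str:
    """Demo signature binding an authority to one exact artifact digest."""
    return hmac.new(authority_key, resource_uri.encode(), hashlib.sha256).hexdigest()


def admission_decision(store, resource_uri, required_attestor, authority_key,
                       max_severity="MEDIUM"):
    """Return (allowed, reasons); the enforcement step modelled on Kritis."""
    reasons = []
    if "@sha256:" not in resource_uri:
        reasons.append("image must be pinned by digest, not by tag")
    for occ in store.list_occurrences(resource_uri, kind="VULNERABILITY"):
        sev = occ.details.get("severity", "CRITICAL")  # unknown severity fails closed
        if SEVERITY_RANK[sev] > SEVERITY_RANK[max_severity]:
            reasons.append(f"{occ.note_name}: severity {sev} exceeds {max_severity}")
    expected = sign_attestation(authority_key, resource_uri)
    attested = any(
        occ.note_name == required_attestor
        and hmac.compare_digest(occ.details.get("signature", ""), expected)
        for occ in store.list_occurrences(resource_uri, kind="ATTESTATION"))
    if not attested:
        reasons.append(f"no valid attestation from {required_attestor}")
    return (not reasons, reasons)


# Constructed sample data: one QA attestation authority and two scanned images.
QA_KEY = b"demo-qa-authority-key"
ATTESTOR = "projects/demo/notes/qa-signoff"
GOOD_IMAGE = "registry.example/app@sha256:" + "a" * 64
BAD_IMAGE = "registry.example/app@sha256:" + "b" * 64


def build_demo_store() -> MetadataStore:
    store = MetadataStore()
    store.create_note(Note(ATTESTOR, "ATTESTATION"))
    store.create_note(Note("projects/demo/notes/VULN-A", "VULNERABILITY"))
    store.create_note(Note("projects/demo/notes/VULN-B", "VULNERABILITY"))
    # Constructed scanner findings for each image.
    store.create_occurrence(Occurrence("projects/demo/notes/VULN-A", GOOD_IMAGE, {"severity": "MEDIUM"}))
    store.create_occurrence(Occurrence("projects/demo/notes/VULN-B", BAD_IMAGE, {"severity": "HIGH"}))
    # QA signed off on the good image; the bad image carries a forged signature.
    store.create_occurrence(Occurrence(ATTESTOR, GOOD_IMAGE,
                                       {"signature": sign_attestation(QA_KEY, GOOD_IMAGE)}))
    store.create_occurrence(Occurrence(ATTESTOR, BAD_IMAGE, {"signature": "deadbeef"}))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for img in (GOOD_IMAGE, BAD_IMAGE, "registry.example/app:latest"):
        print(img[:40], admission_decision(s, img, ATTESTOR, QA_KEY))
```

The point of the split is that the store only records facts (a scanner found this severity, this authority signed this digest) while the policy lives entirely in the enforcement step, so the same metadata can back different policies for different environments without re-scanning or re-signing.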

Grafeas is designed to address problems created by:

  • Growing, fragmented toolsets: As an organization grows in size and scope, it tends to use more development languages and tools, making it difficult to maintain visibility and control of its development lifecycle.
  • Open-source software adoption: While open-source software makes developers more productive, it also complicates auditing and governance.
  • Decentralization and continuous delivery: The move to decentralize engineering and ship software continuously (e.g., “push on green”) accelerates development velocity, but makes it difficult to follow best practices and standards.
  • Hybrid cloud deployments: Enterprises increasingly use a mix of on-premises, private and public cloud clusters to get the best of each world, but find it hard to maintain 360-degree visibility into operations across such diverse environments.
  • Microservice architectures: As organizations break down large systems into container-based microservices, it becomes harder to track all the pieces.

According to Google:

  • Red Hat will enhance the security features and automation of Red Hat Enterprise Linux container technologies in OpenShift with Grafeas.
  • IBM will deliver Grafeas and Kritis as part of the IBM Container Service on IBM Cloud, and integrate its Vulnerability Advisor and DevOps tools with the Grafeas API.

Red Hat is based in Raleigh.

IBM operates one of its largest corporate campuses in RTP.

Read more at:

https://cloudplatform.googleblog.com/2017/10/introducing-grafeas-open-source-api-.html