Primary language: Go. License: Apache License 2.0 (Apache-2.0).

GUAC: Graph for Understanding Artifact Composition

The GUAC (Graph for Understanding Artifact Composition) project aims to create a means to ingest, validate and parse artifact information (e.g. in-toto attestations, SBOMs) from various data sources and to represent and store it in a knowledge graph, where users can query information about artifacts or request evidence of certain properties of an artifact. GUAC is intended to serve both as a monitor for public supply chain and security documents and as an internal tool that organizations use to query information about the artifacts they use.

A few examples of questions answered by GUAC include:

[Figure: example questions answered by GUAC]

Architecture

Here is an overview of the architecture of GUAC:

[Figure: overview of the GUAC architecture]

Additional References

Communication

All communication should be done through issues, unless it is a private matter. In that case, an e-mail should be sent to guac-maintainers@googlegroups.com.

Governance

Information about governance can be found here.