forked from guacsec/guac

GUAC aggregates software security metadata into a high fidelity graph database.


pombredanne/guac

 
 


GUAC: Graph for Understanding Artifact Composition

Note: GUAC is under active development. If you are interested in contributing, please look at the contributor guide and the "express interest" issue.

Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:

[Image: software supply chain transparency logical model]

A few examples of questions answered by GUAC include:

[Image: examples of questions answered by GUAC]

Quickstart

Refer to the Setup + Demo document to learn how to prepare your environment and try GUAC out!

Architecture

Here is an overview of the architecture of GUAC:

[Image: GUAC architecture overview]

Supported input formats

Additional References

Communication

We encourage discussions to take place on GitHub issues. We also have a public Slack channel on the OpenSSF Slack.

For security issues or code of conduct concerns, an e-mail should be sent to guac-maintainers@googlegroups.com.

Governance

Information about governance can be found here.

Languages

  • Go 99.5%
  • Other 0.5%