Explore the Graph for Understanding Artifact Composition (GUAC) in this informative conference talk. Discover how GUAC integrates metadata about software projects, artifacts, and attestations to provide a comprehensive view of the software supply chain. Learn how organizations can leverage GUAC to quickly identify vulnerabilities, determine necessary package updates, and assess their software ecosystem's security. Understand the process of ingesting SBOMs and attestations from various sources into a GraphQL-abstracted graph database. Gain insights into how GUAC utilizes identity information and trust policies to identify counterfactuals and answer critical security queries. Explore the integration of OSV, deps.dev, and Scorecards to enrich the graph with essential information for a complete overview of the software supply chain. Discover how this extensive dataset, combined with GraphQL, enables automated policies to determine artifact authorization for production environments.
Where Is the GUAC? - Understanding Artifact Composition in Software Supply Chains
Overview
Syllabus
Where Is the GUAC? - Parth Patel, Kusari & Mihai Maruseac, Google
Taught by
Linux Foundation
Tags
Related Courses
-
GUAC Verification for Software Supply Chain Security
-
Supply Chain Security: Building a Knowledge Graph for Artifact Relationships
-
Proactive Supply Chain Security with GUAC
-
Eliminating the Unknowns: Using GUAC to Better Understand Your Software Supply Chain
-
GUAC 101 - Introduction to Graph for Understanding Artifact Composition
-
Fresh SLSA and GUAC - Understanding Open Source Package Risks and Transparency
