Google has announced the beta release of GUAC 0.1 (Graph for Understanding Artifact Composition), a project designed to safeguard the software supply chain. The open-source API platform is offered to developers so they can integrate their own tools and policy mechanisms with it. GUAC aggregates software metadata from various sources, such as SBOMs, into a graph database that shows the relationships between different components. With that graph, organizations can determine how a change or compromise in one component affects the others.
According to Google's documentation, GUAC provides organized and actionable information about the security state of the supply chain. GUAC combines Software Bills of Materials (SBOMs), SLSA attestations, OSV vulnerability data, deps.dev information and a company's internal private metadata to give organizations a comprehensive picture of their risk profile and of the interconnections between artifacts, packages, and repositories.
The primary aims of GUAC are to prevent high-profile attacks on the supply chain, to support building a remediation plan, and to enable a fast response to incidents. One example of how GUAC can be used is to determine whether a collector has been compromised and then query for the artifacts that are exposed as a result. Such a system lets the Chief Information Security Officer (CISO) define a policy that prohibits the use of any software within the blast radius of the compromise.
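As an added illustration of the kind of query described above (example code written for this page, not GUAC's own code or API), the snippet below merges constructed SBOM-style dependency edges with a constructed OSV-style vulnerability record into a small graph and computes which deployable images fall inside the blast radius of the affected package; all package URLs and the vulnerability id are made-up sample values.

```python
"""Toy artifact-composition graph in the spirit of GUAC: merge SBOM
dependency edges with vulnerability records, then answer the question
"which artifacts are in the blast radius of a compromised package?".
All package names, versions and the OSV id below are constructed samples."""
from collections import defaultdict

# Constructed SBOM-style dependency edges: (dependent, dependency).
# In a real deployment these would come from ingested SPDX/CycloneDX documents.
SBOM_EDGES = [
    ("pkg:oci/payments-api@1.4.0", "pkg:golang/example.com/httpkit@2.1.0"),
    ("pkg:oci/payments-api@1.4.0", "pkg:golang/example.com/logfmt@0.9.0"),
    ("pkg:golang/example.com/httpkit@2.1.0", "pkg:golang/example.com/json-fast@3.0.1"),
    ("pkg:oci/batch-worker@0.7.2", "pkg:golang/example.com/json-fast@3.0.1"),
    ("pkg:oci/static-site@5.0.0", "pkg:npm/example-ui@4.2.0"),
]

# Constructed vulnerability record shaped like an OSV hit: package -> ids.
VULNS = {"pkg:golang/example.com/json-fast@3.0.1": ["OSV-EXAMPLE-0001"]}

def build_graph(edges):
    """Reverse adjacency: dependency -> set of artifacts that depend on it."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    return dependents

def blast_radius(dependents, compromised):
    """All artifacts that transitively depend on `compromised` (itself excluded)."""
    seen, stack = set(), [compromised]
    while stack:
        node = stack.pop()
        for parent in dependents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def affected_deployables(edges, vulns, prefix="pkg:oci/"):
    """Deployable images (selected by purl prefix) that a policy should block,
    mapped to the sorted vulnerability ids that reach them through the graph."""
    dependents = build_graph(edges)
    result = defaultdict(set)
    for pkg, ids in vulns.items():
        for artifact in blast_radius(dependents, pkg) | {pkg}:
            if artifact.startswith(prefix):
                result[artifact].update(ids)
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    for image, ids in sorted(affected_deployables(SBOM_EDGES, VULNS).items()):
        print(f"BLOCK {image}: {', '.join(ids)}")
```

Note that payments-api is flagged even though it never references json-fast directly; the indirect path through httpkit is exactly what a flat per-package scan misses and a graph query catches.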
In conclusion, GUAC is a tool designed to protect the software supply chain and to give a deeper understanding of how the different parts of a software system depend on one another. This enables organizations to better understand their risk profile and to respond to incidents promptly.