Where Is the GUAC? - Understanding Artifact Composition in Software Supply Chains
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore the Graph for Understanding Artifact Composition (GUAC) in this informative conference talk. Discover how GUAC integrates metadata about software projects, artifacts, and attestations to provide a comprehensive view of the software supply chain. Learn how organizations can leverage GUAC to quickly identify vulnerabilities, determine necessary package updates, and assess their software ecosystem's security. Understand the process of ingesting SBOMs and attestations from various sources into a GraphQL-abstracted graph database. Gain insights into how GUAC utilizes identity information and trust policies to identify counterfactuals and answer critical security queries. Explore the integration of OSV, deps.dev, and Scorecards to enrich the graph with essential information for a complete overview of the software supply chain. Discover how this extensive dataset, combined with GraphQL, enables automated policies to determine artifact authorization for production environments.
Syllabus
Where Is the GUAC? - Parth Patel, Kusari & Mihai Maruseac, Google
Taught by
Linux Foundation