Menu
Global vendors join forces for software supply chain API

Global vendors join forces for software supply chain API

Teams up with IBM, Red Hat, JFrog and others

Google has teamed up with the likes of IBM, Red Hat and JFrog to launch a new open source initiative aimed at defining a uniform way for auditing and governing software supply chains.

The new application processing interface (API), named Grafeas – or ‘scribe’ in Greek, provides users with a central source of information for tracking and enforcing policies across sets of software development teams and pipelines.

The open source project was a joint effort between Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS, with Google saying it built Grafeas to promote cross-vendor collaboration and compatibility.

“At each stage of the software supply chain (code, build, test, deploy and operate), different tools generate metadata about various software components,” Google said in a blog post.

“Examples include the identity of the developer, when the code was checked in and built, what vulnerabilities were detected, what tests were passed or failed, and so on. This metadata is then captured by Grafeas.”

According to Google, the API can provide visibility for software development, test and operations teams, as well as CIOs.

Build, auditing and compliance tools can use the Grafeas API to store, query and retrieve comprehensive metadata on software components of all kinds, according to Google.

“Grafeas offers a central, structured knowledge-base of the critical metadata organisations need to successfully manage their software supply chains,” Google said.

“It reflects best practices Google has learned building internal security and governance solutions across millions of releases and billions of containers.”

As part of Grafeas, Google is also introducing Kritis, a Kubernetes policy engine that is designed to help users enforce more secure software supply chain policies.

Kritis is aimed at facilitating real-time enforcement of container properties at deploy time for Kubernetes clusters based on attestations of container image properties.

“Grafeas and Kritis actually help us achieve better security while letting developers focus on their code. We look forward to more companies integrating with the Grafeas and Kritis projects,” Shopify senior security engineer, Jonathan Pulsifer, said.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags GoogleIBMRed HatJFrog

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments