Menu
Global vendors join forces for software supply chain API

Global vendors join forces for software supply chain API

Teams up with IBM, Red Hat, JFrog and others

Google has teamed up with the likes of IBM, Red Hat and JFrog to launch a new open source initiative aimed at defining a uniform way for auditing and governing software supply chains.

The new application processing interface (API), named Grafeas – or ‘scribe’ in Greek, provides users with a central source of information for tracking and enforcing policies across sets of software development teams and pipelines.

The open source project was a joint effort between Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS, with Google saying it built Grafeas to promote cross-vendor collaboration and compatibility.

“At each stage of the software supply chain (code, build, test, deploy and operate), different tools generate metadata about various software components,” Google said in a blog post.

“Examples include the identity of the developer, when the code was checked in and built, what vulnerabilities were detected, what tests were passed or failed, and so on. This metadata is then captured by Grafeas.”

According to Google, the API can provide visibility for software development, test and operations teams, as well as CIOs.

Build, auditing and compliance tools can use the Grafeas API to store, query and retrieve comprehensive metadata on software components of all kinds, according to Google.

“Grafeas offers a central, structured knowledge-base of the critical metadata organisations need to successfully manage their software supply chains,” Google said.

“It reflects best practices Google has learned building internal security and governance solutions across millions of releases and billions of containers.”

As part of Grafeas, Google is also introducing Kritis, a Kubernetes policy engine that is designed to help users enforce more secure software supply chain policies.

Kritis is aimed at facilitating real-time enforcement of container properties at deploy time for Kubernetes clusters based on attestations of container image properties.

“Grafeas and Kritis actually help us achieve better security while letting developers focus on their code. We look forward to more companies integrating with the Grafeas and Kritis projects,” Shopify senior security engineer, Jonathan Pulsifer, said.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags JFrogGoogleIBMRed Hat

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments