GUAC 0.1 Beta: Google’s Revolutionary Software Supply Chain Security Platform
Google has launched a beta version of a single knowledge center for software interactions.
Google has announced GUAC 0.1 Beta (Graph for Understanding Artifact Composition), a tool designed to protect the software supply chain. It is released as an open source platform whose API lets developers integrate their own policy tools and mechanisms.
GUAC seeks to combine software security metadata (such as SBOMs) from various sources into a graph database that captures the relationships between pieces of software, helping organizations determine how one piece of software affects another.
According to Google's documentation, GUAC gives you organized and useful information about the security status of your software supply chain.
In other words, GUAC is designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev information, and an organization's internal private metadata to help build a better risk profile and visualize the relationships between artifacts, packages, and repositories.
The goal of the project is to counter high-profile attacks on the supply chain, create a remediation plan, and respond quickly to incidents.
For example, GUAC can be used to confirm that a collector has been compromised (for example, by a leaked credential or a malware infection) and then query for the vulnerable artifacts. Such a system allows the Chief Information Security Officer (CISO) to easily create a policy that prohibits the use of any software within that infection radius.
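The scenario above (a compromised builder, the artifacts inside its infection radius, and a policy that denies them) can be modeled with a small artifact graph. The following Go program is an added example for this article; it is not GUAC's own code, data model, or API. The two edge kinds it records, an SBOM-style "depends on" edge and an SLSA-provenance-style "built by" edge, the hypothetical builder ids (`builder://ci-runner-7`, `builder://trusted-builder`), and all package identifiers are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal artifact graph, constructed for this example; it is not GUAC's
// data model. Two edge kinds are modeled: "dependsOn", as an SBOM would
// state it, and "builtBy", as an SLSA provenance attestation would.
type Graph struct {
	dependsOn map[string][]string // artifact -> direct dependencies
	builtBy   map[string]string   // artifact -> builder that produced it
}

func NewGraph() *Graph {
	return &Graph{
		dependsOn: map[string][]string{},
		builtBy:   map[string]string{},
	}
}

// AddDependency records an SBOM-style edge: artifact uses dep.
func (g *Graph) AddDependency(artifact, dep string) {
	g.dependsOn[artifact] = append(g.dependsOn[artifact], dep)
}

// AddProvenance records a SLSA-style edge: artifact was produced by builder.
func (g *Graph) AddProvenance(artifact, builder string) {
	g.builtBy[artifact] = builder
}

// BlastRadius returns, sorted, every artifact that was produced by the
// compromised builder or that transitively depends on such an artifact.
func (g *Graph) BlastRadius(compromisedBuilder string) []string {
	// Reverse the dependency edges so the walk goes from a dependency
	// to everything that consumes it.
	dependents := map[string][]string{}
	for artifact, deps := range g.dependsOn {
		for _, dep := range deps {
			dependents[dep] = append(dependents[dep], artifact)
		}
	}

	// Seed the search with the builder's direct outputs.
	seen := map[string]bool{}
	var queue []string
	for artifact, builder := range g.builtBy {
		if builder == compromisedBuilder {
			seen[artifact] = true
			queue = append(queue, artifact)
		}
	}

	// Breadth-first walk up the reverse dependency edges.
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, parent := range dependents[cur] {
			if !seen[parent] {
				seen[parent] = true
				queue = append(queue, parent)
			}
		}
	}

	out := make([]string, 0, len(seen))
	for a := range seen {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// PolicyAllows is the "deny anything in the infection radius" rule from
// the article, expressed as a function a deployment gate could call.
func PolicyAllows(radius []string, artifact string) bool {
	for _, a := range radius {
		if a == artifact {
			return false
		}
	}
	return true
}

// SampleGraph builds the constructed example: the identifiers are
// illustrative purl-style names and builder ids, not real packages.
func SampleGraph() *Graph {
	g := NewGraph()
	g.AddProvenance("pkg:npm/padlib@1.3.0", "builder://ci-runner-7")
	g.AddProvenance("pkg:npm/utils@4.0.0", "builder://trusted-builder")
	g.AddDependency("pkg:npm/webapp@2.0.0", "pkg:npm/padlib@1.3.0")
	g.AddDependency("pkg:npm/webapp@2.0.0", "pkg:npm/utils@4.0.0")
	g.AddDependency("pkg:docker/frontend@1.0.0", "pkg:npm/webapp@2.0.0")
	g.AddDependency("pkg:golang/reporter@1.0.0", "pkg:npm/utils@4.0.0")
	return g
}

func main() {
	g := SampleGraph()
	radius := g.BlastRadius("builder://ci-runner-7")
	fmt.Println("artifacts in the infection radius:", radius)
	for _, a := range []string{"pkg:docker/frontend@1.0.0", "pkg:golang/reporter@1.0.0"} {
		fmt.Printf("deploy %s allowed: %v\n", a, PolicyAllows(radius, a))
	}
}
```

Running it reports `padlib`, `webapp` and the `frontend` image as inside the radius of `builder://ci-runner-7`, while `reporter`, which only depends on an artifact from the trusted builder, stays allowed. The point of holding the metadata as a graph is exactly this reverse walk: an SBOM alone tells you what a package uses, but answering "what uses the thing that was just compromised" needs the edges indexed in both directions across every ingested document.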