Google, IBM launch open API for auditing and governing software pipelines

Grafeas provides an open-source API for enforcing security policies across the software supply chain.
Written by Tas Bindi, Contributor

Google and IBM have announced the launch of Grafeas, an open-source project providing developers with a standardised way of auditing and governing their software supply chains.

The project provides an open API that collects and aggregates the metadata generated at each stage of the software supply chain, according to Google's blog post.

Using the API, developers can keep a record of when and where code was changed and who changed it, whether the code passed or failed a security scan, what vulnerabilities were detected, and whether QA signed off on it, all before the code is pushed into production.

Google said Grafeas addresses a number of modern-day challenges such as the growing number of fragmented toolsets, decentralisation of engineering, expectation of continuous deployments, difficulty of maintaining visibility into operations across hybrid cloud environments, and replacement of large systems with hundreds of microservices.

"Without uniform metadata schemas or a central source of truth, CIOs struggle to govern their software supply chains, let alone answer foundational questions like: 'Is software component X deployed right now?' 'Did all components deployed to production pass required compliance tests?' and 'Does vulnerability Y affect any production code?'" Google's product manager for Developer Platforms Stephen Elliott and product manager for Container Security Jianing Guo wrote in the blog post.

An additional component of the project is Kritis, which enables developers to create Kubernetes governance policies based on metadata stored in Grafeas.

"Kritis acts as a real-time enforcement chokepoint at the container deploy time for Kubernetes clusters, and demonstrates how to build strong governance tools with Grafeas as the foundation," Jason McGee, VP of IBM Cloud Platform, wrote in a blog post.

Grafeas, with its Kritis component, acts as a unified metadata store that works across on-premises, public cloud, and hybrid environments. IBM said it also makes it easy to add new producers and types of metadata, and to make sense of those new sources.

Additional features include strong access controls and a rich query capability that works across components.

IBM said it plans to deliver Grafeas and Kritis as part of the IBM Container Service on IBM Cloud, and to integrate its Vulnerability Advisor and DevOps tools with the Grafeas API.

In addition to IBM, Red Hat, JFrog, Black Duck, Twistlock, Aqua Security, and CoreOS are also looking to contribute to the Grafeas project.

An early adopter of Grafeas is Shopify, which said it builds more than 6,000 containers every day and keeps 330,000 images in its primary container registry.

"By integrating Grafeas and Kritis into our Kubernetes pipeline, we are now able to automatically store vulnerability and build information about every container image that we create and strictly enforce a built-by-Shopify policy: our Kubernetes clusters only run images signed by our builder," Shopify said in a blog post.

"Grafeas and Kritis actually help us achieve better security while letting developers focus on their code. We look forward to more companies integrating with the Grafeas and Kritis projects."
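The deploy-time chokepoint described above (a Kritis-style policy over Grafeas-style metadata, including Shopify's "only run images signed by our builder" rule) as an added illustration, not code from the Grafeas or Kritis projects. It assumes a simplified occurrence record and an HMAC stand-in for the builder's signing key; the real projects use their own schema and asymmetric signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical stand-in for the builder's signing key. Real Grafeas/Kritis
# attestations carry asymmetric (PGP/PKIX) signatures, not an HMAC secret.
TRUSTED_BUILDER_KEY = b"constructed-builder-key"

@dataclass
class Occurrence:
    """Simplified Grafeas-style occurrence: one fact about one image digest."""
    image: str    # image reference pinned by digest
    kind: str     # "BUILD", "VULNERABILITY" or "ATTESTATION"
    payload: dict = field(default_factory=dict)

def sign_attestation(image: str, key: bytes) -> str:
    """The builder signs the image digest after a successful build."""
    return hmac.new(key, image.encode(), hashlib.sha256).hexdigest()

def attested_by_trusted_builder(image, store, key=TRUSTED_BUILDER_KEY):
    expected = sign_attestation(image, key)
    return any(o.kind == "ATTESTATION" and o.image == image
               and hmac.compare_digest(o.payload.get("signature", ""), expected)
               for o in store)

def has_blocking_vulnerability(image, store, blocked=("CRITICAL",)):
    return any(o.kind == "VULNERABILITY" and o.image == image
               and o.payload.get("severity") in blocked for o in store)

def admit(image, store):
    """Deploy-time chokepoint: returns (allowed, reason) for one image."""
    if "@sha256:" not in image:
        return False, "image must be referenced by digest, not a mutable tag"
    if not attested_by_trusted_builder(image, store):
        return False, "no valid attestation from the trusted builder"
    if has_blocking_vulnerability(image, store):
        return False, "critical vulnerability recorded for this image"
    return True, "admitted"

# Constructed metadata store: one image built and signed by the trusted
# builder, one signed with a rogue key that also has a critical finding.
GOOD = "registry.example/app@sha256:" + "a" * 64
BAD = "registry.example/app@sha256:" + "b" * 64
STORE = [
    Occurrence(GOOD, "BUILD", {"builder": "ci", "commit": "constructed"}),
    Occurrence(GOOD, "ATTESTATION", {"signature": sign_attestation(GOOD, TRUSTED_BUILDER_KEY)}),
    Occurrence(BAD, "ATTESTATION", {"signature": sign_attestation(BAD, b"rogue-key")}),
    Occurrence(BAD, "VULNERABILITY", {"severity": "CRITICAL", "id": "PLACEHOLDER"}),
]
```

Pinning by digest matters because a tag can be repointed after the attestation was written, which would silently decouple the metadata from the bytes actually deployed.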
