Google, IBM and others launch an open-source API for keeping tabs on software supply chains


October 15th, 2017

Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS today announced Grafeas (“scribe” in Greek), a new joint open-source project that provides users with a standardized way for auditing and governing their software supply chain.


In addition, Google also launched another new project, Kritis (“judge” in Greek, because after the success of Kubernetes, it would surely be bad luck to pick names in any other language for new Google open-source projects). Kritis allows businesses to enforce certain container properties at deploy time for Kubernetes clusters.

Grafeas defines an API that collects the metadata around code deployments and build pipelines. This means keeping a record of authorship and code provenance, recording the deployment of each piece of code, marking whether code passed a security scan, which components it uses (and whether those have known vulnerabilities) and whether QA signed off on it. So before a new piece of code is deployed, the system can check all of the info about it through the Grafeas API, and if it’s certified and free of vulnerabilities (at least to the best knowledge of the system), then it can get pushed into production.
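As an added illustration of the deploy-time gate the paragraph describes (this is not code from the Grafeas or Kritis projects, whose real API uses its own schema), the check below reads constructed metadata records for an image digest and admits it only when provenance, a completed scan, acceptable vulnerability severity and a verified QA sign-off are all present; the record kinds, field names and digests are assumptions, and missing metadata is treated as a denial rather than a pass.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Record:
    """One piece of metadata about an artifact (constructed shape, not Grafeas's schema)."""
    kind: str        # assumed kinds: provenance, scan, vulnerability, attestation
    artifact: str    # digest of the image or package the record describes
    data: dict = field(default_factory=dict)

def evaluate(artifact, records, max_severity="MEDIUM", required_attestors=("qa",)):
    """Decide whether `artifact` may be deployed. Returns (allowed, reasons).
    Fails closed: absent or unknown metadata counts against the artifact."""
    mine = [r for r in records if r.artifact == artifact]
    reasons = []
    if not any(r.kind == "provenance" for r in mine):
        reasons.append("no provenance record: build origin unknown")
    scans = [r for r in mine if r.kind == "scan"]
    if not any(s.data.get("status") == "complete" for s in scans):
        reasons.append("no completed vulnerability scan")
    limit = SEVERITY_RANK[max_severity]
    for v in (r for r in mine if r.kind == "vulnerability"):
        # An unrecognised severity ranks above the limit, so it is denied too.
        if SEVERITY_RANK.get(v.data.get("severity"), limit + 1) > limit:
            reasons.append(f"{v.data.get('id', '?')} is {v.data.get('severity', 'UNKNOWN')}")
    signed = {r.data.get("attestor") for r in mine
              if r.kind == "attestation" and r.data.get("verified") is True}
    for who in required_attestors:
        if who not in signed:
            reasons.append(f"missing verified attestation from {who}")
    return (not reasons, reasons)

# Constructed sample metadata for two images (digests and IDs are placeholders).
RECORDS = [
    Record("provenance", "sha256:aaa", {"builder": "ci", "commit": "deadbeef"}),
    Record("scan", "sha256:aaa", {"status": "complete"}),
    Record("vulnerability", "sha256:aaa", {"id": "VULN-1", "severity": "LOW"}),
    Record("attestation", "sha256:aaa", {"attestor": "qa", "verified": True}),
    Record("provenance", "sha256:bbb", {"builder": "ci", "commit": "cafef00d"}),
    Record("scan", "sha256:bbb", {"status": "complete"}),
    Record("vulnerability", "sha256:bbb", {"id": "VULN-2", "severity": "CRITICAL"}),
    Record("attestation", "sha256:bbb", {"attestor": "qa", "verified": False}),
]

if __name__ == "__main__":
    for digest in ("sha256:aaa", "sha256:bbb", "sha256:ccc"):
        allowed, why = evaluate(digest, RECORDS)
        print(digest, "ALLOW" if allowed else "DENY", why)
```

The third digest has no metadata at all and is refused for that reason alone, which is the behaviour an admission gate needs when the metadata store is incomplete.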

At first glance, this all may seem rather bland, but there’s a real need for projects like this. With the advent of continuous integration, decentralization, microservices, an increasing number of toolsets and every other buzzworthy technology, enterprises are struggling to keep tabs on what’s actually happening in their data centers.

Nisheeth Bhakuni