Google and IBM recently joined forces to create and open source the Grafeas project, which aims to give developers a structured way to audit and govern modern software supply chains.
Grafeas provides an open API that collects and aggregates the metadata generated at the various stages of the software supply chain. The metadata store and enforcement point give visibility into development environments and allow policies to be enforced without slowing down development teams.
IBM's Container Service has a built-in Vulnerability Advisor that, as part of the DevOps process, scans container images for vulnerable software packages and poor software configurations, and produces a risk assessment for the software they contain.
To build a more comprehensive security and governance model, the data can now be combined with other metadata in an open manner using the Grafeas API.
The new project also includes security and governance solutions from Google that are meant to scale across millions of releases and billions of containers.
These solutions include using immutable infrastructure to establish a preventative security posture against advanced persistent threats, building security controls into the software supply chain to protect production deployments, and keeping the system flexible while ensuring interoperability of developer tools around common specifications and open-source software.
Google has also introduced Kritis, an additional component that lets developers create Kubernetes governance policies based on the metadata stored in Grafeas.
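As an added illustration (not code from the original article or from the Grafeas project), the following Python models the pattern described above: a vulnerability scanner and a CI sign-off step write metadata records about container images into a shared store, and a Kubernetes-side enforcement point queries that store before admitting a deployment. The field names and the three record kinds are a simplification of Grafeas' note/occurrence model, and every image digest, producer and attestor name is constructed.

```python
from dataclasses import dataclass

@dataclass
class Occurrence:
    """One metadata record attached to a container image. The real Grafeas
    API has richer note/occurrence types; these fields are a simplification."""
    resource: str   # image reference pinned by digest (constructed)
    kind: str       # "DISCOVERY", "VULNERABILITY" or "ATTESTATION"
    producer: str   # tool that wrote the record (constructed label)
    detail: str     # scan status, severity, or attestor name, depending on kind

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def admit(image, store, max_severity="MEDIUM", required_attestor="qa-signoff"):
    """Enforcement-point decision: returns (allowed, reason) for deploying `image`."""
    occs = [o for o in store if o.resource == image]
    # Fail closed: an image with no completed scan record is not a clean image.
    if not any(o.kind == "DISCOVERY" and o.detail == "FINISHED_SUCCESS" for o in occs):
        return False, "no completed vulnerability scan recorded for image"
    worst = max((SEVERITY_RANK[o.detail] for o in occs if o.kind == "VULNERABILITY"),
                default=0)
    if worst > SEVERITY_RANK[max_severity]:
        return False, f"vulnerability above {max_severity} present"
    # A second producer (a human or CI sign-off) must also have attested the image.
    if not any(o.kind == "ATTESTATION" and o.detail == required_attestor for o in occs):
        return False, f"missing attestation from {required_attestor}"
    return True, "admitted"

# Constructed sample store: three images, records written by two producers.
DIGEST = "registry.example/app@sha256:"
IMG_CLEAN, IMG_VULN, IMG_UNSCANNED = (DIGEST + c * 64 for c in "abc")
STORE = [
    Occurrence(IMG_CLEAN, "DISCOVERY", "scanner", "FINISHED_SUCCESS"),
    Occurrence(IMG_CLEAN, "VULNERABILITY", "scanner", "LOW"),
    Occurrence(IMG_CLEAN, "ATTESTATION", "ci-pipeline", "qa-signoff"),
    Occurrence(IMG_VULN, "DISCOVERY", "scanner", "FINISHED_SUCCESS"),
    Occurrence(IMG_VULN, "VULNERABILITY", "scanner", "CRITICAL"),
    Occurrence(IMG_VULN, "ATTESTATION", "ci-pipeline", "qa-signoff"),
    # IMG_UNSCANNED was signed off, but the scanner never ran on it.
    Occurrence(IMG_UNSCANNED, "ATTESTATION", "ci-pipeline", "qa-signoff"),
]

if __name__ == "__main__":
    for img in (IMG_CLEAN, IMG_VULN, IMG_UNSCANNED):
        print(img[-8:], admit(img, STORE))
```

The unscanned image is rejected even though it carries a valid attestation, which is the behaviour a policy should have when a producer's metadata is simply absent.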
Organizations can now store metadata about components drawn from several repositories in one place. Grafeas is hybrid-cloud friendly and pluggable, which makes it straightforward to add new metadata producers and consumers.
Grafeas provides structured metadata schemas, strong access controls, and rich query capability, which helps organizations manage modern software development environments.
IBM will deliver Grafeas and Kritis as part of the IBM Container Service on IBM Cloud. Along with IBM, many well-established organizations, including JFrog, Red Hat, Black Duck, Twistlock, Aqua Security, and CoreOS, will be contributing to the new Grafeas project.