Connect with us

Hi, what are you looking for?


Application Security

Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Google announces GUAC, an open source tool to help organizations better understand software supply chains by centralizing build, security, and dependency metadata.

Google today introduced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.

Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.

GUAC aggregates metadata from different sources, including supply chain levels for software artifacts (SLSA) provenance, software bills of materials (SBOM), and vulnerabilities, to provide a more comprehensive view over them.

“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” Google says.

By querying this graph, organizations can improve their audit processes and risk management, can better meet policy requirements, and even provide developer assistance.

GUAC, the internet giant explains, has four areas of functionality, including metadata collection (from public, first-person, and third-party sources), ingestion of data (on artifacts, resources, vulnerabilities, and more), data assembly into a coherent graph, and user query for metadata attached to entities within the graph.

By aggregating software security metadata and making it meaningful and actionable, GUAC can help identify risks, discover critical libraries within open source software, and gather information on software dependencies, to improve supply chain security.

Advertisement. Scroll to continue reading.

The open source project is in its early stages, with a proof of concept (PoC) now available on GitHub, offering support for the ingestion of SLSA, SBOM, and Scorecard documents and for simple queries for software metadata.

“The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation,” Google says.

The internet giant has created a group of ‘Technical Advisory Members’ that includes SPDX, CycloneDX Anchore, Aquasec, IBM, Intel, and others, to help expand the project towards consuming data from many different sources and formats.

Related: Google Launches Bug Bounty Program for Open Source Projects

Related: Academics Devise Open Source Tool For Hunting Node.js Security Flaws

Related: Google Open Sources ‘Paranoid’ Crypto Testing Library

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...