As organizations break down large systems into container-based microservices, it becomes harder to track all the pieces.To handle this,Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS recently announced Grafeas , a new joint open-source project that provides users with a standardized way for auditing and governing for computing components & their software supply chain.
Grafeas offers a central, structured knowledge-base of the critical metadata organizations need to successfully manage their software supply chains.
- Using immutable infrastructure (e.g., containers) to establish preventative security postures against persistent advanced threats
- Building security controls into the software supply chain, based on comprehensive component metadata and security attestations, to protect production deployments
- Keeping the system flexible and ensuring interoperability of developer tools around common specifications and open-source software
Grafeas defines metadata API spec for computing components (e.g., VM images, container images, jar files, scripts) that can assist with aggregations over your metadata. This means keeping a record of authorship and code provenance, recording the deployment of each piece of code, marking whether code passed a security scan, which components it uses and whether Q&A signed off on it.
So before a new piece of code is deployed, the system can check all of the info about it through the Grafeas API and if it’s certified and free of vulnerabilities, then it can get pushed into production.
To learn more about Grafeas,visit GitHub