Google and IBM, together with a handful of partners, have released Grafeas, an open-source project that stores and serves metadata about software components, which developers can use to secure their software supply chain.
According to an IBM blog post, the goal of the project is to help developers maintain security standards as microservices and containers fragment the software supply chain into many small, independently built and deployed pieces.
Grafeas was built as a container security API. IBM will integrate its own container-scanning tool, Vulnerability Advisor, with it, and describes Grafeas as a “central source of truth” for enforcing security policies.
The API stores the metadata that describes an organisation’s software artifacts: what was built, when, where and by whom, and what scanners have found in it. One of its main advantages is that it gives developers a clearer view of when and where code is being changed, and who is changing it.
"Grafeas defines the central source of truth for organisations that must track and enforce policies across an ever growing set of software development teams and pipelines," the post said. "Build, auditing and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds."
Grafeas is paired with Kritis, another open-source project allowing devs to create Kubernetes governance policies based on Grafeas metadata. "Kritis acts as a real-time enforcement chokepoint at the container deploy time for Kubernetes clusters, and demonstrates how to build strong governance tools with Grafeas as the foundation," the post said.
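The two quoted roles, a metadata store that build and audit tools write to and a deploy-time chokepoint that reads from it, are easier to see in code. The following is an added example, not code from Grafeas, Kritis or the blog post: a toy in-memory model of Grafeas-style notes (reusable descriptions such as a vulnerability or an attestation authority) and occurrences (that note applied to one image), plus a Kritis-like admission check. The kind names, severity labels, policy fields and sample vulnerability identifiers are simplified assumptions constructed for the example, not the projects' real API. It also shows one caveat a practitioner would want: the check keys metadata on the image digest, because a mutable tag can be repointed after scanning.

```python
"""Added example (not Grafeas or Kritis code): toy Note/Occurrence store
and a deploy-time admission gate that consults it.

Assumptions: kind names, severity labels, note names and the policy shape
are simplified stand-ins; sample data is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Note:
    name: str                  # e.g. "providers/scanner/notes/EXAMPLE-VULN-1" (constructed)
    kind: str                  # "VULNERABILITY" or "ATTESTATION_AUTHORITY"
    severity: Optional[str] = None


@dataclass
class Occurrence:
    resource_url: str          # image reference, ideally digest-pinned
    note_name: str
    kind: str                  # "VULNERABILITY" or "ATTESTATION"
    attestation_by: Optional[str] = None  # authority that signed, for attestations


class MetadataStore:
    """Minimal in-memory stand-in for a store/query metadata API."""

    def __init__(self) -> None:
        self.notes: Dict[str, Note] = {}
        self.occurrences: List[Occurrence] = []

    def create_note(self, note: Note) -> None:
        self.notes[note.name] = note

    def create_occurrence(self, occ: Occurrence) -> None:
        # Occurrences must reference an existing note, so every finding is
        # traceable to a shared description.
        if occ.note_name not in self.notes:
            raise ValueError(f"occurrence references unknown note {occ.note_name}")
        self.occurrences.append(occ)

    def list_occurrences(self, resource_url: str, kind: Optional[str] = None) -> List[Occurrence]:
        return [o for o in self.occurrences
                if o.resource_url == resource_url and (kind is None or o.kind == kind)]


@dataclass
class DeployPolicy:
    max_severity: str                                   # highest severity still allowed
    required_attestors: List[str] = field(default_factory=list)


def admit(store: MetadataStore, image: str, policy: DeployPolicy) -> List[str]:
    """Deploy-time chokepoint: return the reasons to deny; an empty list admits."""
    reasons: List[str] = []
    # Metadata was recorded against a specific artifact. A tag such as
    # ":latest" can be repointed later, so only a digest identifies the
    # artifact the stored metadata actually describes.
    if "@sha256:" not in image:
        reasons.append(f"{image}: image is not digest-pinned, stored metadata may not match it")
        return reasons
    limit = SEVERITY_RANK[policy.max_severity]
    for occ in store.list_occurrences(image, kind="VULNERABILITY"):
        note = store.notes[occ.note_name]
        if note.severity and SEVERITY_RANK[note.severity] > limit:
            reasons.append(f"{image}: {occ.note_name} is {note.severity}, above {policy.max_severity}")
    attested_by = {o.attestation_by for o in store.list_occurrences(image, kind="ATTESTATION")}
    for authority in policy.required_attestors:
        if authority not in attested_by:
            reasons.append(f"{image}: missing attestation from {authority}")
    return reasons


def demo() -> tuple:
    """Populate the store with constructed data and gate three images."""
    store = MetadataStore()
    store.create_note(Note("providers/scanner/notes/EXAMPLE-VULN-1", "VULNERABILITY", "CRITICAL"))
    store.create_note(Note("providers/scanner/notes/EXAMPLE-VULN-2", "VULNERABILITY", "LOW"))
    store.create_note(Note("providers/qa/notes/qa-signoff", "ATTESTATION_AUTHORITY"))

    good = "registry.example/app@sha256:" + "a" * 64   # constructed digest
    bad = "registry.example/app@sha256:" + "b" * 64    # constructed digest
    store.create_occurrence(Occurrence(good, "providers/scanner/notes/EXAMPLE-VULN-2", "VULNERABILITY"))
    store.create_occurrence(Occurrence(good, "providers/qa/notes/qa-signoff", "ATTESTATION", attestation_by="qa"))
    store.create_occurrence(Occurrence(bad, "providers/scanner/notes/EXAMPLE-VULN-1", "VULNERABILITY"))

    policy = DeployPolicy(max_severity="MEDIUM", required_attestors=["qa"])
    return (admit(store, good, policy),                            # admitted: []
            admit(store, bad, policy),                             # denied: critical vuln, no attestation
            admit(store, "registry.example/app:latest", policy))   # denied: tag, not digest


if __name__ == "__main__":
    for verdict in demo():
        print("ADMIT" if not verdict else "DENY: " + "; ".join(verdict))
```

The split between notes and occurrences is what lets many pipelines share one description of a vulnerability or one attestation authority while recording per-image findings separately; the admission function only ever reads, which is why it can sit in front of a cluster as a chokepoint without becoming another writer to the store.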
Besides Google and IBM, JFrog, Red Hat, Black Duck, Twistlock, Aqua Security and CoreOS worked on the project.