UPDATED 11:00 EDT / OCTOBER 12 2017

CLOUD

Google and friends open-source Grafeas API to clean up software supply chains

Google LLC is teaming up with a host of tech players large and small to tackle some of the headaches around software supply chain governance and audits.

The internet giant’s long list of friends includes JFrog Ltd., Red Hat Inc., IBM Corp., Black Duck Software Inc., Twistlock Ltd., Aqua Security Software Ltd. and CoreOS Inc. They’ve all joined forces to create Grafeas, an open-source application programming interface intended to “define a uniform way for auditing and governing the modern software supply chain.”

The new project arrives as DevOps practices reshape the way companies build and deploy software. Applications are increasingly built as microservices, an architectural approach that breaks an application into small, independently deployable components. That agility means quarterly releases are giving way to continuous updates that can land several times in a single day. These applications are also packaged as software containers, which run unchanged across different computing environments and speed delivery further still.

In short, software development is becoming more rapid, distributed and dynamic, and that’s having a big impact on companies’ need to understand and control their software supply chains, Google said in its blog post today announcing Grafeas.

The catch is that, even at this pace, businesses still need to know who built what, and where. They need to know whether their software complies with their own processes and with regulations, and whether it is vulnerable or secure. And they need to know which applications are running right now and where they are running, and to keep control over when that changes.

This is what Grafeas is all about. The software is intended to provide a central, structured knowledge base of the critical metadata that’s needed to govern software supply chains.

“Grafeas provides organizations with a central source of truth for tracking and enforcing policies across an ever growing set of software development teams and pipelines,” Stephen Elliott, product manager for developer platforms and Jianing Guo, product manager for container security, wrote on Google’s blog. “Build, auditing, and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.”

The diagram below sheds more light on what Grafeas actually does. As Elliott and Guo noted, metadata is generated by different tools at each stage of the software supply chain: coding, building, testing, deployment and operations. That metadata might record who wrote the code, when it was checked in, which vulnerabilities a scanner found, which tests passed and failed, and so on. Grafeas’ job is to capture all of it against the component it describes and make it queryable, giving users visibility across the entire software supply chain.

[Diagram: metadata produced at each stage of the software supply chain (coding, building, testing, deployment, operations) flowing into the central Grafeas knowledge base]

Alongside Grafeas, the companies have also built a companion tool called Kritis, which they describe as a “Kubernetes policy engine” for enforcing policies on the software supply chain. Kritis applies those policies at deploy time: when a container is about to be admitted to a Kubernetes cluster, it checks the metadata recorded in Grafeas for that container image against the organization’s policy and can block deployments that do not satisfy it.
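The following Go program is an added illustration, not code from the Grafeas or Kritis projects, of how the two pieces described above fit together. It contains a minimal in-memory store that mirrors Grafeas’ notes-and-occurrences model (a note describes a fact type once; an occurrence attaches that fact to a specific, digest-pinned artifact), and a deploy-time policy check in the spirit of Kritis that admits an image only if every required attestor has signed off and no recorded vulnerability exceeds a tolerated severity. The note names, the all-zero image digest and the attestor names are constructed placeholders, and the struct fields are a simplification for the example rather than the real API’s client library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Kind is the category of fact an occurrence records; two of Grafeas's kinds are modelled here.
type Kind string

const KindVulnerability Kind = "VULNERABILITY"
const KindAttestation Kind = "ATTESTATION"

// Note describes a fact type once; Occurrences then attach it to digest-pinned resources.
type Note struct {
	Name     string // projects/{project}/notes/{note_id}
	Kind     Kind
	Severity string // VULNERABILITY notes: LOW, MEDIUM, HIGH or CRITICAL
	Attestor string // ATTESTATION notes: the authority that signs off
}

// Occurrence is one instance of a Note observed on one resource.
type Occurrence struct {
	NoteName    string
	ResourceURI string // e.g. https://registry.example/app@sha256:...
	Kind        Kind
}

// Store is an in-memory stand-in for the Grafeas server (simplified for this example).
type Store struct {
	notes       map[string]Note
	occurrences []Occurrence
}

func NewStore() *Store             { return &Store{notes: map[string]Note{}} }
func (s *Store) CreateNote(n Note) { s.notes[n.Name] = n }

// CreateOccurrence rejects metadata that points at an unknown note or names the
// resource by a mutable tag instead of an exact digest, because a tag can be
// re-pointed after the scan or sign-off that produced the metadata.
func (s *Store) CreateOccurrence(o Occurrence) error {
	if _, ok := s.notes[o.NoteName]; !ok {
		return fmt.Errorf("occurrence refers to unknown note %q", o.NoteName)
	}
	if !strings.Contains(o.ResourceURI, "@sha256:") {
		return errors.New("resource URI must be digest-pinned; tags are mutable")
	}
	s.occurrences = append(s.occurrences, o)
	return nil
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Policy is a deploy-time rule in the spirit of Kritis: admit an image only if every
// required attestor has vouched for it and no known vulnerability exceeds MaxSeverity.
type Policy struct {
	RequiredAttestors []string
	MaxSeverity       string
}

// Admit evaluates the policy against the store, reporting every reason for denial.
func (p Policy) Admit(s *Store, resourceURI string) (bool, []string) {
	var reasons []string
	attested := map[string]bool{}
	for _, o := range s.occurrences {
		if o.ResourceURI != resourceURI {
			continue
		}
		n := s.notes[o.NoteName]
		switch o.Kind {
		case KindAttestation:
			attested[n.Attestor] = true
		case KindVulnerability:
			if severityRank[n.Severity] > severityRank[p.MaxSeverity] {
				reasons = append(reasons, fmt.Sprintf("%s: severity %s exceeds %s", o.NoteName, n.Severity, p.MaxSeverity))
			}
		}
	}
	for _, a := range p.RequiredAttestors {
		if !attested[a] {
			reasons = append(reasons, "missing attestation from "+a)
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed sample data: placeholder note names, an all-zero digest and made-up attestors.
	s := NewStore()
	s.CreateNote(Note{Name: "projects/demo/notes/qa-signoff", Kind: KindAttestation, Attestor: "qa"})
	s.CreateNote(Note{Name: "projects/demo/notes/vuln-placeholder", Kind: KindVulnerability, Severity: "CRITICAL"})
	img := "https://registry.example/app@sha256:" + strings.Repeat("0", 64)
	_ = s.CreateOccurrence(Occurrence{NoteName: "projects/demo/notes/qa-signoff", ResourceURI: img, Kind: KindAttestation})
	_ = s.CreateOccurrence(Occurrence{NoteName: "projects/demo/notes/vuln-placeholder", ResourceURI: img, Kind: KindVulnerability})
	ok, reasons := Policy{RequiredAttestors: []string{"qa", "security"}, MaxSeverity: "HIGH"}.Admit(s, img)
	fmt.Println("admitted:", ok, reasons)
}
```

Two design points carry over to a real deployment: metadata is only worth enforcing on when it is bound to an immutable digest, since a tag can be moved after a scan or sign-off, and the admission decision should return every failing condition rather than stopping at the first, so that a blocked deploy can be fixed in one pass.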

The announcement of both tools underlines how quickly the overall Kubernetes ecosystem is maturing, said Holger Mueller, vice president and principal analyst at Constellation Research Inc.

“We’re seeing the next level of Kubernetes’ evolution, where projects are being created around deployments and scale,” Mueller said. “It’s good to see the wide approach across technology vendors and enterprises, as this gives it a higher level of validation and confidence that these will be successful initiatives.”

Grafeas and Kritis have both been released under an open-source license and can be downloaded from GitHub.

Image: geralt/pixabay
