Google & Partners Secure 'Software Supply Chain'

Mitch Wagner

Google and partners are launching Grafeas, an open source API to help organizations manage security and policies on their "software supply chain."

Google (Nasdaq: GOOG), along with Red Hat Inc. (NYSE: RHT), IBM Corp. (NYSE: IBM) and other companies, is working on Grafeas to provide a means of "auditing and governing the modern software supply chain," according to a blog post from Google announcing the initiative Thursday.

Alongside Grafeas, Google is releasing Kritis, a Kubernetes policy engine that enforces software supply chain policies using the metadata Grafeas stores about an image. Using Kritis, organizations can enforce container policies at deployment time on Kubernetes clusters, Google says.

Shopify is using Grafeas and Kritis to manage its 6,000-plus daily builds and a registry of more than 330,000 container images. The ecommerce provider uses Grafeas and Kritis to "automatically store vulnerability and build information about every container image that we create and strictly enforce a built-by-Shopify policy," Jonathan Pulsifer, Shopify senior security engineer, says in Google's blog post. Shopify's Kubernetes clusters only run images signed by its builder.

"Grafeas and Kritis actually help us achieve better security while letting developers focus on their code," Pulsifer says.


Other companies participating in the Grafeas partnership are JFrog, Black Duck, Twistlock, Aqua Security and CoreOS.

Several software trends are driving the need for tools like Grafeas and Kritis (which, by the way, are Greek for "scribe" and "judge," respectively), Google says. Among these are growing, fragmented toolsets, including more languages and tools; open source software adoption, which makes developers more productive but also complicates auditing and governance; decentralized and continuous delivery; hybrid cloud deployments spreading software over multiple locations; and microservices architectures, which mean more pieces to track.

"Large monoliths are being replaced with dozens or hundreds of microservices," Jason McGee, IBM fellow and vice president and chief technology officer for IBM Cloud Platform, says in a blog post announcing IBM's participation in the initiative. "Quarterly updates are being replaced with continuous deployments happening dozens of times a day. Servers that you love and maintain are switched for ephemeral containers that are constantly replaced."

Says Google, "Without uniform metadata schemas or a central source of truth, CIOs struggle to manage and secure their software supply chains, let alone answer foundational questions like: 'Is software component X deployed right now?' 'Did all components deployed to production pass required compliance tests?' and 'Does vulnerability Y affect any production code?'"
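The following is an added example, not code from Grafeas, Kritis or any of the companies named above. It sketches, in Go, the two ideas the Shopify quote and Google's three questions rely on: a metadata store that separates provider-defined notes (a vulnerability, an attestation authority) from occurrences of those notes on specific image digests, and a Kritis-style admission check that only admits an image carrying a valid signature from a required builder and no vulnerability above a chosen severity. The note IDs, image URLs, severity ranking and Ed25519 signature-over-digest-URL scheme are all assumptions chosen for the example; the real projects define their own schemas and signing formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// Note is a provider-owned description (a vulnerability, an attestation
// authority); Occurrence ties one Note to one image digest. The split is
// modelled on Grafeas's note/occurrence idea; the field names are assumptions.
type Note struct {
	ID       string // assumed form, e.g. "attestors/built-by-example"
	Kind     string // "VULNERABILITY" or "ATTESTATION"
	Severity string // VULNERABILITY notes only: LOW, MEDIUM, HIGH, CRITICAL
}

type Occurrence struct {
	NoteID      string
	ResourceURL string // image pinned by digest, not tag, e.g. "registry.example/app@sha256:..."
	Signature   []byte // ATTESTATION occurrences: Ed25519 signature over ResourceURL
}

type Store struct {
	notes map[string]Note
	occs  []Occurrence
}

func NewStore() *Store { return &Store{notes: map[string]Note{}} }

func (s *Store) AddNote(n Note) { s.notes[n.ID] = n }

// AddOccurrence rejects occurrences for notes nobody defined, so a scanner
// cannot attach a "vulnerability" or "attestation" of a kind the store never declared.
func (s *Store) AddOccurrence(o Occurrence) error {
	if _, ok := s.notes[o.NoteID]; !ok {
		return fmt.Errorf("unknown note %q", o.NoteID)
	}
	s.occs = append(s.occs, o)
	return nil
}

// Attest is what a trusted builder publishes: a signature binding its key to the image digest.
func Attest(priv ed25519.PrivateKey, attestorNoteID, resourceURL string) Occurrence {
	return Occurrence{NoteID: attestorNoteID, ResourceURL: resourceURL,
		Signature: ed25519.Sign(priv, []byte(resourceURL))}
}

// AffectedResources answers "does vulnerability Y affect any image?" (sorted, de-duplicated).
func (s *Store) AffectedResources(noteID string) []string {
	seen := map[string]bool{}
	for _, o := range s.occs {
		if o.NoteID == noteID {
			seen[o.ResourceURL] = true
		}
	}
	var out []string
	for r := range seen {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Policy is a Kritis-style admission rule: every required attestor must have
// signed this exact digest, and no vulnerability may exceed MaxSeverity.
// An unknown MaxSeverity ranks 0, so any recorded vulnerability then blocks.
type Policy struct {
	RequiredAttestors map[string]ed25519.PublicKey // attestor note ID -> verifying key
	MaxSeverity       string
}

// Admit reports whether the image may deploy, with the reasons when it may not.
func (p Policy) Admit(s *Store, resourceURL string) (bool, []string) {
	var reasons []string
	attested := map[string]bool{}
	for _, o := range s.occs {
		if o.ResourceURL != resourceURL {
			continue
		}
		n := s.notes[o.NoteID]
		switch n.Kind {
		case "VULNERABILITY":
			if severityRank[n.Severity] > severityRank[p.MaxSeverity] {
				reasons = append(reasons, fmt.Sprintf("%s is %s, above %s", n.ID, n.Severity, p.MaxSeverity))
			}
		case "ATTESTATION": // only a signature by the key we trust for this attestor counts
			if pub, ok := p.RequiredAttestors[n.ID]; ok && ed25519.Verify(pub, []byte(resourceURL), o.Signature) {
				attested[n.ID] = true
			}
		}
	}
	for id := range p.RequiredAttestors {
		if !attested[id] {
			reasons = append(reasons, "missing or invalid attestation from "+id)
		}
	}
	sort.Strings(reasons)
	return len(reasons) == 0, reasons
}

func main() { // constructed sample data: one signed clean image, one unsigned image with a critical finding
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewStore()
	s.AddNote(Note{ID: "attestors/built-by-example", Kind: "ATTESTATION"})
	s.AddNote(Note{ID: "vulnerabilities/sample-critical", Kind: "VULNERABILITY", Severity: "CRITICAL"})
	good, bad := "registry.example/app@sha256:1111", "registry.example/app@sha256:2222"
	s.AddOccurrence(Attest(priv, "attestors/built-by-example", good))
	s.AddOccurrence(Occurrence{NoteID: "vulnerabilities/sample-critical", ResourceURL: bad})
	p := Policy{RequiredAttestors: map[string]ed25519.PublicKey{"attestors/built-by-example": pub}, MaxSeverity: "HIGH"}
	for _, img := range []string{good, bad} {
		ok, why := p.Admit(s, img)
		fmt.Println(img, ok, why)
	}
	fmt.Println("affected by sample-critical:", s.AffectedResources("vulnerabilities/sample-critical"))
}
```

Two design points worth noting: the signature covers the digest-pinned resource URL, so re-tagging a different image does not carry an attestation with it, and an attestation signed by a key other than the one the policy trusts for that attestor is simply ignored, which makes the image fail for a missing attestation rather than being treated as a special case.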

Grafeas is available as a GitHub project and more information is available at

— Mitch Wagner, Editor, Enterprise Cloud News

10/21/2017 | 3:30:11 PM
Re: Executives
And as a GitHub project it should find plenty of folks interested in joining with others to promote and make further progress, while moving the capabilities of better security available to all along the way.
Susan Fourtané
10/16/2017 | 9:30:31 PM
Grafeas has really good features. One that caught my attention was about scanning and coming across vulnerabilities. A security scanning provider would create notes in the customer’s project showing vulnerabilities.
10/12/2017 | 1:14:34 PM
Interesting read. 

I can see how this would be valuable for decision-making executives. I've never put a lot of thought into this idea of software supply chains, but it certainly makes sense.