Google & Partners Secure 'Software Supply Chain'

The open source Grafeas and Kritis projects are designed for securing and certifying modern, complex software rollouts.

Mitch Wagner, Executive Editor, Light Reading

October 12, 2017

3 Min Read

Google and partners are launching Grafeas, an open source API to help organizations manage security and policies on their "software supply chain."

Google (Nasdaq: GOOG), along with Red Hat Inc. (NYSE: RHT), IBM Corp. (NYSE: IBM) and other companies, is working on Grafeas to provide a means of "auditing and governing the modern software supply chain," according to a blog post from Google announcing the initiative Thursday.

Grafeas includes Kritis, a Kubernetes policy engine to help customers enforce software supply chain policies. Using Kritis, organizations can enforce container policies at deployment for Kubernetes clusters, Google says.

Shopify is using Grafeas and Kritis to manage its 6,000-plus daily builds and a registry of more than 330,000 container images. The ecommerce provider uses Grafeas and Kritis to "automatically store vulnerability and build information about every container image that we create and strictly enforce a built-by-Shopify policy," Jonathan Pulsifer, Shopify senior security engineer, says in Google's blog post. Shopify's Kubernetes clusters only run images signed by its builder.

"Grafeas and Kritis actually help us achieve better security while letting developers focus on their code," Pulsifer says.

Figure 1: Photo by Steve Jurvetson (CC BY 2.0).


Other companies participating in the Grafeas partnership are JFrog, BlackDuck, Twistlock, Aqua Security and CoreOS.

Several software trends are driving the need for tools like Grafeas and Kritis (which, by the way, mean "scribe" and "judge," respectively), Google says. Among these are growing, fragmented toolsets, including more languages and tools; open source software adoption, which makes developers more productive but also complicates auditing and governance; decentralized and continuous delivery; hybrid cloud deployments spreading software over multiple locations; and microservices architectures -- more pieces to track.

"Large monoliths are being replaced with dozens or hundreds of microservices," Jason McGee, IBM fellow, vice president and chief technology officer for IBM Cloud Platform, says in a blog post announcing IBM's participation in the initiative. "Quarterly updates are being replaced with continuous deployments happening dozens of times a day. Servers that you love and maintain are switched for ephemeral containers that are constantly replaced."

Says Google, "Without uniform metadata schemas or a central source of truth, CIOs struggle to manage and secure their software supply chains, let alone answer foundational questions like: 'Is software component X deployed right now?' 'Did all components deployed to production pass required compliance tests?' and 'Does vulnerability Y affect any production code?'"
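As an added illustration (not Grafeas' or Kritis' own code, and not the Grafeas API), here is a toy Python model of the approach described above: a central store of per-image metadata, a deploy-time policy of the kind Shopify describes that admits only images attested by the organization's own builder, and lookups that answer the three questions Google lists. The builder key, image digests, component names and CVE identifier are constructed stand-ins, and HMAC stands in for a real signature scheme.

```python
import hmac
import hashlib

# Constructed sample data: a minimal model of Grafeas-style metadata, where each
# occurrence attaches one fact (build, vulnerability, attestation) to an image digest.
# Added illustration only; this is not the Grafeas API or Kritis' code.
BUILDER_KEY = b"constructed-builder-key"  # placeholder for the builder's signing key


def attest(image_digest: str, key: bytes) -> dict:
    """Builder-side: record an attestation for an image it built (HMAC = assumed stand-in)."""
    sig = hmac.new(key, image_digest.encode(), hashlib.sha256).hexdigest()
    return {"resource": image_digest, "kind": "ATTESTATION", "signature": sig}


def vulnerability(image_digest: str, cve: str, severity: str) -> dict:
    """Scanner-side: record a vulnerability finding against an image."""
    return {"resource": image_digest, "kind": "VULNERABILITY", "cve": cve, "severity": severity}


def build(image_digest: str, component: str, builder: str) -> dict:
    """Build-system-side: record which component and builder produced an image."""
    return {"resource": image_digest, "kind": "BUILD", "component": component, "builder": builder}


def admit(image_digest: str, occurrences: list, key: bytes) -> bool:
    """Deploy-time policy ('built by us'): admit only if the store holds an attestation
    for this digest whose signature verifies under our builder key."""
    expected = hmac.new(key, image_digest.encode(), hashlib.sha256).hexdigest()
    return any(o["kind"] == "ATTESTATION" and o["resource"] == image_digest
               and hmac.compare_digest(o["signature"], expected) for o in occurrences)


def is_deployed(component: str, deployed: set, occurrences: list) -> bool:
    """'Is software component X deployed right now?'"""
    return any(o["kind"] == "BUILD" and o["component"] == component
               and o["resource"] in deployed for o in occurrences)


def affected_by(cve: str, deployed: set, occurrences: list) -> set:
    """'Does vulnerability Y affect any production code?' -> deployed images carrying it."""
    return {o["resource"] for o in occurrences
            if o["kind"] == "VULNERABILITY" and o["cve"] == cve and o["resource"] in deployed}


# Constructed sample: one image attested by our builder, one attested under the wrong key.
GOOD, ROGUE = "sha256:aaaa", "sha256:bbbb"
OCCURRENCES = [
    build(GOOD, "checkout-svc", "ci"), attest(GOOD, BUILDER_KEY),
    vulnerability(GOOD, "CVE-0000-0000", "HIGH"),  # placeholder identifier
    build(ROGUE, "checkout-svc", "laptop"), attest(ROGUE, b"wrong-key"),
]
DEPLOYED = {d for d in (GOOD, ROGUE) if admit(d, OCCURRENCES, BUILDER_KEY)}
```

Only the attested image ends up in the deployed set, and the same store then answers the compliance and vulnerability questions without querying each cluster.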

Grafeas is available as a GitHub project and more information is available at


About the Author(s)

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').
