Containers offer many advantages over monolithic applications, packaged as VMs. Most importantly, a container image is immutable, easily built and deployed without reliance on permanent infrastructure. Nevertheless, containers are a challenge to IT operations teams, who need full visibility and control of their software supply chain to implement security and governance policies. To address this problem, today Google announced Grafeas, an Open Source Project that provides a flexible verification framework to connect components deployed in production with their origins. Grafeas is a metadata API that aggregates information about all the software components in a container, including package descriptions, build and deployment histories, and known component vulnerabilities. The Grafeas API can be used to store, query, and retrieve comprehensive metadata on software components of all kinds.
According to a Cloud Foundry study, 22% of organizations have mainstreamed containers and 64% are expected to do so in the next year. But the biggest concern that has prevented adoption is the perception of security risk and a lack of visibility and control. By using Grafeas, organizations gain visibility into all the components that go into a container — from custom code to integrated open source components and container build information. Alongside Grafeas, Google has also introduced Kritis, which allows organizations to set Kubernetes governance policies based on metadata stored in Grafeas. Kritis acts as a real-time policy enforcement layer for Kubernetes clusters which you can use to automatically stop deployment of containers that have Black Duck-identified security vulnerabilities.
Grafeas introduces a chain of provenance through the entire software supply chain to improve trust and adoption of container technologies. Synopsys has been working with Google on the development and testing of the Grafeas API over the last year, and we are continuing to work with Google to deliver on the vision of improving visibility into open source vulnerabilities before they hit production environments. Because many of our customers want to see the results of open source scans in the consoles of their primary development and deployment tools, you’ll continue to see improvements in Black Duck integrations with Google Cloud Platform, including the Grafeas API and other new Google platform features.