Black Duck and Google Grafeas: Improving container visibility and security

Containers offer many advantages over monolithic applications, packaged as VMs. Most importantly, a container image is immutable, easily built and deployed without reliance on permanent infrastructure. Nevertheless, containers are a challenge to IT operations teams, who need full visibility and control of their software supply chain to implement security and governance policies. To address this problem, today Google announced Grafeas, an Open Source Project that provides a flexible verification framework to connect components deployed in production with their origins. Grafeas is a metadata API that aggregates information about all the software components in a container, including package descriptions, build and deployment histories, and known component vulnerabilities. The Grafeas API can be used to store, query, and retrieve comprehensive metadata on software components of all kinds.

According to a Cloud Foundry study, 22% of organizations have mainstreamed containers and 64% are expected to do so in the next year. But the biggest concern that has prevented adoption is the perception of security risk and a lack of visibility and control. By using Grafeas, organizations gain visibility into all the components that go into a container — from custom code to integrated open source components and container build information. Alongside Grafeas, Google has also introduced Kritis, which allows organizations to set Kubernetes governance policies based on metadata stored in Grafeas. Kritis acts as a real-time policy enforcement layer for Kubernetes clusters which you can use to automatically stop deployment of containers that have Black Duck-identified security vulnerabilities.
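To make the two roles described above concrete, here is an added illustration (not Grafeas, Kritis or Black Duck code): a small in-memory metadata store that aggregates build source, package list and scan findings per image digest, and a fail-closed admission check that refuses any image whose recorded vulnerabilities exceed a severity threshold or for which no metadata exists at all. All names, digests, package versions and vulnerability identifiers are constructed placeholders.

```python
# Added illustration (not Grafeas or Kritis code): a tiny in-memory metadata
# store modelled on the idea of aggregating build, package and vulnerability
# data per image digest, plus a fail-closed admission check that refuses to
# deploy images whose recorded vulnerabilities exceed a severity threshold.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # constructed placeholder id, not a real CVE
    package: str            # affected package name
    severity: str           # key of SEVERITY_RANK
    fixed_version: Optional[str] = None


@dataclass
class ImageMetadata:
    digest: str                       # image content digest (constructed values below)
    build_source: str                 # what the image was built from (constructed)
    packages: Dict[str, str]          # package name -> installed version
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


class MetadataStore:
    """Stores and queries per-image metadata, keyed by image digest."""

    def __init__(self) -> None:
        self._images: Dict[str, ImageMetadata] = {}

    def record_build(self, digest: str, build_source: str, packages: Dict[str, str]) -> None:
        self._images[digest] = ImageMetadata(digest, build_source, dict(packages))

    def record_vulnerability(self, digest: str, vuln: Vulnerability) -> None:
        # A finding must refer to a component the image actually contains.
        meta = self._images[digest]
        if vuln.package not in meta.packages:
            raise ValueError(f"{vuln.package} is not a component of {digest}")
        if vuln not in meta.vulnerabilities:
            meta.vulnerabilities.append(vuln)

    def get(self, digest: str) -> Optional[ImageMetadata]:
        return self._images.get(digest)

    def images_with_severity_at_least(self, severity: str) -> List[str]:
        """Query: which recorded images carry a finding at or above this severity?"""
        threshold = SEVERITY_RANK[severity]
        return sorted(
            d for d, m in self._images.items()
            if any(SEVERITY_RANK[v.severity] >= threshold for v in m.vulnerabilities)
        )


def admission_decision(store: MetadataStore, digest: str,
                       max_allowed: str = "MEDIUM") -> Tuple[bool, List[str]]:
    """Policy check: allow only images that have metadata and no finding above max_allowed.

    Unknown images are rejected (fail closed) so unscanned builds cannot reach the cluster.
    Returns (allowed, reasons); reasons is empty when the image is allowed.
    """
    meta = store.get(digest)
    if meta is None:
        return False, [f"no metadata recorded for {digest}"]
    limit = SEVERITY_RANK[max_allowed]
    reasons = [
        f"{v.vuln_id} in {v.package} ({v.severity})"
        for v in meta.vulnerabilities
        if SEVERITY_RANK[v.severity] > limit
    ]
    return (not reasons), reasons


def build_sample_store() -> MetadataStore:
    """Constructed sample data standing in for build records and scan results."""
    store = MetadataStore()
    store.record_build("sha256:aaaa", "git:app@1a2b3c", {"openssl": "1.0.2", "zlib": "1.2.11"})
    store.record_build("sha256:bbbb", "git:app@4d5e6f", {"openssl": "1.1.1", "zlib": "1.2.11"})
    store.record_vulnerability("sha256:aaaa", Vulnerability("VULN-0001", "openssl", "HIGH", "1.1.1"))
    store.record_vulnerability("sha256:aaaa", Vulnerability("VULN-0002", "zlib", "LOW"))
    store.record_vulnerability("sha256:bbbb", Vulnerability("VULN-0002", "zlib", "LOW"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for d in ("sha256:aaaa", "sha256:bbbb", "sha256:cccc"):
        allowed, why = admission_decision(s, d)
        print(d, "ALLOW" if allowed else "DENY", why)
```

The design point worth noting is the fail-closed branch: an image that never passed through the scanning pipeline has no metadata, and the policy treats that absence as a reason to deny rather than as a clean result, which is what keeps the provenance chain meaningful at deployment time.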

Grafeas introduces a chain of provenance through the entire software supply chain to improve trust and adoption of container technologies. Synopsys has been working with Google on the development and testing of the Grafeas API over the last year, and we are continuing to work with Google to deliver on the vision of improving visibility into open source vulnerabilities before they hit production environments. Because many of our customers want to see the results of open source scans in the consoles of their primary development and deployment tools, you’ll continue to see improvements in Black Duck integrations with Google Cloud Platform, including the Grafeas API and other new Google platform features.

Find out more about our integrations with Google Cloud Platform on our partner page, or try Black Duck on GCP. To try Grafeas or to join the project, please visit https://github.com/grafeas.

Posted by Neal Goldman

Mr. Goldman’s background encompasses 25 years of product management, marketing, and business development experience at a variety of technology vendors. Prior to Black Duck, he was a principal product manager at EMC and previously was vice president of product management and marketing at Gryphon Networks. Mr. Goldman has held a variety of senior marketing and product management positions at such companies as Akamai, FTP Software, and Symantec. In addition to his product management experience, he has been an industry analyst at the Yankee Group and managed corporate development for Dr. Solomon’s Software, where he managed strategic alliances, technology licensing, and mergers and acquisitions. He is the author of "The Complete Idiot's Pocket Reference to the Internet." Mr. Goldman holds an undergraduate degree from Tufts University and an MBA from the University of North Carolina, Chapel Hill. Neal’s passion is sailboat racing. You can find him racing at MIT from April to October and in the harbor any given Saturday throughout the winter.