Metadata for software supply chain

Software supply chains can be described by distinct stages in the software lifecycle, including but not limited to: source, build, test, static analysis (e.g. compliance, vulnerabilities), deploy, and production monitoring. Grafeas provides a canonical representation of metadata for each of the stages. The details of the representation of each stage are determined by the standard formats in the industry, where applicable. For example, Compliance metadata supports representing CIS benchmarks, and can be easily extended for other types of compliance benchmarks in the industry. Easily add new metadata types and providers as your software supply chain grows and evolves. Bring over metadata for analysis from different tools used across different stages of the software development lifecycle.

Universal Artifact Metadata Store

Universal artifact metadata

Store, query, and derive metadata about all of your software artifacts, regardless of their type and where they are located: container and VM images, binaries, files, and packages, on a local machine or in private, hybrid, or multi-cloud environments.

Rich query-ability

Grafeas makes it easy to write complex queries for supply chain information. Some examples are:

  • Find all images that are built from a particular GitHub commit that is known to have introduced a security problem.
  • Find all images that were built by a certain version of a certain builder when that builder is known to have been compromised.
  • Find all images in my project that are impacted by CVE-1234.
  • Generate a software bill of materials for my image that I will publish externally.

Horizontal and vertical querying

Grafeas enables both horizontal and vertical queries for metadata across artifacts. A horizontal query is a query across all artifacts with a specific property, e.g. "Find all images that are built from a particular GitHub commit that is known to have introduced a security problem". A vertical query is a query about metadata across the software development lifecycle for a specific artifact, e.g. "Find all source, build, test, and vulnerabilities metadata for a container image."

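The difference between horizontal and vertical queries can be sketched over a small in-memory set of metadata records. This is an added example, not code from the Grafeas project: the record layout, field names, function names, and the `registry.example` resources are constructed assumptions, and it does not call the Grafeas API.

```python
from collections import defaultdict

# Constructed sample records. Field names are a simplified, hypothetical
# model of per-artifact metadata, not the Grafeas API schema.
OCCURRENCES = [
    {"resource": "https://registry.example/app@sha256:aaa", "kind": "BUILD",
     "commit": "c0ffee1", "builder": "builder-x/1.4"},
    {"resource": "https://registry.example/app@sha256:aaa", "kind": "VULNERABILITY",
     "cve": "CVE-1234", "severity": "HIGH"},
    {"resource": "https://registry.example/app@sha256:aaa", "kind": "DEPLOYMENT",
     "environment": "prod"},
    {"resource": "https://registry.example/api@sha256:bbb", "kind": "BUILD",
     "commit": "c0ffee1", "builder": "builder-x/1.5"},
    {"resource": "https://registry.example/web@sha256:ccc", "kind": "BUILD",
     "commit": "deadbee", "builder": "builder-x/1.4"},
    {"resource": "https://registry.example/web@sha256:ccc", "kind": "VULNERABILITY",
     "cve": "CVE-1234", "severity": "LOW"},
]

def horizontal(occurrences, kind, **props):
    """Across all artifacts: which resources have a `kind` record matching props?"""
    return sorted({o["resource"] for o in occurrences
                   if o["kind"] == kind
                   and all(o.get(k) == v for k, v in props.items())})

def vertical(occurrences, resource):
    """For one artifact: every record, grouped by lifecycle stage (kind)."""
    stages = defaultdict(list)
    for o in occurrences:
        if o["resource"] == resource:
            stages[o["kind"]].append({k: v for k, v in o.items()
                                      if k not in ("resource", "kind")})
    return dict(stages)

def deployed_and_affected(occurrences, cve, environment):
    """Combine both: artifacts affected by `cve` that run in `environment`."""
    affected = horizontal(occurrences, "VULNERABILITY", cve=cve)
    return [r for r in affected
            if any(d.get("environment") == environment
                   for d in vertical(occurrences, r).get("DEPLOYMENT", []))]

if __name__ == "__main__":
    print(horizontal(OCCURRENCES, "BUILD", commit="c0ffee1"))
    print(vertical(OCCURRENCES, "https://registry.example/app@sha256:aaa"))
    print(deployed_and_affected(OCCURRENCES, "CVE-1234", "prod"))
```

The last function shows why keeping both views in one store matters for triage: the horizontal query finds every affected image, and the vertical lookup narrows that to the ones actually deployed.
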
Flexible storage

The Grafeas API can store metadata in a wide variety of storage backends: there are implementations with PostgreSQL, BoltDB, Spanner, and OracleDB.

Vendor agnostic

Grafeas makes it easy to keep essential details about the software supply chain without vendor lock-in, so a switch from one CI/CD vendor to another, or a migration from public cloud to hybrid, doesn't result in the loss of metadata about the software artifacts. For example, Build metadata as defined in Grafeas can be used to represent details of builds on Travis, CircleCI, and Jenkins, because it stores, in a generic way, only the details that are common across all builds: the source, the build commands, and the builder itself.

Want to learn more?

Watch the Software Supply Chain with Grafeas and Kritis talk.

Get started by learning Grafeas concepts and trying the reference implementation.