guac
by guacsec
GUAC aggregates and normalizes software security metadata into a high fidelity graph database to enable comprehensive supply chain transparency and risk management.
Primary Use Case
GUAC is used by security teams, auditors, and developers to aggregate diverse software supply chain metadata into a unified graph, enabling risk assessment, compliance auditing, and security automation. It helps organizations query and analyze software artifact relationships to improve governance, risk management, and compliance efforts.
- Aggregates software security metadata into a graph database
- Normalizes entity identities and maps standard relationships
- Supports multiple input document formats like CycloneDX, SPDX, SLSA, OSV, and more
- Provides a consistent GraphQL API with pluggable backend support
- Enables audit, policy enforcement, risk management, and developer assistance
- OpenSSF incubating project focused on supply chain integrity
- Includes demos and use cases for quick adoption
- Docker Compose quickstart for easy deployment
Installation
- Visit https://docs.guac.sh/ for detailed documentation
- Start GUAC services using the docker compose quickstart available at https://docs.guac.sh/setup/
- Refer to the contributor guide (CONTRIBUTING.md) for development setup
Usage
- `docker compose up`: starts the GUAC services using the provided Docker Compose configuration
- Integrate GUAC with CI/CD pipelines to automate supply chain risk assessments and enforce compliance policies before deployment.
- Leverage GUAC's graph database to visualize and trace software component relationships for faster incident investigation and root cause analysis.
- Use GUAC's normalized metadata to enhance threat hunting by correlating supply chain artifacts with known vulnerabilities and exposures.
- Combine GUAC with vulnerability management tools to prioritize patching based on software supply chain risk context.
- Employ GUAC in purple team exercises to simulate supply chain attacks and validate detection and response capabilities across development and security teams.