Google Grafeas can handle the truth: Web giant and pals emit tool to wrangle containers

Open-source project aspires to spare you from dependency hell

Grafeas diagram from Google

Managing software applications in large organizations can be quite complicated, particularly for codebases with lots of dependencies.

Add in virtualized machines, containers, clusters, multiple service providers, multiple development teams, deployment pipelines, external partners, policy requirements, and other contextual considerations, and the challenge looks even more daunting.

Some of the largest cloud computing vendors in the space believe they can make life a bit better for those overseeing complex IT systems.

On Thursday, Google, with the backing of Aqua Security, Black Duck, CoreOS, IBM, Red Hat, and Twistlock, released an open-source project called Grafeas, which provides an API to describe the metadata associated with the software build processes.

According to Google product managers Stephen Elliott and Jianing Guo, Grafeas functions as a structured repository for the metadata necessary to manage software supply chains. It reflects, they say, the lessons Google has learned building internal security and governance systems for millions of releases and billions of containers.

Grafeas – "scribe" in Greek – aspires to be the central, vendor-neutral source of truth for software auditing, building, and compliance tools.

It has some conceptual similarities to an open-source project called Istio, released by Google, IBM, and Lyft earlier this year to simplify the management of microservices.

Shopify has been using Grafeas to help its security team understand which containers have been deployed to production, the time those containers were downloaded from its registry, the packages installed, the security vulnerabilities, if any, and whether the container complies with security requirements.

The e-commerce platform biz runs Grafeas in conjunction with a Google-made Kubernetes policy engine called Kritis, which checks stored metadata to authorize binary deployments in the cloud.

An organization might use such software to craft a policy that would prevent an experimental build from being accidentally deployed to a production cluster, for example.
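To make the metadata-gated deployment concrete, here is an added example (not code from Grafeas, Kritis, Google or Shopify) of a small admission check in the style described above. Only the note/occurrence split and the occurrence kinds BUILD, VULNERABILITY and ATTESTATION follow the Grafeas data model; the record fields, the `Policy` shape, the image digests, builder names and CVE identifiers are all constructed placeholders for illustration. The check refuses an image for a production cluster when its build provenance is missing or flagged experimental, when an unallowlisted vulnerability exceeds the policy's severity ceiling, or when a required attestation has not been recorded.

```python
"""Kritis-style admission decision over Grafeas-shaped metadata.

Added illustration, not Grafeas or Kritis code. Image digests, note names,
builder ids and CVE ids below are constructed placeholders.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Occurrence:
    """One piece of metadata attached to a specific image (a Grafeas 'occurrence')."""
    resource_url: str   # container image pinned by digest
    kind: str           # BUILD, VULNERABILITY or ATTESTATION
    note_name: str      # the Grafeas note this occurrence instantiates
    details: dict = field(default_factory=dict)


@dataclass
class Policy:
    """Constructed stand-in for a per-cluster image security policy."""
    cluster: str
    max_severity: str             # worst vulnerability severity still tolerated
    required_attestors: tuple     # attestation notes that must be present
    allowed_builders: tuple       # BUILD provenance must come from one of these
    cve_allowlist: frozenset = frozenset()


def evaluate(image: str, occurrences: list, policy: Policy) -> list:
    """Return the policy violations for `image`; an empty list means admit."""
    mine = [o for o in occurrences if o.resource_url == image]
    violations = []

    # Build provenance: the image must come from a trusted, non-experimental build.
    builds = [o for o in mine if o.kind == "BUILD"]
    if not builds:
        violations.append("no BUILD provenance recorded for image")
    for b in builds:
        builder = b.details.get("builder")
        if builder not in policy.allowed_builders:
            violations.append(f"built by untrusted builder {builder!r}")
        if b.details.get("experimental"):
            violations.append("experimental build flagged in provenance")

    # Vulnerability findings: anything above the ceiling blocks unless allowlisted.
    limit = SEVERITY_RANK[policy.max_severity]
    for v in (o for o in mine if o.kind == "VULNERABILITY"):
        cve, sev = v.details["cve"], v.details["severity"]
        if cve in policy.cve_allowlist:
            continue
        if SEVERITY_RANK[sev] > limit:
            violations.append(f"{cve} is {sev} (limit {policy.max_severity})")

    # Attestations: every required sign-off must have been recorded against the image.
    present = {o.note_name for o in mine if o.kind == "ATTESTATION"}
    for att in policy.required_attestors:
        if att not in present:
            violations.append(f"missing attestation {att}")
    return violations


# Constructed sample metadata (placeholder digests, not real images).
GOOD = "registry.example/shop@sha256:aaaa0000"
EXPERIMENTAL = "registry.example/shop@sha256:bbbb0000"
QA_NOTE = "projects/example/notes/qa-signoff"
OCCURRENCES = [
    Occurrence(GOOD, "BUILD", "projects/example/notes/build",
               {"builder": "ci.example.internal"}),
    Occurrence(GOOD, "VULNERABILITY", "projects/example/notes/CVE-PLACEHOLDER-1",
               {"cve": "CVE-PLACEHOLDER-1", "severity": "MEDIUM"}),
    Occurrence(GOOD, "ATTESTATION", QA_NOTE, {"signer": "qa@example"}),
    Occurrence(EXPERIMENTAL, "BUILD", "projects/example/notes/build",
               {"builder": "ci.example.internal", "experimental": True}),
    Occurrence(EXPERIMENTAL, "VULNERABILITY", "projects/example/notes/CVE-PLACEHOLDER-2",
               {"cve": "CVE-PLACEHOLDER-2", "severity": "HIGH"}),
]
PROD = Policy("prod", "MEDIUM", (QA_NOTE,), ("ci.example.internal",))


def admit(image: str, policy: Policy = PROD) -> bool:
    """Admission verdict for one image under a policy (True == allow deployment)."""
    return not evaluate(image, OCCURRENCES, policy)


if __name__ == "__main__":
    for img in (GOOD, EXPERIMENTAL):
        print(img, "ADMIT" if admit(img) else "DENY", evaluate(img, OCCURRENCES, PROD))
```

The point of the split is that the deployment gate never inspects the container itself: it only reads what the metadata store already says about the pinned digest, so a build never recorded there, or one recorded as experimental, cannot reach the production cluster even if someone pushes it by hand.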

In essence, Grafeas and Kritis expand the scope of mechanized software management.

"With that deep understanding of what's inside a container, we can automate policy activities based on that information," said Chris Wright, veep and CTO at Red Hat.

IBM, for its part, said it expects to integrate Grafeas and Kritis with its Vulnerability Advisor and DevOps tools and to make the melange available through its cloud container service. ®


Biting the hand that feeds IT © 1998–2017