What is Grafeas? Better auditing for containers


The software we run has never been harder to vouch for than it is today. It is scattered between local deployments and cloud services, built from open source components that are not always a known quantity, and delivered on a fast-moving schedule, which makes it a challenge to guarantee its safety or quality.

The end result is software that is hard to audit, reason about, secure, and manage. It is difficult not just to know what a VM or container was built with, but what has been added, removed, or changed since, and by whom. Grafeas, originally devised by Google, is intended to make these questions easier to answer.

What is Grafeas?

Grafeas is an open source project that defines a metadata API for software components. It is meant to provide a uniform metadata schema that allows VMs, containers, JAR files, and other software artifacts to describe themselves to the environments they run in and to the users that manage them. The goal is to allow processes like auditing the software used in a given environment, and auditing the changes made to that software, to be done in a consistent and reliable way.

Grafeas provides APIs for two kinds of metadata, notes and occurrences. A note describes one piece of metadata in the abstract, such as a single vulnerability, a build step, or an attestation authority, and is owned by the provider that publishes it. An occurrence records that a note applies to one specific artifact, such as a particular container image, so one note can have many occurrences across an environment while the description lives in a single place:

 for creating such a process.

Grafeas clients and third-party support

Right now, Grafeas exists mainly as a spec and a reference implementation, . Clients for , , and are all available, , so clients for other languages shouldn’t be hard to produce.

One key way Google plans to allow Grafeas to be widely used is through Kubernetes. A policy engine for Kubernetes, called Kritis, runs as an admission controller and allows containers to be admitted or rejected at deploy time based on their Grafeas metadata, such as the vulnerability occurrences and attestations attached to an image.
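The notes-and-occurrences model described earlier, and the kind of deploy-time decision Kritis makes over it, are easier to see in code. The following is an added example written for this article; it is not code from the Grafeas or Kritis projects. It models notes and occurrences with Grafeas-style resource names (`projects/{project}/notes/{id}`, `projects/{project}/occurrences/{id}`) in an in-memory store that stands in for the Grafeas API, then evaluates a Kritis-style policy: reject an image if any vulnerability occurrence exceeds a severity threshold, if a required attestation occurrence is missing, or if the image reference is not pinned by digest. The store, the `Admit` function, the policy shape, the severity ordering and all sample data are assumptions constructed for the example; the vulnerability notes are placeholders, not real CVEs.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity mirrors the ordered levels a Grafeas VULNERABILITY note carries.
type Severity int

const (
	SeverityUnspecified Severity = iota
	SeverityMinimal
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

func (s Severity) String() string {
	names := [...]string{"SEVERITY_UNSPECIFIED", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
	if int(s) >= 0 && int(s) < len(names) {
		return names[s]
	}
	return "UNKNOWN"
}

// Note describes one kind of metadata in the abstract (one flaw, one attestation
// authority). Name follows the Grafeas scheme projects/{project}/notes/{noteId}.
type Note struct {
	Name             string
	Kind             string   // "VULNERABILITY", "ATTESTATION", "BUILD", ...
	ShortDescription string
	Severity         Severity // meaningful only when Kind == "VULNERABILITY"
}

// Occurrence records that a note applies to one concrete artifact.
// Name follows projects/{project}/occurrences/{occurrenceId}.
type Occurrence struct {
	Name        string
	NoteName    string // the Note this occurrence instantiates
	ResourceURI string // the artifact, ideally pinned by digest
	Kind        string // copied from the note so filtering needs no join
}

// Store is a hypothetical in-memory stand-in for a Grafeas server (the real
// API exposes ListOccurrences with a filter string instead of this method).
type Store struct {
	Notes       map[string]Note
	Occurrences []Occurrence
}

// OccurrencesFor returns the occurrences of one kind attached to one artifact.
func (s *Store) OccurrencesFor(resourceURI, kind string) []Occurrence {
	var out []Occurrence
	for _, o := range s.Occurrences {
		if o.ResourceURI == resourceURI && o.Kind == kind {
			out = append(out, o)
		}
	}
	return out
}

// Policy is a Kritis-style deploy-time rule (shape assumed for this example).
type Policy struct {
	MaxSeverity       Severity // highest vulnerability severity still admitted
	RequiredAttestors []string // note names of ATTESTATION authorities that must have signed off
}

// Admit decides whether an artifact may be deployed and returns every reason for denial.
// It trusts the presence of an ATTESTATION occurrence; a real controller would also
// verify the attestation's signature against the authority's published key.
func (s *Store) Admit(p Policy, resourceURI string) (bool, []string) {
	var reasons []string
	if !strings.Contains(resourceURI, "@sha256:") {
		reasons = append(reasons, "resource is not pinned by digest; a tag can be repointed after scanning")
	}
	for _, o := range s.OccurrencesFor(resourceURI, "VULNERABILITY") {
		n, ok := s.Notes[o.NoteName]
		if !ok {
			reasons = append(reasons, fmt.Sprintf("%s references unknown note %s", o.Name, o.NoteName))
			continue
		}
		if n.Severity > p.MaxSeverity {
			reasons = append(reasons, fmt.Sprintf("%s: %s is %s, above %s", o.Name, n.ShortDescription, n.Severity, p.MaxSeverity))
		}
	}
	for _, attestor := range p.RequiredAttestors {
		found := false
		for _, o := range s.OccurrencesFor(resourceURI, "ATTESTATION") {
			if o.NoteName == attestor {
				found = true
				break
			}
		}
		if !found {
			reasons = append(reasons, "missing attestation from "+attestor)
		}
	}
	return len(reasons) == 0, reasons
}

// Constructed sample artifacts: two digest-pinned images and one floating tag.
var (
	ImageA = "registry.example/app@sha256:" + strings.Repeat("a", 64)
	ImageB = "registry.example/app@sha256:" + strings.Repeat("b", 64)
	ImageC = "registry.example/app:latest"
)

// sampleStore builds constructed sample data; the "VULN-EXAMPLE" notes are placeholders, not real CVEs.
func sampleStore() *Store {
	notes := []Note{
		{Name: "projects/scanner/notes/VULN-EXAMPLE-1", Kind: "VULNERABILITY", ShortDescription: "constructed flaw in libexample", Severity: SeverityHigh},
		{Name: "projects/scanner/notes/VULN-EXAMPLE-2", Kind: "VULNERABILITY", ShortDescription: "constructed flaw in libother", Severity: SeverityLow},
		{Name: "projects/qa/notes/qa-signoff", Kind: "ATTESTATION", ShortDescription: "QA attestation authority"},
	}
	s := &Store{Notes: map[string]Note{}}
	for _, n := range notes {
		s.Notes[n.Name] = n
	}
	s.Occurrences = []Occurrence{
		{Name: "projects/scanner/occurrences/1", NoteName: notes[0].Name, ResourceURI: ImageA, Kind: "VULNERABILITY"},
		{Name: "projects/scanner/occurrences/2", NoteName: notes[1].Name, ResourceURI: ImageA, Kind: "VULNERABILITY"},
		{Name: "projects/scanner/occurrences/3", NoteName: notes[1].Name, ResourceURI: ImageB, Kind: "VULNERABILITY"},
		{Name: "projects/qa/occurrences/4", NoteName: notes[2].Name, ResourceURI: ImageB, Kind: "ATTESTATION"},
		{Name: "projects/qa/occurrences/5", NoteName: notes[2].Name, ResourceURI: ImageC, Kind: "ATTESTATION"},
	}
	return s
}

func main() {
	s := sampleStore()
	p := Policy{MaxSeverity: SeverityMedium, RequiredAttestors: []string{"projects/qa/notes/qa-signoff"}}
	for _, img := range []string{ImageA, ImageB, ImageC} {
		ok, reasons := s.Admit(p, img)
		fmt.Printf("%s admitted=%v\n", img, ok)
		for _, r := range reasons {
			fmt.Println("  -", r)
		}
	}
}
```

With the sample data, the first image is rejected twice over (a HIGH finding above the MEDIUM ceiling, and no QA attestation), the second is admitted, and the third is rejected only because `:latest` is not a digest: the scan and the attestation were recorded against whatever that tag pointed to at the time, which is exactly the "what changed and by whom" problem the article opens with. The point of keeping vulnerability and attestation data as occurrences on the same resource URI is that one query over the artifact answers both questions; the severity ordering, the policy fields and the digest check are this example's own choices, not part of the Grafeas specification.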

and are planning to add Grafeas integrations to their container products and services.