Grafeas is an open artifact metadata API that offers comprehensive solutions for auditing and governing your software supply chain. With Grafeas, you can effectively manage the various stages of your software's lifecycle, including source, build, test, static analysis, deploy, and production monitoring. Each stage is represented with canonical metadata, using standard industry formats where applicable.

The flexibility of Grafeas allows you to effortlessly add new metadata types and providers as your software supply chain grows and evolves. Furthermore, Grafeas offers universal artifact metadata capabilities, allowing you to store, query, and derive metadata for all types of software artifacts, regardless of their location. Whether it's container and VM images, binaries, files, or packages in local or cloud environments, Grafeas has you covered.

The power of Grafeas lies in its ability to provide valuable insights through complex queries. You can easily retrieve information such as images built from a specific Github commit with known security issues, images built by compromised builders, and images impacted by specific vulnerabilities. Grafeas supports both horizontal and vertical querying techniques, enabling you to search for metadata across all artifacts or focus on specific artifacts throughout the software development lifecycle.

Additionally, Grafeas offers flexible storage options with compatibility for various backends, including PostgreSQL, BoltDB, Spanner, and OracleDB. One of the key advantages of Grafeas is its vendor-agnostic approach, allowing you to retain essential software supply chain details without being locked into a specific CI/CD vendor or cloud provider. This ensures that you don't lose any metadata when transitioning between vendors or migrating to hybrid environments.

To delve deeper into the capabilities of Grafeas, you can explore the Software Supply Chain with Grafeas and Kritis talk. You can also get started by learning about Grafeas concepts and trying the reference implementation. For more resources and community support, you can visit Grafeas on GitHub