A large amount of modern software development involves re-using components from older applications, open-source projects, and across teams within a company. Keeping track of those components can get very hard very fast, and a new project led by Google, Red Hat, IBM, and others hopes to streamline that process.
On Thursday the companies unveiled Grafeas (which means “scribe” in Greek), which helps organizations that have embraced containers as part of their software development strategies understand what is running on their networks and how it got there. It’s an API that users can query to determine how a particular application component came to be part of the final product, which is vital for a lot of companies with strict compliance requirements.
As developers build applications, they generate data around the code they’re creating: the author, the time it was created, and bugs that were flagged along the way. In the age of containers — lightweight application packages that can be created and shut down in seconds — companies that lack the software development expertise of Google or Red Hat need a way to make sure they’re auditing that data.
And that’s where Grafeas comes in. It tracks and surfaces that data for team leaders who are responsible for signing off on their software supply chains, so to speak. Companies working in regulated industries like health care need to be able to verify the integrity of their software development process, and just about every company could stand to benefit from a better understanding of how their software arrived at its final destination.
Several tech companies worked with Google on this project, including JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security, and CoreOS. As part of this project, Google also released Kritis, which allows companies using Kubernetes (apparently all Google projects are now Greek) to set automated policies around their software supply chains.
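To make the two ideas in this article concrete (a metadata store that answers "how did this component get here?" and a Kubernetes-side policy that refuses to run images whose metadata does not pass), here is an added illustrative model in Python. It is not Grafeas or Kritis code and does not reproduce their real API; the `Occurrence`, `MetadataStore`, `provenance` and `admit` names, the severity scale and all sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Occurrence:
    """One recorded fact about a component, keyed by image digest: a build
    record (who built it, when, from which commit) or a bug flagged against it."""
    kind: str       # "build" or "vulnerability"
    resource: str   # image reference pinned by digest
    details: dict

class MetadataStore:
    """Append-only store of occurrences, queried per resource (hypothetical)."""
    def __init__(self) -> None:
        self._by_resource: Dict[str, List[Occurrence]] = {}
    def record(self, occ: Occurrence) -> None:
        self._by_resource.setdefault(occ.resource, []).append(occ)
    def occurrences(self, resource: str, kind: Optional[str] = None) -> List[Occurrence]:
        return [o for o in self._by_resource.get(resource, []) if kind in (None, o.kind)]

def provenance(store: MetadataStore, resource: str) -> Optional[dict]:
    """Answer 'how did this component get into the product?' from its build record."""
    builds = store.occurrences(resource, "build")
    return builds[0].details if builds else None

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def admit(store: MetadataStore, resource: str, trusted_builders: Set[str],
          max_severity: str = "MEDIUM") -> Tuple[bool, str]:
    """Kritis-style gate: deploy only if the image is digest-pinned, has build
    provenance from a trusted builder, and no flagged bug above max_severity."""
    if "@sha256:" not in resource:
        return False, "image not pinned by digest, so metadata cannot be matched"
    build = provenance(store, resource)
    if build is None:
        return False, "no build provenance recorded"
    if build["builder"] not in trusted_builders:
        return False, f"untrusted builder {build['builder']}"
    for v in store.occurrences(resource, "vulnerability"):
        if SEVERITY[v.details["severity"]] > SEVERITY[max_severity]:
            return False, f"{v.details['id']} flagged at {v.details['severity']}"
    return True, "ok"

# Constructed sample data: not real images, builders, people or bug IDs.
STORE = MetadataStore()
API = "registry.example/api@sha256:" + "a1" * 32
WEB = "registry.example/web@sha256:" + "b2" * 32
STORE.record(Occurrence("build", API, {"builder": "ci.example", "author": "alice", "commit": "0000abcd"}))
STORE.record(Occurrence("build", WEB, {"builder": "ci.example", "author": "bob", "commit": "0000ef01"}))
STORE.record(Occurrence("vulnerability", WEB, {"id": "EXAMPLE-0001", "severity": "HIGH"}))
```

The gate refuses a mutable tag such as `:latest` outright, because metadata recorded against a digest cannot be matched to an image that may change under the same name.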