Grafeas
Definition
Grafeas is an open-source project that provides an API for auditing and governing the metadata of software components. It allows users to track and manage metadata related to software supply chain security, such as build provenance, vulnerability occurrences, and deployment status. Grafeas is designed to integrate with CI/CD pipelines, enabling organizations to enforce security policies and ensure compliance throughout the software development lifecycle.
Secure Settings Example
apiVersion: grafeas.io/v1
kind: Note
metadata:
  name: secure-build-note
spec:
  type: BUILD
  build:
    builderVersion: "1.0.0"
    signature:
      publicKey: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
      signature: "MEUCIQDf..."
    provenance:
      id: "build-1234"
      projectId: "secure-project"
      createTime: "2023-10-01T12:00:00Z"
Insecure Settings Example
apiVersion: grafeas.io/v1
kind: Note
metadata:
  name: insecure-build-note
spec:
  type: BUILD
  build:
    builderVersion: "1.0.0"
    signature:
      publicKey: ""
      signature: ""
    provenance:
      id: "build-1234"
      projectId: "insecure-project"
      createTime: "2023-10-01T12:00:00Z"
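The difference between the two notes above is the signature block: the secure note carries a builder public key and a signature over the build provenance, the insecure one carries empty strings, so nothing ties the provenance to a trusted builder and a consumer cannot tell whether it was altered. The following Go program is an added example, not code from the Grafeas project, of the policy gate a CI/CD pipeline would run over such a note before trusting it. It assumes the key and signature are base64-encoded Ed25519 values (the page does not state the key type) and that the signed message is the provenance serialised as JSON; the struct names, `SignProvenance`, `CheckBuildNote` and `SampleNotes` are hypothetical helpers written for this demo, and the three notes it builds are constructed inline to mirror the YAML on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// BuildSignature mirrors the signature block of the page's YAML notes.
// Assumption for this demo: keys and signatures are base64-encoded Ed25519.
type BuildSignature struct {
	PublicKey string `json:"publicKey"`
	Signature string `json:"signature"`
}

// Provenance mirrors the provenance block of the page's YAML notes.
type Provenance struct {
	ID         string `json:"id"`
	ProjectID  string `json:"projectId"`
	CreateTime string `json:"createTime"`
}

// BuildNote is the spec.build section of the page's YAML notes.
type BuildNote struct {
	BuilderVersion string         `json:"builderVersion"`
	Signature      BuildSignature `json:"signature"`
	Provenance     Provenance     `json:"provenance"`
}

var (
	ErrUnsigned     = errors.New("build note carries no public key or signature")
	ErrBadSignature = errors.New("signature does not verify over the provenance")
)

// provenanceBytes is the message that gets signed: the provenance as JSON.
// encoding/json emits struct fields in declaration order, so signer and
// verifier produce the same bytes.
func provenanceBytes(p Provenance) ([]byte, error) {
	return json.Marshal(p)
}

// SignProvenance is what a trusted builder does: sign the provenance and
// attach its public key so a verifier can check the note later.
func SignProvenance(priv ed25519.PrivateKey, p Provenance) (BuildSignature, error) {
	msg, err := provenanceBytes(p)
	if err != nil {
		return BuildSignature{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return BuildSignature{
		PublicKey: base64.StdEncoding.EncodeToString(pub),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// CheckBuildNote is the policy gate. It rejects the page's insecure shape
// (empty fields) and any note whose signature does not verify over its
// provenance. Pinning the public key to a known builder key is the caller's job.
func CheckBuildNote(n BuildNote) error {
	if n.Signature.PublicKey == "" || n.Signature.Signature == "" {
		return ErrUnsigned
	}
	pub, err := base64.StdEncoding.DecodeString(n.Signature.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed public key: %w", ErrBadSignature)
	}
	sig, err := base64.StdEncoding.DecodeString(n.Signature.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("malformed signature: %w", ErrBadSignature)
	}
	msg, err := provenanceBytes(n.Provenance)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// SampleNotes builds three constructed notes: one correctly signed, the page's
// insecure shape with empty fields, and a signed note whose provenance was
// edited after signing.
func SampleNotes() (signed, unsigned, tampered BuildNote, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	prov := Provenance{ID: "build-1234", ProjectID: "secure-project", CreateTime: "2023-10-01T12:00:00Z"}
	sig, err := SignProvenance(priv, prov)
	if err != nil {
		return
	}
	signed = BuildNote{BuilderVersion: "1.0.0", Signature: sig, Provenance: prov}
	unsigned = BuildNote{BuilderVersion: "1.0.0", Provenance: prov}
	tampered = signed
	tampered.Provenance.ProjectID = "some-other-project" // edited after signing
	return
}

func main() {
	signed, unsigned, tampered, err := SampleNotes()
	if err != nil {
		panic(err)
	}
	for name, n := range map[string]BuildNote{"signed": signed, "unsigned": unsigned, "tampered": tampered} {
		fmt.Printf("%-9s -> %v\n", name, CheckBuildNote(n))
	}
}
```

Run as-is, the program accepts the signed note and rejects the other two with distinct errors. In a real pipeline the gate should additionally compare the decoded public key against an allow-list of builder keys; a note that is self-signed with an arbitrary key verifies cryptographically but says nothing about who built the artifact.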