On Thursday, Google and IBM launched Grafeas, an open source project that collects and aggregates specific metadata that developers can use to secure their software, according to an IBM blog post. The goal is to help developers maintain proper security standards, even with the shortened software supply chain brought about by microservices and containers.

Google has been building Grafeas as a container security API. As part of the partnership, IBM will integrate its own container scanning tool, Vulnerability Advisor, into the product. Grafeas will provide a “central source of truth” for enforcing security policies, the post said.

The joint offering provides an open API that collects the metadata that defines a user’s software environment. It gives developers a better view into when and where the code is being changed, while also providing visibility into what data is actually accessing the code, an IBM spokesperson said.


“Grafeas defines the central source of truth for organizations that must track and enforce policies across an ever growing set of software development teams and pipelines,” the post said. “Build, auditing and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.”

An additional component of Grafeas is Kritis, which lets developers create Kubernetes governance policies based on Grafeas metadata. “Kritis acts as a real-time enforcement chokepoint at the container deploy time for Kubernetes clusters, and demonstrates how to build strong governance tools with Grafeas as the foundation,” the post said.
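The deploy-time enforcement the post attributes to Kritis, sketched here as an added example that is not Grafeas or Kritis code: a small policy evaluator over constructed metadata records (the record shape, field names and sample values are assumptions, not the Grafeas schema) that admits an image only when it is referenced by digest, has metadata on record, carries no vulnerability above a configured severity, and has every required attestation.

```python
# Added example: a toy deploy-time admission check in the spirit of Kritis.
# The record shape below is a constructed simplification, not Grafeas' actual API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Occurrence:
    """One piece of metadata recorded about an image (constructed shape)."""
    image: str           # image reference; the policy requires a digest pin
    kind: str            # "VULNERABILITY" or "ATTESTATION"
    severity: str = ""   # for VULNERABILITY records
    authority: str = ""  # for ATTESTATION records (who signed off)

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Policy:
    max_severity: str = "MEDIUM"                   # highest severity still admitted
    required_authorities: frozenset = frozenset()  # attestations that must be present

def evaluate(image: str, store: list, policy: Policy) -> tuple[bool, list]:
    """Return (admit, reasons). Fails closed: images with no metadata are denied."""
    reasons = []
    if "@sha256:" not in image:
        return False, ["image must be referenced by digest, not by tag"]
    records = [o for o in store if o.image == image]
    if not records:
        return False, ["no metadata recorded for this image"]
    limit = SEVERITY_RANK[policy.max_severity]
    for o in records:
        if o.kind == "VULNERABILITY" and SEVERITY_RANK.get(o.severity, 0) > limit:
            reasons.append(f"vulnerability of severity {o.severity} exceeds {policy.max_severity}")
    attested = {o.authority for o in records if o.kind == "ATTESTATION"}
    for a in sorted(policy.required_authorities - attested):
        reasons.append(f"missing attestation from {a}")
    return not reasons, reasons

# Constructed sample metadata store (not real scan output; digests are placeholders).
GOOD = "registry.example/app@sha256:" + "a" * 64
BAD = "registry.example/app@sha256:" + "b" * 64
STORE = [
    Occurrence(GOOD, "VULNERABILITY", severity="LOW"),
    Occurrence(GOOD, "ATTESTATION", authority="qa-team"),
    Occurrence(BAD, "VULNERABILITY", severity="CRITICAL"),
]
POLICY = Policy(max_severity="MEDIUM", required_authorities=frozenset({"qa-team"}))

if __name__ == "__main__":
    for ref in (GOOD, BAD, "registry.example/app:latest"):
        admit, why = evaluate(ref, STORE, POLICY)
        print("ADMIT" if admit else "DENY", ref, why)
```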

The Grafeas product, with its Kritis component, will act as a universal metadata store, and will work with on-premises, cloud, and hybrid environments. It also offers a simple method for developers to add new sources or producers of metadata, the post said.

Structured metadata schemas for common metadata types will make it even easier for users to add new providers or types of metadata. They also let Grafeas interpret the data more quickly once it has been inserted.

Additional features include strong access controls and a query capability that works across components.

On the IBM side of things, Grafeas and Kritis will be available as part of the IBM Container Service on IBM Cloud, the post said. Grafeas will also integrate with other DevOps tools from the company.

The 3 big takeaways for TechRepublic readers

  1. IBM and Google are launching Grafeas, a new open source project that acts as a metadata hub for enforcing security policies across the software development lifecycle.
  2. With Grafeas, developers can better understand when and where code is being changed, along with what data is actually interacting with what part of the code.
  3. Kritis is a component of Grafeas that lets developers create Kubernetes governance policies based on Grafeas metadata.