---
title: "Securing Software Supply Chain with Grafeas"
date: 2017-11-03
slug: securing-software-supply-chain-grafeas
url: /blog/2017/11/Securing-Software-Supply-Chain-Grafeas
author: >
Kelsey Hightower (Google),
Sandra Guo (Google)
---
Kubernetes has evolved to support increasingly complex classes of applications, enabling the development of two major industry trends: hybrid cloud and microservices. With increasing complexity in production environments, customers—especially enterprises—are demanding better ways to manage their software supply chain with more centralized visibility and control over production deployments.
On October 12th, Google and partners [announced](https://cloudplatform.googleblog.com/2017/10/introducing-grafeas-open-source-api-.html) Grafeas, an open source initiative to define a best practice for auditing and governing the modern software supply chain. With Grafeas (“scribe” in Greek), developers can plug components of the CI/CD pipeline into a central source of truth for tracking and enforcing policies. Google is also working on [Kritis](https://github.com/Grafeas/Grafeas/blob/master/case-studies/binary-authorization.md) (“judge” in Greek), which allows DevOps teams to enforce deploy-time image policy using metadata and attestations stored in Grafeas.
Grafeas allows build, auditing and compliance tools to exchange comprehensive metadata on container images through a central API. This makes it possible to enforce policies that provide central control over the software supply process.
[](https://2.bp.blogspot.com/-TDD4slMA7gg/WfzDeKVLr2I/AAAAAAAAAGw/dhfWOrCMdmogSNhGr5RrA2ovr02K5nn8ACK4BGAYYCw/s1600/Screen%2BShot%2B2017-11-03%2Bat%2B12.28.13%2BPM.png)
## Example application: PaymentProcessor
Let’s consider a simple application, _PaymentProcessor_, that retrieves, processes and updates payment info stored in a database. This application is made up of two containers: a standard Ruby container and the custom logic.
Due to the sensitive nature of the payment data, the developers and DevOps team need to be sure that the code meets certain security and compliance requirements, with detailed records on the provenance of this code. There are CI/CD stages that validate the quality of the PaymentProcessor release, but there is no easy way to centrally view or manage this information: