Google, IBM, and Others Introduce Grafeas Open Source API

Google, IBM, along with a number of other technology companies have announced Grafeas, an open source API that stores, queries, and retrieves crucial metadata on all types of software components. Using the Grafeas API, companies can combine data with other metadata to build a comprehensive model for security and governance at scale.

Governance and security at scale present many challenges for organizations whether they are large enterprises or SMBs. This is because of several trends such as the increase in the adoption of open-source software, the move to decentralization and Continuous Delivery, and the rise of Microservice architectures. The number of companies using a growing number of fragmented toolsets and hybrid cloud deployments is also increasing.

Because of the above trends, organizations are generating massive volumes of metadata, and this metadata comes in different formats, is stored in multiple places, and comes from a variety of vendors. Google along with Aqua Security, Black Duck, CoreOS, IBM, JFrog, Red Hat, and Twistlock are working together on Grafeas, an open source project that aims to define a uniform way for companies to audit and govern their software supply chains.

The primary focus of the project is the development of the open source Grafeas API which is an open source artifact metadata API. Technology companies involved with the project are developing the API so that it is pluggable and structured, has strong access controls and rich query ability, and enables universal artifact metadata. The ability to store, query, and retrieve software artifact metadata regardless of where that data is stored or the software artifact type allows companies to get a 360-degree view across different environments.

For more information about the Grafeas open-source artifact metadata API, visit

Be sure to read the next Security article: Recent API Security Incidents Show Perils of Ignoring Best Practices