Grafeas is a new joint open-source project that gives users a standardized way to audit and govern their software supply chain. Grafeas defines an API for storing and querying the metadata that accumulates around code deployments and build pipelines: a record of authorship and code provenance, the deployment history of each piece of code, whether the code passed a security scan, which components it uses (and whether those have known vulnerabilities), and whether QA signed off on it. Before a new piece of code is deployed, the system can query everything known about it through the Grafeas API, and only if it is certified and free of vulnerabilities (to the best of the system's knowledge) is it pushed into production.
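The deployment gate described above, as an added illustration that is not code from the Grafeas project and does not use its client library or schema: a set of constructed, simplified metadata records (their "kind" values loosely echo Grafeas note kinds such as BUILD, VULNERABILITY, DISCOVERY and ATTESTATION, but the record fields, the policy thresholds, the builder and attestor names, the image digests and the placeholder CVE ids are all assumptions made for the example). The gate refuses an artifact unless it has provenance from a trusted builder, a completed vulnerability scan with nothing above the allowed severity, and a verified QA attestation, and it reports every reason for refusal rather than just the first.

```python
"""Admission gate modelled on the Grafeas flow: check all recorded metadata
for an artifact before allowing it into production.

Everything here is a simplified stand-in, not the real Grafeas API: records
are plain dicts keyed by the artifact ('resource') they describe.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Constructed sample metadata for two hypothetical images; digests, builder,
# attestor and CVE ids are placeholders, not real values.
GOOD = "registry.example/app@sha256:aaaa0000"
BAD = "registry.example/app@sha256:bbbb0000"
SAMPLE_OCCURRENCES = [
    {"resource": GOOD, "kind": "BUILD", "builder": "ci.example/pipeline",
     "source": "git@example.com:org/app.git#deadbeef"},
    {"resource": GOOD, "kind": "DISCOVERY", "analysis": "VULNERABILITY",
     "status": "FINISHED_SUCCESS"},
    {"resource": GOOD, "kind": "VULNERABILITY", "cve": "CVE-PLACEHOLDER-1",
     "severity": "LOW"},
    {"resource": GOOD, "kind": "ATTESTATION", "attestor": "qa-signoff",
     "verified": True},
    # Second image: scanned, but one HIGH finding and no QA attestation.
    {"resource": BAD, "kind": "BUILD", "builder": "ci.example/pipeline",
     "source": "git@example.com:org/app.git#cafef00d"},
    {"resource": BAD, "kind": "DISCOVERY", "analysis": "VULNERABILITY",
     "status": "FINISHED_SUCCESS"},
    {"resource": BAD, "kind": "VULNERABILITY", "cve": "CVE-PLACEHOLDER-2",
     "severity": "HIGH"},
]


def evaluate(resource, occurrences, *, trusted_builders,
             max_severity="MEDIUM", required_attestor="qa-signoff"):
    """Return a Decision for `resource`, listing every failed policy rule."""
    by_kind = {}
    for occ in occurrences:
        if occ["resource"] == resource:
            by_kind.setdefault(occ["kind"], []).append(occ)
    reasons = []

    # 1. Provenance: the artifact must have been built by a builder we trust.
    if not any(b["builder"] in trusted_builders for b in by_kind.get("BUILD", [])):
        reasons.append("no build provenance from a trusted builder")

    # 2. The vulnerability scan must actually have finished; an artifact with
    #    no findings but no completed scan is unknown, not clean.
    scans = by_kind.get("DISCOVERY", [])
    if not any(d["analysis"] == "VULNERABILITY" and d["status"] == "FINISHED_SUCCESS"
               for d in scans):
        reasons.append("vulnerability scan has not completed successfully")

    # 3. No known vulnerability above the allowed severity.
    limit = SEVERITY_RANK[max_severity]
    too_severe = sorted(v["cve"] for v in by_kind.get("VULNERABILITY", [])
                        if SEVERITY_RANK[v["severity"]] > limit)
    if too_severe:
        reasons.append("vulnerabilities above %s: %s" % (max_severity, ", ".join(too_severe)))

    # 4. A verified sign-off from the required attestor (QA in the text).
    if not any(a["attestor"] == required_attestor and a["verified"]
               for a in by_kind.get("ATTESTATION", [])):
        reasons.append("missing verified attestation from %s" % required_attestor)

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    for image in (GOOD, BAD):
        d = evaluate(image, SAMPLE_OCCURRENCES, trusted_builders={"ci.example/pipeline"})
        print(image, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The rules are evaluated independently so that an operator sees the full set of gaps (for the second image: both the HIGH finding and the missing sign-off) instead of fixing one and being refused again for the next.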