IBM and Google combine forces to open source Grafeas project, helping developers solve security challenges when building with containers

Containers and microservices are changing the way software is built and deployed. Large monoliths are being replaced with dozens or hundreds of microservices. Quarterly updates are being replaced with continuous deployments happening dozens of times a day. Servers that you love and maintain are switched for ephemeral containers that are constantly replaced.

In short, software development today is more rapid, more distributed and more dynamic. However, these changes do not eliminate the need to understand and control the software supply chain: you still need to know who built what.

You need to understand whether your software is vulnerable, compliant with your processes and regulations, and secure. And you need to know what is running right now, where it is running, and to be able to control when it changes.

Combining these two realities requires new tools and techniques. This is why we are joining forces with Google to create and open source the Grafeas project, with the goal to offer a central, structured knowledge base of the critical metadata you need to govern your software supply chain.

This is a strong step forward in our ongoing work with Google. Together, we’ve launched and are continuing to build technologies which draw on the power of the open community to redefine how developers are building with cloud and data. Last year, we joined forces to launch the OpenPOWER Foundation, and just a few months ago we launched Istio, which is helping developers connect, secure and simplify vast networks of microservices.

As our next collaboration, Grafeas provides an open API to collect all of the dynamic metadata that defines your software environment. Grafeas defines the central source of truth for organizations that must track and enforce policies across an ever-growing set of software development teams and pipelines. Build, auditing and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.

As part of Grafeas, we are also building Kritis, a component which allows organizations to set Kubernetes governance policies based on metadata stored in Grafeas. Kritis acts as a real-time enforcement chokepoint at container deploy time for Kubernetes clusters, and demonstrates how to build strong governance tools with Grafeas as the foundation.

Using this metadata store and enforcement point, you can gain visibility into your environments and enforce policies without slowing down your teams. IBM has pioneered vulnerability analysis as part of the DevOps process and has Vulnerability Advisor built into our Container service. Vulnerability Advisor scans your container images, detects software package vulnerabilities and poor software configurations, and then makes a risk assessment for the contained software. With the Grafeas API, we can now easily combine that data with other metadata in an open manner to build a more comprehensive security and governance model.


At each stage of the software supply chain (code, build, test, deploy, and operate), different tools generate metadata about various software components. This metadata is then captured by Grafeas. | Credit: Google

The open ecosystem that Grafeas will enable, combined with the enforcement in Kritis, ultimately provides the following benefits:

  • Universal coverage and hybrid cloud friendly: Grafeas serves as a central, universal metadata store about any kind of software component, wherever it is – on-premises or on the cloud.
  • Pluggable: Grafeas makes it easy to add new metadata producers and consumers (for example, if you decide to add or change security scanners, or to add new build systems).
  • Structured: Grafeas provides structured metadata schemas for common metadata types (such as vulnerability, build, attestation, and package index metadata), so that you can add new metadata types and providers. This enables the tools that depend on Grafeas to immediately understand those new sources.
  • Strong access controls: Grafeas allows you to carefully control access for multiple metadata producers and consumers.
  • Rich queryability: Grafeas makes it easy to query all metadata across all of your components, so you don’t have to parse monolithic reports on each component.
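As an added illustration (not Grafeas or Kritis code, and not the Grafeas API), the following Python models the pattern described above: several producers write structured records into one store keyed by image, a cross-component query finds the images that need attention, and a deploy-time admission check in the spirit of Kritis refuses images that lack the required attestation or carry vulnerabilities above a severity ceiling. All tool names, image digests and vulnerability ids are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Record:
    kind: str      # structured metadata type: "vulnerability", "build" or "attestation"
    producer: str  # which tool wrote it (scanner, build system, signing authority)
    data: dict

class MetadataStore:
    """Simplified central store (not the Grafeas API): records keyed by image digest."""
    def __init__(self):
        self._by_image = defaultdict(list)

    def add(self, image, record):
        self._by_image[image].append(record)

    def query(self, image, kind):
        return [r for r in self._by_image[image] if r.kind == kind]

    def images_with_severity_at_least(self, floor):
        """Cross-component query: images carrying a vulnerability at or above `floor`."""
        return sorted(img for img, recs in self._by_image.items()
                      if any(r.kind == "vulnerability" and
                             SEVERITY_RANK[r.data["severity"]] >= SEVERITY_RANK[floor] for r in recs))

def admission_decision(store, image, required_attestor, max_severity="MEDIUM"):
    """Deploy-time policy: admit only if `required_attestor` vouched for the image and
    no vulnerability exceeds `max_severity`. Returns (allowed, reasons)."""
    reasons = []
    if not any(r.data.get("attestor") == required_attestor for r in store.query(image, "attestation")):
        reasons.append(f"no attestation from {required_attestor}")
    for r in store.query(image, "vulnerability"):
        if SEVERITY_RANK[r.data["severity"]] > SEVERITY_RANK[max_severity]:
            reasons.append(f"{r.data['severity']} vulnerability in {r.data['package']} ({r.data['id']})")
    return not reasons, reasons

# Constructed sample data: image digests and vulnerability ids are placeholders, not real values.
IMAGE_A, IMAGE_B = "sha256:placeholder-image-a", "sha256:placeholder-image-b"
store = MetadataStore()
for img in (IMAGE_A, IMAGE_B):                       # build system as one metadata producer
    store.add(img, Record("build", "ci-builder", {"commit": "placeholder-commit"}))
store.add(IMAGE_A, Record("vulnerability", "image-scanner",   # scanner as another producer
                          {"id": "CVE-PLACEHOLDER-1", "package": "libexample", "severity": "MEDIUM"}))
store.add(IMAGE_A, Record("attestation", "build-pipeline", {"attestor": "build-pipeline"}))
store.add(IMAGE_B, Record("vulnerability", "image-scanner",
                          {"id": "CVE-PLACEHOLDER-2", "package": "libother", "severity": "HIGH"}))
```

Calling `admission_decision(store, IMAGE_B, "build-pipeline")` returns both reasons for refusal (no attestation, HIGH vulnerability), while IMAGE_A is admitted because its only finding is within the MEDIUM ceiling.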

IBM plans to deliver Grafeas and Kritis as part of the IBM Container Service on IBM Cloud, and to integrate our Vulnerability Advisor and DevOps tools with the Grafeas API. This work, combined with the ecosystem building around Grafeas, will enable a powerful, secure, and modern software supply chain to be realized on the IBM Cloud.

See also:
To start using Grafeas, visit github.com/grafeas
Discuss your opinions on Hacker News
Learn more about Google’s take on Grafeas
