---
layout: landing
title: Grafeas
---
{% include home.html %}
<div class="nav-hero-container">
<div class="hero">
<div class="container">
<h1 class="hero-title">Grafeas</h1>
<img class="hero-logo" alt="Grafeas" src="{{home}}/img/grafeas-logo.svg" />
<h1 class="hero-lead">An open artifact metadata API to audit and govern your software supply chain</h1>
<span class="hero-down-arrow fa fa-2 fa-caret-down"></span>
</div>
</div>
</div>
<section class="hero-wrapper">
<div class="jumbotron resilience">
<div class="container-fluid">
<img class="landing-image pull-right" src="{{home}}/img/pluggable.png" alt="Metadata for the software supply chain">
<div class="section-content pull-left">
<h2>Metadata for the software supply chain</h2>
<p>
A software supply chain can be described as a series of distinct stages in the software lifecycle,
including but not limited to: source, build, test, static analysis (e.g. compliance, vulnerabilities),
deploy, and production monitoring. Grafeas provides a canonical representation of the metadata
for each of these stages. The details of each stage's representation follow the standard
formats in the industry, where applicable. For example, Compliance metadata can represent
<a href="https://www.cisecurity.org/cis-benchmarks/">CIS benchmarks</a>, and can be extended
to other types of compliance benchmarks.
Add new metadata types and providers as your software supply chain grows and evolves,
and bring metadata from the different tools used across the stages
of the software development lifecycle into one place for analysis.
</p>
</div>
</div>
</div>
</section>
<section class="hero-wrapper">
<div class="jumbotron traffic">
<div class="container-fluid">
<img class="landing-image pull-left" src="{{home}}/img/universal-metadata.png" alt="Universal Artifact Metadata Store">
<div class="section-content pull-right">
<h2>Universal artifact metadata</h2>
<p>
Store, query, and derive metadata about all of your software artifacts,
regardless of their type and where they are located: container and VM images,
binaries, files, and packages, whether on a local machine or in private, hybrid, or multi-cloud environments.
</p>
</div>
</div>
</div>
</section>
<section class="hero-wrapper">
<div class="jumbotron resilience">
<div class="container-fluid">
<div class="section-content pull-left">
<h2>Insights</h2>
<p>
Grafeas makes it easy to write complex queries over supply chain information. Some examples are:
</p>
<ul>
<li>Find all images that were built from a particular GitHub commit that is known to have introduced a security problem.</li>
<li>Find all images that were built by a certain version of a certain builder, when that builder version is known to have been compromised.</li>
<li>Find all images in my project that are affected by CVE-1234.</li>
<li>Generate a software bill of materials for an image that I will publish externally.</li>
</ul>
</div>
</div>
</div>
</section>
<section class="hero-wrapper">
<div class="jumbotron policy">
<div class="container-fluid">
<div class="section-content pull-right">
<h2>Horizontal and vertical querying</h2>
<p>
Grafeas supports two kinds of queries over artifact metadata.
A horizontal query runs across all artifacts that share a specific property,
e.g. "Find all images that were built from a particular GitHub commit that is
known to have introduced a security problem". A vertical query returns the
metadata recorded across the software development lifecycle for one specific artifact,
e.g. "Find all source, build, test, and vulnerability metadata for this container image."
</p>
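<p>
The following is an added example, not code from the Grafeas project or its API. It models the
two query shapes described above, and the "Insights" queries in the previous section, over a small
in-memory store that mirrors the Grafeas data model at a high level: a Note describes a fact that can
apply to many artifacts (a CVE, a builder release), and an Occurrence attaches that fact to one artifact
identified by its resource URI. The store class, method names, image digests, commit id and
CVE-1234 details are all constructed for illustration and are not part of Grafeas.
</p>

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Note:
    """A fact that can apply to many artifacts (a CVE, a builder release)."""
    name: str
    kind: str  # e.g. "BUILD", "VULNERABILITY", "SOURCE"
    details: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Occurrence:
    """One artifact's instance of a Note, keyed by the artifact's resource URI."""
    resource_uri: str
    note_name: str
    details: Dict[str, str] = field(default_factory=dict)


class MetadataStore:
    """In-memory stand-in for a metadata backend (illustrative, not a Grafeas client)."""

    def __init__(self) -> None:
        self.notes: Dict[str, Note] = {}
        self.occurrences: List[Occurrence] = []

    def add_note(self, note: Note) -> None:
        self.notes[note.name] = note

    def add_occurrence(self, occ: Occurrence) -> None:
        # An occurrence is meaningless without the note it instantiates.
        if occ.note_name not in self.notes:
            raise KeyError(f"unknown note {occ.note_name}")
        self.occurrences.append(occ)

    def kind_of(self, occ: Occurrence) -> str:
        return self.notes[occ.note_name].kind

    # Horizontal query: every artifact that has an occurrence of the given kind
    # whose details match all the supplied key/value pairs.
    def artifacts_where(self, kind: str, **match: str) -> List[str]:
        hits = {
            o.resource_uri
            for o in self.occurrences
            if self.kind_of(o) == kind
            and all(o.details.get(k) == v for k, v in match.items())
        }
        return sorted(hits)

    # Horizontal query by note: e.g. every artifact affected by one CVE.
    def artifacts_with_note(self, note_name: str) -> List[str]:
        return sorted({o.resource_uri for o in self.occurrences if o.note_name == note_name})

    # Vertical query: everything recorded about one artifact, grouped by kind (stage).
    def metadata_for(self, resource_uri: str) -> Dict[str, List[Dict[str, str]]]:
        out: Dict[str, List[Dict[str, str]]] = {}
        for o in self.occurrences:
            if o.resource_uri == resource_uri:
                out.setdefault(self.kind_of(o), []).append({"note": o.note_name, **o.details})
        return out


def build_sample_store() -> MetadataStore:
    """Constructed sample data: two images built from one commit, one of them with a CVE."""
    store = MetadataStore()
    store.add_note(Note("notes/build-from-source", "BUILD"))
    store.add_note(Note("notes/CVE-1234", "VULNERABILITY", {"severity": "HIGH"}))
    img_a = "registry.example/app@sha256:aaaa"  # constructed digest
    img_b = "registry.example/api@sha256:bbbb"  # constructed digest
    commit = "0123abcd"  # constructed commit id
    store.add_occurrence(Occurrence(img_a, "notes/build-from-source",
                                    {"commit": commit, "builder": "ci-builder", "builder_version": "1.0"}))
    store.add_occurrence(Occurrence(img_b, "notes/build-from-source",
                                    {"commit": commit, "builder": "ci-builder", "builder_version": "2.0"}))
    store.add_occurrence(Occurrence(img_a, "notes/CVE-1234", {"package": "openssl"}))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("built from commit:", s.artifacts_where("BUILD", commit="0123abcd"))
    print("built by compromised builder 2.0:", s.artifacts_where("BUILD", builder="ci-builder", builder_version="2.0"))
    print("affected by CVE-1234:", s.artifacts_with_note("notes/CVE-1234"))
    print("everything about app image:", s.metadata_for("registry.example/app@sha256:aaaa"))
```

<p>
The horizontal queries answer "which artifacts share this property" (a commit, a builder version, a CVE),
while the vertical query pivots on a single resource URI and groups what is known about it by stage.
The same split applies when the backend is a real database: the horizontal case indexes on note and
occurrence details, the vertical case indexes on the resource URI.
</p>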
</div>
</div>
</div>
</section>
<section class="hero-wrapper">
<div class="jumbotron reporting">
<div class="container-fluid">
<img class="landing-image pull-right" src="{{home}}/img/rich-querying.png" alt="Rich query-ability">
<div class="section-content pull-left">
<h2>Flexible storage</h2>
<p>
The Grafeas API can store metadata in a wide variety of storage backends:
there are implementations backed by PostgreSQL, BoltDB, Spanner, and OracleDB.
</p>
</div>
</div>
</div>
</section>
<section class="hero-wrapper">
<div class="jumbotron policy">
<div class="container-fluid">
<div class="section-content pull-right">
<h2>Vendor agnostic</h2>
<p>
Grafeas makes it easy to keep the essential details about your software supply chain
without vendor lock-in, so switching from one CI/CD vendor to another,
or migrating from public cloud to hybrid, does not lose the metadata
about your software artifacts. For example, Build metadata as defined in Grafeas
can represent builds on Travis, CircleCI, and Jenkins,
because it stores, in a generic way, only the details about the source, build commands,
and the builder itself that are common to all builds.
</p>
</div>
</div>
</div>
</section>
<div id="doc-call" class="container-fluid doc-call-container ">
<div class="row doc-call-row">
<div class="col-md-10 nofloat center-block">
<div class="col-sm-9 text-center nofloat center-block">
<h2 class="doc-call-title">Want to learn more?</h2>
<p class="doc-call-text">Watch the <a href="https://www.infoq.com/presentations/supply-grafeas-kritis">Software Supply Chain with Grafeas and Kritis</a> talk.</p>
<p class="doc-call-text">Get started by learning Grafeas concepts and trying the reference implementation.</p>
<a href="https://github.com/grafeas/grafeas"><button class="btn btn-grafeas">GRAFEAS
ON GITHUB</button></a>
</div>
</div>
</div>
</div>