Thanks to containers and microservices, the way we build software is changing quickly. But as with all change, these new models also introduce new problems. You likely still want to know who actually built a given container and what's running in it. To get a handle on this, Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS today announced Grafeas ("scribe" in Greek), a new joint open-source project that provides users with a standardized way to audit and govern their software supply chain.
In addition, Google also launched another new project, Kritis ("judge" in Greek, because after the success of Kubernetes, it would surely be bad luck to pick names in any other language for new Google open-source projects). Kritis allows businesses to enforce certain container properties at deploy time for Kubernetes clusters.
Grafeas basically defines an API that collects all of the metadata around code deployments and build pipelines. This means maintaining a record of authorship and code provenance, recording the deployment of each piece of code, marking whether code passed a security scan, which components it uses (and whether those have known vulnerabilities) and whether QA signed off on it. So before a new piece of code is deployed, the system can check all of the information about it through the Grafeas API, and if it's certified and free of vulnerabilities (at least to the best knowledge of the system), then it can get pushed into production.
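To make the two ideas above concrete, here is a toy model of the flow the article describes: tools write metadata records (build provenance, scan results, sign-offs) about an image into a shared store, and a deploy-time gate reads them back and decides whether the image may go to production. This is an added example for this article, not code from the Grafeas or Kritis projects; the record kinds, field names, severity ordering, policy rules and all sample values (image digests, vulnerability ids, package names) are constructed placeholders.

```python
"""Toy Grafeas-style metadata store with a Kritis-style deploy gate.

Constructed illustration: the record kinds, field names and policy rules
below are assumptions for this example, not the Grafeas or Kritis APIs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordering used to compare a finding's severity against the policy ceiling.
SEVERITY_RANK: Dict[str, int] = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Occurrence:
    """One piece of metadata attached to an image, identified by digest."""
    image: str          # image digest; placeholders below are constructed
    kind: str           # BUILD, VULNERABILITY_SCAN, ATTESTATION, DEPLOYMENT
    data: dict = field(default_factory=dict)


class MetadataStore:
    """Append-only store that every tool in the pipeline writes into."""

    def __init__(self) -> None:
        self._occurrences: List[Occurrence] = []

    def record(self, image: str, kind: str, **data) -> None:
        self._occurrences.append(Occurrence(image, kind, data))

    def find(self, image: str, kind: str) -> List[Occurrence]:
        return [o for o in self._occurrences if o.image == image and o.kind == kind]


def deploy_gate(store: MetadataStore, image: str, required_attesters: List[str],
                max_severity: str = "MEDIUM") -> Tuple[bool, List[str]]:
    """Decide whether an image may be deployed, returning (allowed, reasons).

    Policy (an assumption for this example): the image needs build provenance,
    at least one vulnerability scan with no finding above max_severity, and an
    attestation from every required attester (for instance QA).
    """
    reasons: List[str] = []

    if not store.find(image, "BUILD"):
        reasons.append("no build provenance recorded")

    scans = store.find(image, "VULNERABILITY_SCAN")
    if not scans:
        reasons.append("no vulnerability scan recorded")
    ceiling = SEVERITY_RANK[max_severity]
    for scan in scans:
        for finding in scan.data.get("findings", []):
            if SEVERITY_RANK[finding["severity"]] > ceiling:
                reasons.append(f"{finding['id']} is {finding['severity']} in "
                               f"{finding['package']}, above policy ceiling {max_severity}")

    attested_by = {o.data["attester"] for o in store.find(image, "ATTESTATION")}
    for attester in required_attesters:
        if attester not in attested_by:
            reasons.append(f"missing attestation from {attester}")

    allowed = not reasons
    if allowed:
        # The deployment itself becomes part of the record, so the same store
        # can later answer "is this image currently running in production?".
        store.record(image, "DEPLOYMENT", environment="production")
    return allowed, reasons


def build_sample_store() -> MetadataStore:
    """Constructed sample data for two images (all values are placeholders)."""
    store = MetadataStore()
    good, bad = "sha256:good-placeholder", "sha256:bad-placeholder"

    store.record(good, "BUILD", author="ci-bot", source_commit="commit-placeholder")
    store.record(good, "VULNERABILITY_SCAN", scanner="example-scanner",
                 findings=[{"id": "EXAMPLE-VULN-1", "severity": "LOW", "package": "libfoo"}])
    store.record(good, "ATTESTATION", attester="qa")

    # Second image: no provenance, a critical finding, and QA never signed off.
    store.record(bad, "VULNERABILITY_SCAN", scanner="example-scanner",
                 findings=[{"id": "EXAMPLE-VULN-2", "severity": "CRITICAL", "package": "libbar"}])
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for digest in ("sha256:good-placeholder", "sha256:bad-placeholder"):
        ok, why = deploy_gate(s, digest, required_attesters=["qa"])
        print(digest, "ALLOWED" if ok else "BLOCKED", why)
```

The point of the design is that the gate never trusts the image itself; it trusts only what the pipeline's tools recorded about it, and a missing record (no scan, no sign-off) blocks deployment just as a bad one does. Recording the deployment decision back into the same store is what lets a team later answer the Shopify-style question of which images are actually running.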
At first glance, this all may seem rather bland, but there's a real need for projects like this. With the advent of continuous integration, decentralization, microservices, an increasing number of toolsets and every other buzzworthy technology, enterprises are struggling to keep tabs on what's actually happening inside their data centers. It's fairly hard to stick to your security and governance policies if you don't know exactly what software you're actually running. Currently, all of the different tools that developers use can record their own data, of course, but Grafeas represents an agreed-upon way of collecting and accessing this data across tools.
Like so many of Google's open-source projects, Grafeas basically mirrors how Google itself handles these issues. Thanks to its massive scale and early adoption of containers and microservices, Google, after all, found many of these problems long before they became an issue for the industry at large. As Google notes in today's announcement, the basic tenets of Grafeas reflect the best practices that Google itself developed for its build systems.
All of the various partners involved here are bringing different pieces to the table, but JFrog, for example, will implement this system in its Xray API. Red Hat will use it to enhance its security and automation features in OpenShift (its container platform) and CoreOS will integrate it into its Tectonic Kubernetes platform.
One of the early testers of Grafeas is Shopify, which currently builds about 6,000 containers per day and which keeps 330,000 images in its primary container registry. With Grafeas, it can now know whether a given container is currently being used in production, for example, when it was downloaded from the registry, what packages are running in it and whether any of the components in the container include any known security vulnerabilities.
"Using Grafeas as the central source of truth for container metadata has allowed the security team to answer these issues and flesh out appropriate auditing and lifecycling strategies for the software we deliver to users at Shopify," the company writes in today's announcement.