
GUAC

GUAC (Graph for Understanding Artifact Composition) aggregates SBOMs, SLSA attestations, OpenSSF Scorecard results, and deps.dev data into a queryable supply-chain knowledge graph. Google-originated, Kusari-backed, OpenSSF incubating; 1,500+ GitHub stars with v1.1.0 shipped March 2026.

Key takeaways

  • The aggregation layer of the supply-chain trust stack — GUAC ingests what SLSA, in-toto, OpenSSF Scorecard, SBOM generators, and vulnerability feeds produce and turns it into one queryable GraphQL knowledge graph
  • Institutionally durable backing: created by Google, Kusari, Purdue University, and Citi; an OpenSSF incubating project since March 2024 with supporters including Yahoo, Microsoft, and Red Hat
  • Crossed v1.0 in June 2025 but moves at a deliberate pace — roughly two to three releases per year and ~1,500 GitHub stars as of June 2026, with persistent deployments requiring you to run and feed a PostgreSQL-backed graph yourself

FAQ

What is GUAC?

GUAC (Graph for Understanding Artifact Composition) is an open-source tool that aggregates software supply-chain metadata — SBOMs, SLSA attestations, OpenSSF Scorecard results, vulnerability data — into a graph database you can query over GraphQL or REST.

How much does GUAC cost?

GUAC is free and Apache-2.0 licensed. Kusari, whose co-founder is a GUAC core contributor, sells commercial supply-chain security products and support built around it.

How does GUAC work?

Collectors pull documents (SPDX, CycloneDX, in-toto/SLSA attestations, OpenVEX/CSAF, Scorecard, deps.dev, OSV), an ingestion pipeline normalizes entity identities and relationships, and the resulting graph is served from an in-memory keyvalue store or PostgreSQL backend via GraphQL.

How is GUAC different from OWASP Dependency-Track?

Dependency-Track manages and analyzes SBOMs per project; GUAC builds a cross-cutting knowledge graph across many evidence types (attestations, scorecards, VEX, vulnerabilities) so you can ask transitive, organization-wide questions like "which deployed artifacts are reachable from this compromised package?"

Executive Summary

GUAC — Graph for Understanding Artifact Composition — is an open-source tool that aggregates software security metadata into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them.[1][2] Where the rest of the supply-chain trust stack produces evidence — SBOMs, SLSA provenance, in-toto attestations, Scorecard ratings, VEX statements — GUAC is the layer that consumes all of it, linking the documents into one queryable knowledge graph so an organization can answer questions like "which of our deployed artifacts depend on this compromised package, and do any of them have an attestation saying the vulnerability is unreachable?"[3]

The project was created by Google, Kusari, Purdue University, and Citi, and joined the OpenSSF as an incubating project under the Supply Chain Integrity Working Group in March 2024, with supporters including Yahoo, Microsoft, Red Hat, Guidewire, and ClearAlpha Technologies.[4][5] Written in Go and Apache-2.0 licensed, the repo holds 1,502 stars and 203 forks as of June 2026, with active pushes through June 9, 2026.[2] GUAC crossed v1.0.0 in June 2025 and shipped v1.1.0 in March 2026 — stable, but a deliberate two-to-three-releases-per-year cadence.[6]

Attribute       | Detail
Creator         | Google, Kusari, Purdue University, Citi[4]
Governance      | OpenSSF incubating project (since March 2024)[4]
Repo created    | June 2022[2]
GitHub stars    | 1,502 (June 2026)[2]
License         | Apache-2.0[2]
Language        | Go[2]
Current release | v1.1.0 (March 13, 2026)[6]

Product Overview

GUAC sits downstream of every other tool in the trust stack. Collectors fetch supply-chain documents from filesystems, object stores, and APIs; an ingestion pipeline parses and normalizes them; and the resulting graph is exposed through GraphQL and REST APIs for querying, visualization, and policy decisions.[3][2] The docs frame the core workflow as ingesting SBOMs, enriching them with deps.dev source data, OpenSSF Scorecard results, and OSV vulnerability intelligence, then "searching the GUAC graph for any paths leading to any known vulnerabilities."[3]
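
The reachability question this workflow exists to answer (which deployed artifacts depend on a compromised package, and does any of them carry a VEX statement saying the vulnerability is unreachable) is, in graph terms, a reverse walk over dependency edges joined against vulnerability and VEX nodes. The Go program below is an added example, not GUAC's code: it performs that walk over data of the shape GUAC's IsDependency, CertifyVuln and CertifyVEXStatement nodes carry, reduced to the fields the walk needs (the reduction is this example's own, and the sample purls, digests and vulnerability ID are constructed placeholders). It also covers the case where no advisory has been published yet, which is the state a team is in during the first hours of an XZ-style disclosure.

```go
package main

import (
	"fmt"
	"sort"
)

// Edge, VulnCert and VEXStatement stand in for GUAC's IsDependency, CertifyVuln and
// CertifyVEXStatement nodes, reduced to the fields this walk needs (an assumption, not GUAC's schema).
type Edge struct{ Package, DependsOn string }              // Package depends on DependsOn (both purls)
type VulnCert struct{ Package, VulnID string }             // a vulnerability certified against a purl
type VEXStatement struct{ Package, VulnID, Status string } // OpenVEX status for (artifact, vuln)
type Graph struct {
	Dependencies []Edge
	Vulns        []VulnCert
	VEX          []VEXStatement
}

// Finding is a root artifact (nothing depends on it) that transitively depends on the investigated package.
type Finding struct {
	Artifact  string
	Path      []string // artifact -> ... -> investigated package
	VulnID    string   // "" when no CertifyVuln exists yet for the package
	VEXStatus string   // "" when no VEX statement covers (artifact, vuln)
}

// Sample is constructed data; purls, digests and the vulnerability ID are placeholders.
var Sample = Graph{
	Dependencies: []Edge{
		{"pkg:oci/payments-api@sha256:aaa", "pkg:golang/example.com/httpkit@v1.2.0"},
		{"pkg:golang/example.com/httpkit@v1.2.0", "pkg:golang/example.com/textproc@v0.3.0"},
		{"pkg:oci/batch-worker@sha256:bbb", "pkg:golang/example.com/queue@v2.0.0"},
		{"pkg:golang/example.com/queue@v2.0.0", "pkg:golang/example.com/httpkit@v1.2.0"},
		{"pkg:oci/static-site@sha256:ccc", "pkg:npm/example-ui@18.2.0"},
	},
	Vulns: []VulnCert{{"pkg:golang/example.com/textproc@v0.3.0", "OSV-EXAMPLE-0001"}},
	VEX:   []VEXStatement{{"pkg:oci/batch-worker@sha256:bbb", "OSV-EXAMPLE-0001", "not_affected"}},
}

// BlastRadius walks dependency edges in reverse (dependency -> dependents) from vulnPurl,
// collects every root artifact reached, and pairs each with a witness path and any VEX statement.
func BlastRadius(g Graph, vulnPurl string) []Finding {
	dependents := map[string][]string{}
	for _, e := range g.Dependencies {
		dependents[e.DependsOn] = append(dependents[e.DependsOn], e.Package)
	}
	parent := map[string]string{vulnPurl: ""} // node -> node it was reached from
	queue, roots := []string{vulnPurl}, []string{}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if len(dependents[cur]) == 0 {
			roots = append(roots, cur) // nothing depends on it: a deployed artifact
		}
		for _, up := range dependents[cur] {
			if _, seen := parent[up]; !seen {
				parent[up] = cur
				queue = append(queue, up)
			}
		}
	}
	sort.Strings(roots)
	var vulnIDs []string
	for _, v := range g.Vulns {
		if v.Package == vulnPurl {
			vulnIDs = append(vulnIDs, v.VulnID)
		}
	}
	sort.Strings(vulnIDs)
	if len(vulnIDs) == 0 {
		vulnIDs = []string{""} // no advisory yet (XZ-style): reachability still matters
	}
	var out []Finding
	for _, id := range vulnIDs {
		for _, root := range roots {
			var path []string
			for n := root; n != ""; n = parent[n] { // follow parents back down to vulnPurl
				path = append(path, n)
			}
			out = append(out, Finding{root, path, id, vexStatus(g, root, id)})
		}
	}
	return out
}

func vexStatus(g Graph, artifact, vulnID string) string {
	for _, s := range g.VEX {
		if s.Package == artifact && s.VulnID == vulnID {
			return s.Status
		}
	}
	return ""
}

func main() {
	for _, f := range BlastRadius(Sample, "pkg:golang/example.com/textproc@v0.3.0") {
		fmt.Printf("%s vuln=%q vex=%q\n  %v\n", f.Artifact, f.VulnID, f.VEXStatus, f.Path)
	}
}
```

Against the sample, payments-api is reached in two hops with no VEX statement, while batch-worker is reached in three hops but carries a not_affected statement; a policy gate would page on the first and merely log the second. The walk treats a VEX statement as applying only to the artifact it names, which is the conservative reading: a statement made for one deployment does not clear another.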

Key Capabilities

Capability             | Description
Multi-format ingestion | SPDX, CycloneDX, in-toto ITE6/SLSA attestations, DSSE envelopes, CSAF (including the CSAF VEX profile), OpenVEX, OpenSSF Scorecard, OSV, deps.dev API[2]
Identity normalization | Resolves the same package or artifact appearing in different documents into one graph node[2]
Transitive queries     | Path-finding across dependencies to known vulnerabilities; blast-radius analysis[3]
Enrichment certifiers  | Pulls Scorecard, deps.dev, and OSV data to augment ingested SBOMs[3]
Query APIs             | GraphQL and REST[2]

Product Surfaces

Surface            | Description                                              | Availability
guacone CLI        | One-shot ingestion, certification, and query commands[3] | Open source
guaccollect CLI    | Long-running collectors for continuous ingestion[3]      | Open source
GraphQL / REST API | Programmatic graph queries[2]                            | Open source
GUAC Visualizer    | Graph exploration UI[5]                                  | Open source

Technical Architecture

GUAC deploys as a set of Go services — collectors, ingestion pipeline, GraphQL server — typically via Docker Compose for evaluation, with PostgreSQL as the documented persistent backend.[3][2] The default keyvalue backend is in-memory and non-persistent (zero infrastructure, but data vanishes on restart); the supported persistent path is Ent with PostgreSQL, while ArangoDB, Neo4j/openCypher, Redis, and TiKV backends exist as experimental and unsupported.[2]

Key Technical Details

Aspect       | Detail
Deployment   | Self-hosted; Docker Compose for trial, services + PostgreSQL for production[3]
Backends     | In-memory keyvalue (default, non-persistent); Ent + PostgreSQL (supported); ArangoDB/Neo4j/Redis/TiKV (experimental)[2]
Integrations | deps.dev, OSV.dev, OpenSSF Scorecard, cosign/slsa-verifier verification[3]
Open source  | Yes — Apache-2.0, hosted on GitHub under guacsec with OpenSSF governance[2]

Strengths

  • Unique category role — GUAC is the only OpenSSF project whose job is aggregating the outputs of the others; it makes SBOMs, attestations, and scorecards collectively queryable instead of siloed documents.[3][4]
  • Broad format coverage — SPDX, CycloneDX, in-toto ITE6, SLSA, DSSE, CSAF VEX, OpenVEX, Scorecard, OSV, and deps.dev in one ingestion pipeline.[2]
  • Institutional backing — created by Google, Kusari, Purdue, and Citi; OpenSSF incubation since March 2024 with named supporters including Microsoft, Red Hat, and Yahoo gives it foundation-grade governance rather than single-vendor control.[4]
  • Past the v1.0 line — a stable API surface as of June 2025, with continued releases (v1.0.1 September 2025, v1.1.0 March 2026) and pushes into June 2026.[6][2]
  • Commercial escape hatch — Kusari, co-founded by GUAC core contributor Michael Lieberman, builds commercial products and support around the project for teams that don't want to operate it themselves.[4][5]

Cautions

  • You are operating graph infrastructure yourself — the zero-setup default backend is in-memory and non-persistent; real deployments mean running PostgreSQL plus GUAC's collector, ingestion, and API services, and the native graph backends (Neo4j, ArangoDB) are explicitly experimental and unsupported.[2]
  • Scarce expertise — early analyst coverage flagged that "most of the world's knowledge graph experts are working for one of the [tech] giants" (Jacques Chester, then at Shopify), and that conventional schemas risk destroying the historical information vulnerability analysis needs.[7] The governance concern raised in the same coverage was later resolved by OpenSSF incubation, but the operational-skills gap was not.[4]
  • Garbage in, garbage graph — GUAC's value is bounded by the quality and completeness of the SBOMs and attestations fed into it; ingestion gaps in upstream tooling propagate directly into the graph.[3]
  • Modest traction for its age — from 1,100+ stars at incubation (March 2024) to 1,502 in June 2026 is slow community growth for a four-year-old Google-originated project, and no production adopters are named in the repo itself.[4][2]
  • Deliberate release cadence — three releases (v1.0.0, v1.0.1, v1.1.0) in the twelve months from June 2025; teams needing fast feature turnaround may find the pace conservative.[6]
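
The check a practitioner wants against the "garbage in, garbage graph" caution is a pre-ingestion audit of each SBOM. Three gaps hollow out a graph built from a CycloneDX document: components with no purl (nothing to join by identity with the same package in other documents), dependency refs that name no declared component (an edge with no node), and declared components no edge touches (unreachable by any path query). The Go program below is an added example, not GUAC's ingestion code, and it makes no claim about how GUAC itself treats these cases; it runs the audit on a constructed CycloneDX document whose purls and digests are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Only the CycloneDX JSON fields the completeness check reads.
type Component struct {
	BOMRef string `json:"bom-ref"`
	PURL   string `json:"purl"`
}

type Dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

type BOM struct {
	BOMFormat    string                                           `json:"bomFormat"`
	Metadata     struct{ Component *Component `json:"component"` } `json:"metadata"`
	Components   []Component                                      `json:"components"`
	Dependencies []Dependency                                     `json:"dependencies"`
}

// Report lists what would be lost or left dangling once this SBOM is ingested.
type Report struct {
	Components   int
	MissingPURL  []string // no purl: cannot be joined by identity with other documents
	DanglingRefs []string // dependency refs naming no bom-ref: an edge with no node
	Orphans      []string // components no dependency edge touches: unreachable by path queries
}

func (r Report) Clean() bool {
	return len(r.MissingPURL)+len(r.DanglingRefs)+len(r.Orphans) == 0
}

// CheckCycloneDX parses CycloneDX JSON and reports the gaps a graph built from it would inherit.
func CheckCycloneDX(raw string) (Report, error) {
	var bom BOM
	if err := json.Unmarshal([]byte(raw), &bom); err != nil {
		return Report{}, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return Report{}, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BOMFormat)
	}
	r := Report{Components: len(bom.Components)}
	known := map[string]bool{} // every bom-ref a dependency entry may legally name
	if bom.Metadata.Component != nil {
		known[bom.Metadata.Component.BOMRef] = true
	}
	for _, c := range bom.Components {
		known[c.BOMRef] = true
		if c.PURL == "" {
			r.MissingPURL = append(r.MissingPURL, c.BOMRef)
		}
	}
	touched := map[string]bool{} // bom-refs that appear in at least one edge
	for _, d := range bom.Dependencies {
		for _, ref := range append([]string{d.Ref}, d.DependsOn...) {
			if known[ref] {
				touched[ref] = true
			} else {
				r.DanglingRefs = append(r.DanglingRefs, ref)
			}
		}
	}
	for _, c := range bom.Components {
		if !touched[c.BOMRef] {
			r.Orphans = append(r.Orphans, c.BOMRef)
		}
	}
	for _, s := range [][]string{r.MissingPURL, r.DanglingRefs, r.Orphans} {
		sort.Strings(s) // sorts in place, so the report's own slices end up ordered
	}
	return r, nil
}

// SampleBOM is a constructed document with one gap of each kind: lib-b has no purl,
// lib-zz is referenced but never declared, lib-c is declared but never connected.
const SampleBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "purl": "pkg:oci/payments-api@sha256:aaa"}},
  "components": [
    {"bom-ref": "lib-a", "name": "httpkit", "version": "v1.2.0", "purl": "pkg:golang/example.com/httpkit@v1.2.0"},
    {"bom-ref": "lib-b", "name": "textproc", "version": "v0.3.0"},
    {"bom-ref": "lib-c", "name": "example-ui", "version": "18.2.0", "purl": "pkg:npm/example-ui@18.2.0"}
  ],
  "dependencies": [{"ref": "app", "dependsOn": ["lib-a"]}, {"ref": "lib-a", "dependsOn": ["lib-b", "lib-zz"]}]
}`

func main() {
	r, err := CheckCycloneDX(SampleBOM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d components, clean=%v\n%+v\n", r.Components, r.Clean(), r)
}
```

Run as a gate in the pipeline that produces SBOMs, before anything is handed to a collector: a document that fails Clean() is better rejected at the generator than silently ingested as a graph with holes, because nothing downstream can tell a missing edge from a genuinely absent dependency.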

Pricing & Licensing

Tier              | Price               | Includes
Open source       | Free                | Full tool — collectors, ingestion, GraphQL/REST APIs, visualizer[2]
Kusari commercial | Not publicly listed | Commercial supply-chain security products and support from GUAC's co-creator company[5]

Licensing model: Apache-2.0 under OpenSSF governance — no open-core split in the project itself.[2][4]

Hidden costs: the infrastructure and staff time to run PostgreSQL-backed GUAC services continuously and to produce the SBOMs/attestations that make the graph worth querying.[2]


Competitive Positioning

GUAC's nearest neighbors in the trust stack are mostly complements, not competitors: it ingests the provenance that SLSA defines, the attestations that in-toto formats, and the repo-health ratings that OpenSSF Scorecard produces — its category role is making those outputs jointly queryable.[2][3]

Direct Competitors

Competitor                        | Differentiation
OWASP Dependency-Track            | Per-project SBOM management and CVE analysis; GUAC builds a cross-document, cross-organization graph spanning attestations and VEX, not just SBOMs[2]
Commercial SCA (Snyk, Socket.dev) | Managed scanning and detection products; GUAC is self-hosted evidence aggregation — they can feed it rather than replace it
In-house graph builds             | Large enterprises hand-roll similar graphs; GUAC offers a shared schema and OpenSSF-governed neutral ground[7]

When to Choose GUAC Over Alternatives

  • You already generate SBOMs and attestations and need to query across them, not manage them per project
  • You want transitive blast-radius answers ("what depends on X?") within hours of the next XZ-style disclosure
  • You require self-hosted, foundation-governed infrastructure rather than a SaaS scanner
  • You have platform engineers comfortable operating Go services and PostgreSQL

Ideal Customer Profile

Best fit:

  • Organizations with regulatory or executive-order SBOM mandates and thousands of artifacts to correlate
  • Platform/security teams already invested in SLSA, in-toto, Sigstore, and Scorecard who need the aggregation layer
  • Enterprises that want vendor-neutral, Apache-2.0 infrastructure with a commercial support option (Kusari)[5]

Poor fit:

  • Small teams wanting a turnkey dependency scanner — a CVE scanner or SCA SaaS is far less work
  • Organizations not yet producing SBOMs or attestations; GUAC has nothing to aggregate
  • Teams unwilling to run persistent database infrastructure[2]

Viability Assessment

Dimension           | Assessment
Financial Health    | No standalone project funding to assess; OpenSSF-governed with corporate contributor backing (Google, Kusari, Microsoft, Red Hat)[4]
Market Position     | De facto open-source supply-chain knowledge graph; no direct OpenSSF-governed rival[4]
Innovation Pace     | Steady but slow — v1.0.0 June 2025, v1.1.0 March 2026[6]
Community/Ecosystem | 50 contributors and 300 community members at incubation; 1,502 stars and 203 forks as of June 2026[4][2]
Long-term Outlook   | Tied to SBOM/attestation mandates — if evidence generation keeps growing, the aggregation layer becomes mandatory

GUAC is institutionally durable in a way star counts understate: foundation governance, multiple corporate sponsors, and a commercial company (Kusari) whose business depends on its survival.[4][5] The risk is not abandonment but stagnation at a pace slower than the SBOM ecosystem it aggregates.[6]


Bottom Line

GUAC occupies the slot the rest of the trust stack creates: SLSA, in-toto, Scorecard, and SBOM tooling all generate evidence, and GUAC is the open-source answer to "now what do we do with all of it?" Past v1.0, OpenSSF-governed, and backed by Google and Kusari, it is the safest open bet for supply-chain evidence aggregation — but it is infrastructure, not a product, and the operational bill (PostgreSQL, collectors, knowledge-graph skills that analysts note are concentrated at tech giants) is real.[2][7]

Recommended for: enterprises with SBOM mandates and existing attestation pipelines that need cross-cutting, transitive queries over their supply-chain evidence.

Not recommended for: teams without SBOM/attestation generation in place, or anyone wanting a managed scanner rather than self-hosted graph infrastructure.[2]

Outlook: durable but deliberate. Foundation governance and Kusari's commercial stake make abandonment unlikely; the open question is whether two to three releases a year keeps up with the evidence formats it exists to unify.[6][4]


Research by Ry Walker Research