OpenSec Atlas

guac: An Open Source Tool for Governance, Risk, and Compliance (GRC) | OpenSec Atlas

Governance, Risk, and Compliance (GRC)

Tool

guac

GUAC aggregates and normalizes software security metadata into a high fidelity graph database to enable comprehensive supply chain transparency and risk management.

Visit Website View on GitHub

About This Tool

GUAC aggregates software security metadata into a high fidelity graph database.

Primary Use Case

GUAC is used by security teams, auditors, and developers to aggregate diverse software supply chain metadata into a unified graph, enabling risk assessment, compliance auditing, and security automation. It helps organizations query and analyze software artifact relationships to improve governance, risk management, and compliance efforts.

Key Features

Aggregates software security metadata into a graph database
Normalizes entity identities and maps standard relationships
Supports multiple input document formats like CycloneDX, SPDX, SLSA, OSV, and more
Provides a consistent GraphQL API with pluggable backend support
Enables audit, policy enforcement, risk management, and developer assistance
OpenSSF incubating project focused on supply chain integrity
Includes demos and use cases for quick adoption
Docker Compose quickstart for easy deployment

Insights & Recommendations

GUAC is under active development and may encounter ingestion errors due to incomplete or inconsistent metadata identifiers; users are encouraged to report data quality issues. The tool supports multiple backends transparently via GraphQL, allowing flexibility in deployment. Familiarity with software supply chain standards and GraphQL querying will enhance effective use.

Installation

Visit https://docs.guac.sh/ for detailed documentation
Start GUAC services using the docker compose quickstart available at https://docs.guac.sh/setup/
Refer to the contributor guide (CONTRIBUTING.md) for development setup

Usage

docker compose up

Starts the GUAC services using the provided Docker Compose configuration

Smart Usage Notes

Integrate GUAC with CI/CD pipelines to automate supply chain risk assessments and enforce compliance policies before deployment.Leverage GUAC's graph database to visualize and trace software component relationships for faster incident investigation and root cause analysis.Use GUAC's normalized metadata to enhance threat hunting by correlating supply chain artifacts with known vulnerabilities and exposures.Combine GUAC with vulnerability management tools to prioritize patching based on software supply chain risk context.Employ GUAC in purple team exercises to simulate supply chain attacks and validate detection and response capabilities across development and security teams.