GUAC (Graph for Understanding Artifact Composition)

GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities, signatures) into a queryable graph. GUAC exposes a GraphQL API for supply-chain queries when self-hosted.

API entry from apis.yml

aid: openssf:guac-api
name: GUAC (Graph for Understanding Artifact Composition)
description: GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities,
  signatures) into a queryable graph. GUAC exposes a GraphQL API for supply-chain queries when self-hosted.
humanURL: https://guac.sh/
baseURL: https://guac.sh
tags:
- SBOM
- Supply Chain
- GraphQL
properties:
- type: Documentation
  url: https://docs.guac.sh/
- type: GitHubRepository
  url: https://github.com/guacsec/guac