

OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

Thursday, June 6 | 10:00AM PT

Imagine having the power to proactively address critical vulnerabilities. Before a threat becomes a crisis, what if you could confidently answer the question, “Am I affected, and if so, where?” With Graph for Understanding Artifact Composition (GUAC), you can. Open Source Security Foundation (OpenSSF) Incubating Project GUAC is a software supply chain observability tool. It ingests software security metadata and stores it in a persistent graph database to query for consolidated information about your software. In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute. Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

The GUAC Tech Talk will cover how GUAC:

  • Ingests SBOMs, SLSA attestations, vulnerability reports, VEX statements, OpenSSF Scorecard results, and more, and stores the data in PostgreSQL
  • Identifies the “blast radius” of a vulnerability so you can determine its potential impact and devise a tailored patch plan
  • Maps threats to your software to determine your risk and minimize the window of exposure
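The three bullets above are the whole pipeline in outline: metadata in, graph built, blast radius out. The following is an added example written for this page, not GUAC's own code or API, that shows the shape of that query on a toy in-memory graph. Two constructed CycloneDX-style SBOMs, a constructed vulnerability record with a hypothetical id, and a constructed VEX statement are ingested; a reverse-dependency walk from the vulnerable package then returns every artifact that transitively depends on it, the path each product needs patched, and which products a VEX not_affected statement clears. All package URLs, product names, and the vulnerability id are made up for illustration.

```python
"""Added example (not GUAC's own code or API): a miniature of the
"am I affected, and where?" query. It ingests two constructed SBOMs,
one constructed vulnerability record and one constructed VEX statement
into an in-memory graph keyed by package URL, then walks reverse
dependency edges from the vulnerable package to get the blast radius
and the dependency path each affected product needs patched."""
import json
from collections import defaultdict, deque

# Constructed CycloneDX-style SBOMs; purls and product names are hypothetical.
SBOMS = [
    r'''{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "metadata": {"component": {"bom-ref": "pkg:oci/shop-frontend@1.4.0"}},
      "dependencies": [
        {"ref": "pkg:oci/shop-frontend@1.4.0",
         "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/express@4.18.2",
         "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/body-parser@1.20.1", "dependsOn": ["pkg:npm/qs@6.11.0"]}
      ]}''',
    r'''{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "metadata": {"component": {"bom-ref": "pkg:oci/shop-reports@2.0.0"}},
      "dependencies": [
        {"ref": "pkg:oci/shop-reports@2.0.0",
         "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]}
      ]}''',
]

# Constructed vulnerability record; the id is hypothetical, not a real advisory.
VULN = {"id": "VULN-EXAMPLE-1", "affected": ["pkg:npm/qs@6.11.0"]}

# Constructed VEX statement: the reports image never reaches the vulnerable code.
VEX = [{"vulnerability": "VULN-EXAMPLE-1",
        "product": "pkg:oci/shop-reports@2.0.0",
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path"}]


def ingest_sboms(sbom_docs):
    """Merge dependency edges from several SBOMs into one reverse graph.

    Returns (dependents, products): dependents[child] is the set of purls
    that depend directly on child, consolidated across documents so a
    library shared by two images appears once; products is the set of
    top-level components the SBOMs describe."""
    dependents = defaultdict(set)
    products = set()
    for doc in sbom_docs:
        bom = json.loads(doc)
        products.add(bom["metadata"]["component"]["bom-ref"])
        for dep in bom.get("dependencies", []):
            for child in dep.get("dependsOn", []):
                dependents[child].add(dep["ref"])
    return dependents, products


def blast_radius(dependents, vulnerable):
    """Breadth-first walk over reverse edges from the vulnerable purl.

    Returns {purl: path}, where path runs from the dependent back to the
    vulnerable package (shortest first); the visited check keeps cycles
    finite."""
    paths = {}
    queue = deque([(vulnerable, [vulnerable])])
    while queue:
        node, path = queue.popleft()
        for parent in sorted(dependents.get(node, ())):
            if parent not in paths and parent != vulnerable:
                paths[parent] = [parent] + path
                queue.append((parent, paths[parent]))
    return paths


def affected_products(paths, products, vex_statements, vuln_id):
    """Restrict the blast radius to deployable products, dropping those a
    VEX statement marks not_affected or fixed for this vulnerability."""
    cleared = {s["product"] for s in vex_statements
               if s["vulnerability"] == vuln_id
               and s["status"] in ("not_affected", "fixed")}
    return {p: paths[p] for p in products if p in paths and p not in cleared}


def run_example():
    """Ingest everything, query, and return (blast radius, patch plan)."""
    dependents, products = ingest_sboms(SBOMS)
    radius = {}
    for purl in VULN["affected"]:
        radius.update(blast_radius(dependents, purl))
    plan = affected_products(radius, products, VEX, VULN["id"])
    return radius, plan


if __name__ == "__main__":
    radius, plan = run_example()
    print(f"{VULN['id']} reaches {len(radius)} artifacts")
    for product, path in sorted(plan.items()):
        print("patch needed:", " -> ".join(path))
```

In this toy, the vulnerable package reaches four artifacts (two libraries and both images) because the graph is consolidated across SBOMs rather than read one document at a time, but only shop-frontend ends up on the patch plan once the VEX statement for shop-reports is applied. The in-memory graph is the part GUAC replaces with a persistent store; the walk itself is the "blast radius" the talk refers to.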


David A. Wheeler (Moderator)
Director of Open Source Supply Chain Security, Linux Foundation

Brandon Lum
Open Source Security Engineer, Google

Parth Patel
CPO/Co-Founder, Kusari