Grafeas ("scribe" in Greek) is an open-source artifact metadata API that provides a uniform way to audit and govern your software supply chain. Grafeas defines an API spec for managing metadata about software resources, such as container images, Virtual Machine (VM) images, JAR files, and scripts. You can use Grafeas to define and aggregate information about your project's components. Grafeas provides organizations with a central source of truth for tracking and enforcing policies across an ever-growing set of software development teams and pipelines. Build, auditing, and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.
Grafeas divides the metadata information into notes and occurrences. Notes are high-level descriptions of particular types of metadata. Occurrences are instantiations of notes, which describe how and when a given note occurs on the resource associated with the occurrence. This division allows third-party metadata providers to create and manage metadata on behalf of many customers. It also allows for fine-grained access control of different types of metadata.
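To make the note/occurrence split concrete, here is an added example (not Grafeas project code) of a small in-memory store that follows the same model: a provider project owns notes, customer projects own occurrences that reference those notes, and the store refuses occurrences that point at a missing note, disagree with the note's kind, or describe a resource that is not pinned by content digest. The resource-name patterns, kind strings and the digest-pinning rule are assumptions made for this example, as is all sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Note is a high-level description of one kind of metadata, owned by the
// provider project that publishes it (for example a vulnerability scanner).
type Note struct {
	Name             string // assumed pattern: projects/{provider_project}/notes/{note_id}
	Kind             string // assumed values such as VULNERABILITY, BUILD, ATTESTATION
	ShortDescription string
}

// Occurrence is an instantiation of a Note on one concrete resource, owned by
// the customer project whose resource it describes.
type Occurrence struct {
	Name        string // assumed pattern: projects/{customer_project}/occurrences/{id}
	ResourceURI string // the artifact the note occurs on, pinned by sha256 digest
	NoteName    string // the Note this occurrence instantiates
	Kind        string // must equal the referenced Note's Kind
}

// Store is an in-memory stand-in for a metadata server, constructed for this
// example; it enforces the note/occurrence relationship, not the real API.
type Store struct {
	notes       map[string]Note
	occurrences map[string]Occurrence
}

var (
	noteNameRe = regexp.MustCompile(`^projects/[a-z0-9-]+/notes/[A-Za-z0-9_.-]+$`)
	occNameRe  = regexp.MustCompile(`^projects/[a-z0-9-]+/occurrences/[A-Za-z0-9_.-]+$`)
	digestRe   = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)
)

func NewStore() *Store {
	return &Store{notes: map[string]Note{}, occurrences: map[string]Occurrence{}}
}

// CreateNote registers a note; names are unique and must carry a kind.
func (s *Store) CreateNote(n Note) error {
	if !noteNameRe.MatchString(n.Name) {
		return fmt.Errorf("invalid note name %q", n.Name)
	}
	if n.Kind == "" {
		return fmt.Errorf("note %q has no kind", n.Name)
	}
	if _, dup := s.notes[n.Name]; dup {
		return fmt.Errorf("note %q already exists", n.Name)
	}
	s.notes[n.Name] = n
	return nil
}

// CreateOccurrence attaches a note to a resource. A tag can be re-pointed at
// different content, so only digest-pinned resources are accepted.
func (s *Store) CreateOccurrence(o Occurrence) error {
	if !occNameRe.MatchString(o.Name) {
		return fmt.Errorf("invalid occurrence name %q", o.Name)
	}
	n, ok := s.notes[o.NoteName]
	if !ok {
		return fmt.Errorf("occurrence %q references unknown note %q", o.Name, o.NoteName)
	}
	if o.Kind != n.Kind {
		return fmt.Errorf("occurrence kind %q does not match note kind %q", o.Kind, n.Kind)
	}
	if !digestRe.MatchString(o.ResourceURI) {
		return fmt.Errorf("resource %q is not pinned by sha256 digest", o.ResourceURI)
	}
	if _, dup := s.occurrences[o.Name]; dup {
		return fmt.Errorf("occurrence %q already exists", o.Name)
	}
	s.occurrences[o.Name] = o
	return nil
}

// filter returns matching occurrences sorted by name for stable output.
func (s *Store) filter(pred func(Occurrence) bool) []Occurrence {
	var out []Occurrence
	for _, o := range s.occurrences {
		if pred(o) {
			out = append(out, o)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// OccurrencesForNote is the provider's view: every resource, across all
// customer projects, on which this note occurs.
func (s *Store) OccurrencesForNote(noteName string) []Occurrence {
	return s.filter(func(o Occurrence) bool { return o.NoteName == noteName })
}

// OccurrencesForResource is the customer's view: everything recorded about
// one artifact, which is what a deployment policy check would query.
func (s *Store) OccurrencesForResource(uri string) []Occurrence {
	return s.filter(func(o Occurrence) bool { return o.ResourceURI == uri })
}

// OccurrencesInProject lists what one customer project owns; the project is
// the boundary at which access to occurrences would be controlled.
func (s *Store) OccurrencesInProject(project string) []Occurrence {
	prefix := "projects/" + project + "/occurrences/"
	return s.filter(func(o Occurrence) bool { return strings.HasPrefix(o.Name, prefix) })
}

func main() {
	s := NewStore()
	// Constructed sample data: one scanner provider and one customer image.
	note := Note{Name: "projects/scanner-provider/notes/EXAMPLE-FINDING-0001", Kind: "VULNERABILITY", ShortDescription: "example finding"}
	img := "https://registry.example/team-a/app@sha256:" + strings.Repeat("a", 64)
	fmt.Println(s.CreateNote(note))
	fmt.Println(s.CreateOccurrence(Occurrence{Name: "projects/team-a/occurrences/occ-1", ResourceURI: img, NoteName: note.Name, Kind: "VULNERABILITY"}))
	fmt.Println(len(s.OccurrencesForResource(img)), "occurrence(s) on", img)
}
```

The separation shows up in the three query functions: the provider asks "where does my note occur" without needing access to any customer's other metadata, while a customer asks "what is known about my artifact" or "what does my project own" without seeing other customers' occurrences.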
- Read the Grafeas announcement
- Learn the Grafeas concepts and core design principles
- Run Grafeas locally following these instructions
- Once you have a running server, you can use the client libraries to experiment with creating notes and occurrences in Grafeas. There are client libraries available in Java, Go, Ruby, and Python.
- The authoritative API definition for Grafeas is the set of protobuf files.
If you have questions, reach out to us on grafeas-users. For questions about contributing, please see the section below or use grafeas-dev.
Grafeas announcements will be posted to its @grafeasio Twitter account and to grafeas-users.
See CONTRIBUTING for details on how you can contribute.
See DEVELOPMENT for details on the development and testing workflow.
Grafeas is under the Apache 2.0 license. See the LICENSE file for details.