Black Duck & Google Grafeas: Improving Container Visibility & Security

This post was co-authored by Neal Goldman | Senior Product Manager

Containers offer many advantages over monolithic applications packaged as VMs. Most importantly, a container image is immutable and can be built and deployed easily, without relying on permanent infrastructure. Nevertheless, containers are a challenge for IT operations teams, who need full visibility into, and control of, their software supply chain to implement security and governance policies. To address this problem, Google today announced Grafeas, an open source project that provides a flexible verification framework connecting components deployed in production with their origins. Grafeas is a metadata API that aggregates information about all the software components in a container, including package descriptions, build and deployment histories, and known component vulnerabilities. The Grafeas API can be used to store, query, and retrieve comprehensive metadata on software components of all kinds.

According to a Cloud Foundry study, 22% of organizations have mainstreamed containers and 64% are expected to do so within the next year. But the biggest concern holding back adoption is the perception of security risk and a lack of visibility and control. By using Grafeas, organizations gain visibility into all the components that go into a container, from custom code to integrated open source components and container build information. Alongside Grafeas, Google has also introduced Kritis, which lets organizations set Kubernetes governance policies based on metadata stored in Grafeas. Kritis acts as a real-time policy enforcement layer for Kubernetes clusters, which you can use to automatically stop the deployment of containers with Black Duck-identified security vulnerabilities.
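The flow described above, metadata stored per image in Grafeas and a Kritis-style policy deciding whether the image may be deployed, as an added example that is not code from the Black Duck post, Grafeas or Kritis. The occurrence fields (resourceUri, noteName, kind, vulnerability.severity, packageIssue[].fixAvailable) follow the Grafeas v1 Occurrence resource as I understand it, and the policy fields are modelled on a Kritis ImageSecurityPolicy (maximumSeverity, allowlistCVEs); both are assumptions, and the sample occurrences, image digest and CVE ids are constructed placeholders.

```python
"""Kritis-style admission check over Grafeas vulnerability occurrences.

Added example; occurrence and policy shapes are assumptions modelled on
Grafeas v1 and Kritis, and all sample data below is constructed.
"""
import json

# Grafeas severity enum, ranked so policies can compare against a ceiling.
SEVERITY_RANK = {"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample of what a GET /v1/projects/{p}/occurrences response
# might carry for one image. The digest and CVE ids are placeholders.
IMAGE = "https://gcr.io/example/app@sha256:PLACEHOLDER"
SAMPLE_OCCURRENCES = json.loads("""
{"occurrences": [
 {"resourceUri": "https://gcr.io/example/app@sha256:PLACEHOLDER",
  "noteName": "projects/scanner/notes/CVE-0000-0001", "kind": "VULNERABILITY",
  "vulnerability": {"severity": "HIGH", "packageIssue": [{"fixAvailable": true}]}},
 {"resourceUri": "https://gcr.io/example/app@sha256:PLACEHOLDER",
  "noteName": "projects/scanner/notes/CVE-0000-0002", "kind": "VULNERABILITY",
  "vulnerability": {"severity": "LOW", "packageIssue": [{"fixAvailable": false}]}},
 {"resourceUri": "https://gcr.io/example/app@sha256:PLACEHOLDER",
  "noteName": "projects/builder/notes/build-1", "kind": "BUILD", "build": {}}
]}
""")


def evaluate_policy(occurrences, image_uri, maximum_severity="MEDIUM",
                    allowlist_cves=()):
    """Return (admit, reasons). Deny when any non-allowlisted vulnerability
    occurrence attached to image_uri exceeds the policy's maximum severity."""
    limit = SEVERITY_RANK[maximum_severity]
    reasons = []
    for occ in occurrences.get("occurrences", []):
        # Build, deployment and other note kinds are provenance, not policy input here.
        if occ.get("kind") != "VULNERABILITY" or occ.get("resourceUri") != image_uri:
            continue
        cve = occ["noteName"].rsplit("/", 1)[-1]
        if cve in allowlist_cves:
            continue
        sev = occ["vulnerability"].get("severity", "SEVERITY_UNSPECIFIED")
        # An unknown or unspecified severity fails closed rather than open.
        if SEVERITY_RANK.get(sev, 5) > limit:
            issues = occ["vulnerability"].get("packageIssue", [])
            fix = any(p.get("fixAvailable") for p in issues)
            reasons.append(f"{cve}: {sev} (fix available: {fix})")
    return (not reasons, reasons)


if __name__ == "__main__":
    admit, why = evaluate_policy(SAMPLE_OCCURRENCES, IMAGE)
    print("admit" if admit else "deny", why)
```

With the default MEDIUM ceiling the sample image is denied because of the HIGH finding; allowlisting that CVE or raising the ceiling to HIGH admits it.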

Grafeas introduces a chain of provenance through the entire software supply chain to improve trust in, and adoption of, container technologies. Black Duck has been working with Google on the development and testing of the Grafeas API over the last year, and we are continuing to work with Google to deliver on the vision of improving visibility into open source vulnerabilities before they reach production environments. Because many of our customers want to see the results of open source scans in the consoles of their primary development and deployment tools, you'll continue to see improvements in Black Duck's integrations with Google Cloud Platform, including the Grafeas API and other new Google platform features.

Find out more about our integrations with Google Cloud Platform on our partner page, or try Black Duck Hub on GCP with a 14-day free trial. To try Grafeas or to join the project, please visit

Free Trial: Black Duck Hub on Google Cloud Platform
