Red Hat contributes Trustify project to OpenSSF’s GUAC community
Managing software security data in the open

By Red Hat

With cyberattacks on the rise, increasing software supply chain visibility is crucial for organizations to proactively identify and mitigate vulnerabilities within their applications and infrastructure. However, handling diverse security data sources such as software bills of materials (SBOMs), Common Vulnerabilities and Exposures (CVE) records, and vendor advisories remains a major challenge due to inconsistent formats, varying levels of detail, and the lack of standardized integration points. Addressing this challenge requires not only better tools, but also open collaboration across the entire ecosystem, which in turn demands transparency and trust.

In an effort to create a more unified and scalable solution for managing security metadata, Red Hat is contributing Trustify to Graph for Understanding Artifact Composition (GUAC), an Open Source Security Foundation (OpenSSF) incubating project. This contribution reflects Red Hat's belief that transparent, upstream-first innovation is essential to building security solutions that are more scalable, interoperable, and community-driven. Under the OpenSSF umbrella, end users will be able to contribute to and collaborate on Trustify, helping to grow adoption of the project and mature the technology.

Trustify is an open source project, developed by Red Hat, that provides a high-performance, searchable backend for software supply chain metadata. It supports SBOM formats such as SPDX and CycloneDX and advisory formats such as OSV, and is designed for integration into modern continuous integration and continuous delivery (CI/CD) workflows.
The GUAC open source project aggregates and connects software security metadata into a unified graph. It enables developers and security teams to answer complex questions about software provenance, vulnerability impact, and supply chain integrity at scale. Both Trustify and GUAC are designed to tackle the same overwhelming challenge: the volume of software security data is now so large that security engineers cannot triage the resulting findings by hand (the condition commonly called "alert fatigue"). Trustify focuses on providing a single, searchable database for SBOMs, CVE records and advisories, while GUAC's strength lies in normalizing data from multiple sources into a rich graph, so that a single query can follow the links from an advisory to every affected package and on to every product that ships it.
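To make the join between the two kinds of data concrete, the following added example (written for this page; it is not Trustify's or GUAC's code and does not use their APIs) parses two small CycloneDX SBOMs and one OSV advisory, matches components to the advisory by package URL and OSV version range, links them into an in-memory graph, and answers the impact query "which SBOMs ship a component affected by this advisory?". The SBOMs, package names and advisory ID are constructed, and the purl and semver handling is deliberately simplified (no namespaces, qualifiers or pre-release tags).

```python
"""Join CycloneDX SBOMs against an OSV advisory and answer an impact query.

Added example for this page; not Trustify's or GUAC's implementation. The
SBOMs, the advisory, the package names and the advisory ID are constructed.
"""
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 documents for two hypothetical products.
SBOM_DOCS = [json.loads(s) for s in ("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"name": "example-app", "version": "1.0.0"}},
 "components": [
   {"type": "library", "name": "acme-parser", "version": "2.3.0",
    "purl": "pkg:npm/acme-parser@2.3.0"},
   {"type": "library", "name": "acme-http", "version": "1.1.0",
    "purl": "pkg:npm/acme-http@1.1.0"}]}
""", """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"name": "example-svc", "version": "0.9.0"}},
 "components": [
   {"type": "library", "name": "acme-parser", "version": "2.4.1",
    "purl": "pkg:npm/acme-parser@2.4.1"}]}
""")]

# Constructed OSV advisory: acme-parser is affected from 2.0.0 up to, but not
# including, the 2.4.0 fix. The ID is hypothetical, not a real OSV entry.
ADVISORIES = [json.loads("""
{"id": "EXAMPLE-2024-0001",
 "summary": "constructed advisory for acme-parser",
 "affected": [{"package": {"ecosystem": "npm", "name": "acme-parser",
                           "purl": "pkg:npm/acme-parser"},
               "ranges": [{"type": "SEMVER",
                           "events": [{"introduced": "2.0.0"},
                                      {"fixed": "2.4.0"}]}]}]}
""")]


def parse_version(v):
    """'2.4.0' -> (2, 4, 0). Non-numeric parts count as 0 (simplification)."""
    nums = [int("".join(c for c in p if c.isdigit()) or 0) for p in v.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_purl(purl):
    """'pkg:npm/acme-parser@2.3.0' -> ('npm', 'acme-parser', '2.3.0').
    Namespaces and qualifiers are ignored here (simplification)."""
    ptype, _, rest = purl[len("pkg:"):].partition("/")
    name, _, version = rest.partition("@")
    return ptype, name, version or None


def version_in_ranges(version, affected):
    """OSV semantics: 'versions' lists exact hits; each range is walked in
    event order, giving [introduced, fixed) or [introduced, last_affected]."""
    if version in affected.get("versions", []):
        return True
    v = parse_version(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
            continue  # GIT ranges need commit history, out of scope here
        lower = None
        for ev in rng["events"]:
            if "introduced" in ev:
                lower = parse_version(ev["introduced"])
            elif "fixed" in ev and lower is not None:
                if lower <= v < parse_version(ev["fixed"]):
                    return True
                lower = None
            elif "last_affected" in ev and lower is not None:
                if lower <= v <= parse_version(ev["last_affected"]):
                    return True
                lower = None
        if lower is not None and lower <= v:  # introduced, never fixed
            return True
    return False


def build_graph(sboms, advisories):
    """Undirected adjacency: 'sbom:' nodes <-> purl nodes <-> 'vuln:' nodes."""
    edges = defaultdict(set)

    def link(a, b):
        edges[a].add(b)
        edges[b].add(a)

    for sbom in sboms:
        root = sbom["metadata"]["component"]
        sbom_node = f"sbom:{root['name']}@{root['version']}"
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # components without a purl cannot be matched
            link(sbom_node, purl)
            ptype, pname, pver = parse_purl(purl)
            for adv in advisories:
                for aff in adv["affected"]:
                    key = parse_purl(aff["package"].get("purl", "pkg:"))[:2]
                    if pver and key == (ptype, pname) and version_in_ranges(pver, aff):
                        link(purl, f"vuln:{adv['id']}")
    return edges


def affected_by(edges, vuln_id):
    """Walk vuln -> purl -> sbom and return sorted (sbom, purl) pairs."""
    hits = []
    for purl in edges.get(f"vuln:{vuln_id}", ()):
        hits.extend((n, purl) for n in edges[purl] if n.startswith("sbom:"))
    return sorted(hits)


def impact_report(vuln_id, sboms=SBOM_DOCS, advisories=ADVISORIES):
    return affected_by(build_graph(sboms, advisories), vuln_id)


if __name__ == "__main__":
    for sbom_node, purl in impact_report("EXAMPLE-2024-0001"):
        print(f"{sbom_node} ships affected component {purl}")
```

Running it reports only example-app, because example-svc ships acme-parser 2.4.1, which is past the 2.4.0 fix boundary; the exclusive upper bound on `fixed` is the detail most hand-rolled SBOM scanners get wrong. The graph is deliberately bidirectional so the same structure answers the reverse question (which advisories touch a given SBOM) by starting from an `sbom:` node instead.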
Original post: https://www.redhat.com/en/blog/red-hat-contributes-trustify-project-openssfs-guac-community