{"id":13345820,"url":"https://github.com/grafeas/grafeas","last_synced_at":"2025-05-13T20:19:10.106Z","repository":{"id":37782715,"uuid":"99028287","full_name":"grafeas/grafeas","owner":"grafeas","description":"Artifact Metadata API","archived":false,"fork":false,"pushed_at":"2025-05-12T19:08:43.000Z","size":14803,"stargazers_count":1537,"open_issues_count":60,"forks_count":295,"subscribers_count":67,"default_branch":"master","last_synced_at":"2025-05-12T20:28:20.561Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://grafeas.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/grafeas.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-08-01T17:49:33.000Z","updated_at":"2025-05-12T19:08:47.000Z","dependencies_parsed_at":"2024-07-24T14:47:44.130Z","dependency_job_id":"282ffebb-1baa-49eb-a2fb-8691953e6fe6","html_url":"https://github.com/grafeas/grafeas","commit_stats":{"total_commits":826,"total_committers":94,"mean_commits":8.787234042553191,"dds":0.8837772397094431,"last_synced_commit":"220ed72376f81d0dd5233839d22c5627eb8d9494"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafeas%2Fgrafeas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafeas%2Fgrafeas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafeas%2Fgrafeas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafeas%2Fgrafeas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/grafeas","download_url":"https://codeload.github.com/grafeas/grafeas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020659,"owners_count":22000757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-29T20:01:09.394Z","updated_at":"2025-05-13T20:19:10.076Z","avatar_url":"https://github.com/grafeas.png","language":"Go","readme":"# Grafeas: A Component Metadata API\n\n![Grafeas logo](logo/grafeas-logo-128.png)\n\nGrafeas (\"scribe\" in Greek) is an open-source artifact metadata API that provides a uniform way to audit and govern your software supply chain. Grafeas defines an API spec for managing metadata about software resources, such\nas container images, Virtual Machine (VM) images, JAR files, and scripts. You can use Grafeas to define and aggregate information about your project's components. Grafeas provides organizations with a central source of truth for tracking and enforcing policies across an ever growing set of software development teams and pipelines. Build, auditing, and compliance tools can use the Grafeas API to store, query, and retrieve comprehensive metadata on software components of all kinds.\n\nGrafeas divides the metadata information into [_notes_](docs/grafeas_concepts.md#notes) and\n[_occurrences_](docs/grafeas_concepts.md#occurrences). Notes are high-level descriptions of particular\ntypes of metadata. Occurrences are instantiations of notes, which describe how\nand when a given note occurs on the resource associated with the occurrence.\nThis division allows third-party metadata providers to create and manage\nmetadata on behalf of many customers. It also allows for fine-grained access\ncontrol of different types of metadata.\n\n## Getting Started\n\n* Watch the talk on [Software Supply Chain Management with Grafeas and Kritis](https://www.infoq.com/presentations/supply-grafeas-kritis/)\n* Read the Grafeas [announcement](https://grafeas.io/blog/introducing-grafeas)\n* Learn the [Grafeas concepts](docs/grafeas_concepts.md) and [core design\n  principles](docs/design_principles.md)\n* Run Grafeas locally following [these\ninstructions](docs/running_grafeas.md)\n* Once you have a running server, you can\nuse the [client libraries](https://github.com/grafeas) to experiment with\ncreating notes and occurrences in Grafeas. There are client libraries available in Java, Go, Ruby, and Python.\n* The authoritative API for grafeas is the [protobuf\nfiles](https://github.com/Grafeas/Grafeas/tree/master/proto/v1beta1).\n\n## Grafeas Architecture\n\nGrafeas project consists of\n\n* the Grafeas API,\n* a reference server implementation,\n* [3 community contributed storage backends](https://github.com/grafeas/grafeas/tree/master/go/v1beta1/storage):\nPostgreSQL, BoltDB, and in-memory storage.\n\nLonger-term, these are to be extracted into separate projects (see\n[#341](https://github.com/grafeas/grafeas/issues/341)).\n\nThe diagram below shows the boundaries between Grafeas API, server, its storage\nbackends and the clients:\n\n![Grafeas Architecture](docs/grafeas_architecture.png)\n\n##  Storage Backends\n\nThe following projects provide bindings for Grafeas API to different storage backends:\n\n* [grafeas-pgsql](https://github.com/grafeas/grafeas-pgsql)\n* [grafeas-oracle](https://github.com/judavi/grafeas-oracle)\n* [grafeas-elasticsearch](https://github.com/rode/grafeas-elasticsearch)\n* [grafeas-rds](https://github.com/theparanoids/grafeas-rds)\n\n## Roadmap\n\nPlease see the [Grafeas roadmap](https://www.slideshare.net/aysylu/binary-authorization-in-kubernetes/65)\nfor the future of the project development.\n\n## Support\n\nIf you have questions, reach out to us on\n[grafeas-users](https://groups.google.com/forum/#!forum/grafeas-users). For\nquestions about contributing, please see the [section](#contributing) below or\nuse [grafeas-dev](https://groups.google.com/forum/#!forum/grafeas-dev).\n\nGrafeas announcements will be posted to its\n[@grafeasio](https://twitter.com/Grafeasio) Twitter account and to\n[grafeas-users](https://groups.google.com/forum/#!forum/grafeas-users).\n\n## Contributing\n\nSee [CONTRIBUTING](CONTRIBUTING.md) for details on how you can contribute.\n\nSee [DEVELOPMENT](DEVELOPMENT.md) for details on the  development and testing workflow.\n\n## License\n\nGrafeas is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.\n","funding_links":[],"categories":["Go","Container Operations","Dependency intelligence","Artifact signing and attestation","others","Identity Tools"],"sub_categories":["Deployment and Infrastructure","SCA and SBOM","Threat modelling"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrafeas%2Fgrafeas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgrafeas%2Fgrafeas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrafeas%2Fgrafeas/lists"}