
With cyberattacks on the rise, increasing software supply chain visibility is crucial for organizations to proactively identify and mitigate vulnerabilities within their applications and infrastructure. However, handling diverse security data sources such as software bills of materials (SBOMs), Common Vulnerabilities and Exposures (CVE) records, and vendor advisories remains a major challenge because of inconsistent formats, varying levels of detail, and the lack of standardized integration points. Addressing this challenge requires not only better tools but also open collaboration across the entire ecosystem, which demands transparency and trust.

In an effort to create a more unified and scalable solution for managing security metadata, Red Hat is proud to contribute Trustify to the Graph for Understanding Artifact Composition (GUAC), an Open Source Security Foundation (OpenSSF) incubating project. This contribution reflects Red Hat’s belief that transparent, upstream-first innovation is essential to building security solutions that are more scalable, interoperable, and community-driven. Under the OpenSSF umbrella, end users will be able to contribute to and collaborate on Trustify, helping to grow the project’s adoption and mature the technology.

Trustify is an open source project, developed by Red Hat, that provides a high-performance, searchable backend for software supply chain metadata. It supports SBOM formats such as SPDX and CycloneDX and advisory formats such as OSV, and it is designed for integration into modern continuous integration and continuous delivery (CI/CD) workflows.

The GUAC open source project aggregates and connects software security metadata into a unified graph. It enables developers and security teams to answer complex questions about software provenance, vulnerability impact, and supply chain integrity at scale.

Managing software security data in the open

Both Trustify and GUAC are designed to tackle the same problem: the volume of software security data has grown so large that vulnerability handling becomes unmanageable for security engineers (a condition commonly called “alert fatigue”). Trustify focuses on providing a single, searchable database for SBOMs, CVEs and advisories, while GUAC's strength lies in normalizing data from multiple sources into a rich graph database that yields deeper insights and actionable intelligence.

By bringing the two together, the GUAC community can enhance its own capabilities, creating a unified effort to address the challenges of consuming, processing, and using supply chain security metadata at scale. This synergy is expected to produce a more robust and comprehensive tool for developers and IT security teams. The combined effort is intended to help the open source community better understand and improve the security posture of their software, making the entire ecosystem more resilient.

Red Hat believes that the best technologies are built in the open, with transparent processes and a diverse community, where contributions are made not just as code, but as a way to build better systems together. We believe that Trustify as part of GUAC will continue to accelerate its technical evolution and its ability to strengthen the integrity and security of the software supply chain.

We invite anyone interested to try it out, provide feedback and help push the technology forward.


About the author

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.


Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

