Learning to speak the common artifact language.
Grafeas (Greek for "scribe") is a new open-source initiative backed by Google, JFrog and Red Hat, among others. At its core, the project is an attempt to create a universal artifact metadata API spec. In a world where information systems and software components appear, change and evolve continuously, there is a growing need for a universal metadata language.
A universal metadata language would offer:
- 360-degree visibility of binary artifacts all across our environments and deployment models.
- Enhanced auditing and governance of what gets built, verified and deployed.
- Seamless flow of data through the plethora of software delivery-related tools and systems.
This is what Grafeas was created for. According to the official documentation, Grafeas "defines metadata API spec for computing components (e.g., VM images, container images, jar files, scripts) that can assist with aggregations over your metadata. Grafeas uses two API concepts, a note and an occurrence. This division allows 3rd party metadata providers to create and manage metadata on behalf of many customers. Additionally, the division also allows implementation of access control settings that allow fine grain access control."
The great thing about this is that the more systems provide their artifact metadata in Grafeas format, the easier it becomes to get a full view of the provenance, quality and security properties of all our artifacts.
Such a view also gives us a very straightforward way of securing our software delivery pipeline: attestation metadata can separate the ‘good’ artifacts from the ‘bad’ ones.
In fact, the complementary part of Grafeas is the future Kubernetes component named Kritis. Kritis will govern Kubernetes deployment permission policies based on metadata provided in Grafeas notation. It is currently being alpha-tested inside Google, with the promise of releasing the source code to the community once it becomes functional.
Codefresh + Metadata = Love
At Codefresh we have always been obsessed with artifact metadata. Each Docker image created by Codefresh workflows gets decorated with all the information we can collect during and after its creation. We also provide the user with an easy way of enhancing that metadata with any custom values they may need.
For our users, Codefresh is one of the most critical components of their workflows, but it’s not the only component! There are lots of tools!
That’s why we are excited about the Grafeas initiative and are keen to provide support for the API specification even at this early stage.
The first logical step for us is exposing the existing pipeline metadata in Grafeas format, so that it can later be consumed (by Kritis, for example).
And that’s exactly what we did.
Talking to Grafeas
The Grafeas project on GitHub currently provides a reference Grafeas server implementation and client libraries for Java, Python and Go.
We used the Go client library to write a little command-line utility, ‘cf-grafeas’, that can be executed in a freestyle Codefresh pipeline step to update a Grafeas server.
The utility's source code is available on GitHub, and there is also a Docker image with a built binary on Docker Hub.
To run the utility, just execute:
cf-grafeas <http://your-grafeas-server-url> <your_image_name>
The utility is meant to run inside a Codefresh pipeline. It collects all of the metadata from the pipeline environment and writes it to your own Grafeas instance (or to a public one, when that becomes available).
Kinds of Information
Grafeas currently defines six distinct artifact information kinds: PACKAGE_VULNERABILITY, BUILD_DETAILS, IMAGE_BASIS, PACKAGE_MANAGER, DEPLOYMENT_HISTORY and ATTESTATION.
Out of these we have chosen to support BUILD_DETAILS and IMAGE_BASIS first, with DEPLOYMENT_HISTORY and ATTESTATION support coming next.
The kinds of ATTESTATION we plan to support include quality metrics such as unit test coverage and static code analysis results.
In parallel, we are looking into providing a full-blown Grafeas backend implementation inside the Codefresh platform and integrating it with security scanners and audit engines. So there is a lot to look forward to.
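To make the note/occurrence split, the access-control point it enables, and the attestation-based deployment gate concrete, here is an added Go example. It is not code from the Grafeas project, from Kritis or from cf-grafeas, and it talks to no server: the struct field names follow my reading of the Grafeas v1alpha1 JSON shape and are assumptions, the BuildDetails and Attestation fields are simplified stand-ins (the signature is an opaque string that is only checked for presence, not verified), the note id "projects/codefresh/notes/pipeline-build" is invented, and the image digest and occurrences in main are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Kind is one of the artifact information kinds Grafeas defines.
type Kind string

const (
	KindPackageVulnerability Kind = "PACKAGE_VULNERABILITY"
	KindBuildDetails         Kind = "BUILD_DETAILS"
	KindAttestation          Kind = "ATTESTATION"
)

// Note is provider-owned metadata describing a class of facts (a builder,
// an attestation authority). Field names are my reading of v1alpha1 (assumption).
type Note struct {
	Name             string `json:"name"` // projects/{provider}/notes/{id}
	Kind             Kind   `json:"kind"`
	ShortDescription string `json:"shortDescription,omitempty"`
}

// Occurrence attaches one note to one concrete resource (an image digest).
type Occurrence struct {
	Name          string         `json:"name"` // projects/{customer}/occurrences/{id}
	ResourceURL   string         `json:"resourceUrl"`
	NoteName      string         `json:"noteName"`
	Kind          Kind           `json:"kind"`
	BuildDetails  *BuildDetails  `json:"buildDetails,omitempty"`
	Attestation   *Attestation   `json:"attestation,omitempty"`
	Vulnerability *Vulnerability `json:"vulnerabilityDetails,omitempty"`
}

// BuildDetails is a simplified, hypothetical set of build-provenance fields.
type BuildDetails struct {
	BuilderVersion string `json:"builderVersion"`
	PipelineID     string `json:"pipelineId"`
	SourceCommit   string `json:"sourceCommit"`
}

// Attestation is simplified: the signature is opaque and only checked for presence.
type Attestation struct {
	Signature string `json:"signature"`
}

// Vulnerability carries only the severity the gate below needs.
type Vulnerability struct {
	Severity string `json:"severity"` // LOW, MEDIUM, HIGH, CRITICAL
}

// projectOf returns the "projects/{x}" prefix of a Grafeas resource name.
func projectOf(name string) string {
	parts := strings.SplitN(name, "/", 3)
	if len(parts) < 2 || parts[0] != "projects" {
		return ""
	}
	return "projects/" + parts[1]
}

// CanModify models the access split the note/occurrence division enables: a
// principal may change an occurrence if it owns the occurrence's project (the
// customer) or the note it references (the third-party metadata provider).
func CanModify(principalProject string, occ Occurrence) bool {
	return projectOf(occ.Name) == principalProject || projectOf(occ.NoteName) == principalProject
}

// NewBuildOccurrence turns values a CI step would read from its environment
// into a BUILD_DETAILS occurrence for the image it just built.
func NewBuildOccurrence(customer, image, pipelineID, commit string) Occurrence {
	return Occurrence{
		Name:         fmt.Sprintf("projects/%s/occurrences/build-%s", customer, pipelineID),
		ResourceURL:  image,
		NoteName:     "projects/codefresh/notes/pipeline-build", // invented note id
		Kind:         KindBuildDetails,
		BuildDetails: &BuildDetails{BuilderVersion: "example-builder", PipelineID: pipelineID, SourceCommit: commit},
	}
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Admit is a Kritis-style gate: an image is deployable only if an ATTESTATION
// occurrence for it references a trusted authority note and carries a signature,
// and no PACKAGE_VULNERABILITY occurrence reaches maxSeverity.
func Admit(image string, occs []Occurrence, trustedNotes map[string]bool, maxSeverity string) (bool, string) {
	attested := false
	for _, o := range occs {
		if o.ResourceURL != image {
			continue
		}
		switch o.Kind {
		case KindAttestation:
			if trustedNotes[o.NoteName] && o.Attestation != nil && o.Attestation.Signature != "" {
				attested = true
			}
		case KindPackageVulnerability:
			if o.Vulnerability != nil && severityRank[o.Vulnerability.Severity] >= severityRank[maxSeverity] {
				return false, "vulnerability of severity " + o.Vulnerability.Severity
			}
		}
	}
	if !attested {
		return false, "no attestation from a trusted authority"
	}
	return true, "ok"
}

func main() {
	// Constructed sample data: digest and occurrences are not real.
	image := "docker.io/example/app@sha256:0000000000000000000000000000000000000000000000000000000000000000"
	build := NewBuildOccurrence("acme", image, "42", "deadbeef")
	qa := Occurrence{Name: "projects/acme/occurrences/qa-1", ResourceURL: image, Kind: KindAttestation,
		NoteName: "projects/acme/notes/qa-approved", Attestation: &Attestation{Signature: "constructed"}}
	out, _ := json.MarshalIndent(build, "", "  ")
	fmt.Println(string(out))
	fmt.Println(Admit(image, []Occurrence{build, qa}, map[string]bool{"projects/acme/notes/qa-approved": true}, "HIGH"))
}
```

The gate keys everything on the image digest in resourceUrl, so an attestation for one build cannot be reused for a different one; a real gate would also verify the signature against the authority's public key before trusting it.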
We’ll be happy to hear what you think.
The cf-grafeas docker image on Dockerhub: https://hub.docker.com/r/codefresh/cf-grafeas/
The Grafeas project code: https://github.com/Grafeas
The official project site is here: https://grafeas.io/
The cf-grafeas source code: https://github.com/codefreshdemo/cf-grafeas