At Sonatype we've been talking about securing and strengthening software supply chains for quite a while. We've even produced the annual State of the Software Supply Chain report since 2015.
A few years ago, most people had never heard of a "software supply chain". They couldn't quite grasp how applications were being assembled from third-party components. They couldn't see how traditional software development had transformed into a supply chain-like process.
So much has changed in the past six years. Today, we're reaping the benefits of maturing DevOps, containers, and microservices. Development teams everywhere are embracing continuous delivery practices and realizing the importance of maintaining a trusted software supply chain from the very beginning, to the very end, of the value chain.
The latest evidence of this trend is Grafeas; an open source initiative launched by Google to define a uniform way for auditing and governing the modern software supply chain. Grafeas is an open API designed to expose relevant metadata about artifacts to help customers continuously audit and govern the volume and variety of components and containers flowing through the modern development lifecycle and into production.
Perhaps more than any organization in the world, Google understands that software innovation is a strategic weapon of choice for delivering new customer experiences and creating new markets. Whether you’re a bank, a drug maker, an auto maker, or a retailer, survival in today’s application economy depends on your ability to innovate.
Organizations are fundamentally changing how they build and deliver software to the market. They are shifting from waterfall releases once per quarter; to continuous deployments happening dozens of times a day. Nowadays, innovation is king, speed is critical, and more than ever -- organizations need strong governance and policy enforcement underpinning every phase of their software supply chain.
At Sonatype we have a rich history of supporting open software innovation. From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we value the power of community collaboration.
Grafeas is a terrific idea. Google, IBM, Red Hat, CoreOS, Twistlock, Aqua, jFrog, and Black Duck should be applauded for their initiative.
In keeping with our long standing commitment to open innovation — Sonatype is excited to add unique value to the Grafeas community so organizations everywhere can automatically strengthen and secure software supply chains early, everywhere, and at scale.