Graph for Understanding Artifact Composition
Graph for Understanding Artifact Composition, usually shortened to GUAC, is an OpenSSF software supply-chain project for aggregating security metadata into a queryable graph.
Definition
Graph for Understanding Artifact Composition (GUAC) is an OpenSSF software supply-chain security project. The OpenSSF project page says GUAC ingests software metadata such as SBOMs and maps relationships between software. The GUAC repository describes the same idea more technically: GUAC aggregates software security metadata into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them.
GUAC is not an SBOM format, a vulnerability scanner by itself, a proof that a package is safe, or an AI governance standard. It is an aggregation and synthesis layer. It helps teams ask questions across many artifacts and metadata documents instead of inspecting one SBOM, one attestation, or one vulnerability report at a time.
The AI inference is practical: deployed AI systems are built from ordinary software artifacts as well as models, prompts, datasets, tools, and infrastructure. If those artifacts are spread across containers, packages, repositories, model gateways, and agent connectors, a graph that connects supply-chain metadata can become useful governance evidence.
How It Works
GUAC documentation frames the project as a way to move from isolated supply-chain data to usable knowledge. It ingests software security metadata, maps relationships between software, and exposes that graph through query and visualization workflows. The docs describe searches for vulnerabilities through transitive dependencies, package summary reports, and links between SBOM data and additional package information.
The "known and unknown" GUAC demo is a useful governance pattern. It asks what metadata exists for an artifact and what is missing: an SBOM, a SLSA Provenance attestation, OpenSSF Scorecard information, or other attestations. That shifts the security conversation from "we ran a scan" to "we know which evidence is present and which evidence is absent."
OpenSSF's 2025 GUAC 1.0 announcement says GUAC collects and stores SBOMs from file systems, object storage, image repositories, and code repositories, then parses them into a graph database. GUAC can also enrich the graph by querying trusted services for package information. The project documentation names examples such as Deps.dev, OpenSSF Scorecard, and OSV vulnerability data.
Agent Context
Agentic systems make supply-chain graphs more valuable because agents connect many pieces of software into action paths. A coding agent may install packages, run build tools, invoke CI, edit repositories, and launch containers. A browser agent may depend on browser automation, extensions, sandbox images, screenshot services, identity sessions, and policy filters. A customer-service agent may route through retrieval stores, CRM connectors, email gateways, and payment or escalation tools.
GUAC can help answer questions that matter before and after an agent incident: which deployed images include a vulnerable dependency, which tool servers lack provenance, which package versions are duplicated across agent runtimes, which artifacts have SBOMs but no VEX status, and which repositories have weak security practice signals. It does not decide whether an agent should act, whether a prompt is malicious, or whether a model answer is correct.
Governance and Safety
A governance-grade GUAC workflow should preserve which sources were ingested, when they were refreshed, which artifact identifiers were normalized, which external services enriched the graph, which query produced a decision, and which person or policy accepted the result. The graph should be treated as evidence infrastructure, not as an oracle.
The main governance risk is stale confidence. If the graph is missing private registries, model-serving images, agent plugins, temporary build outputs, or customer-specific deployments, its answer may be incomplete. GUAC's "known and unknown" framing is useful precisely because it makes absence visible. A serious deployment record should say which supply-chain evidence exists and which evidence remains unavailable.
GUAC is strongest when paired with AI Bill of Materials records, Vulnerability Exploitability eXchange statements, provenance attestations, asset inventories, and incident-response procedures. It should support prioritization, not replace accountable ownership.
Defense Pattern
- Define graph scope. Name which registries, repositories, artifact stores, SBOM sources, and attestations are included.
- Track freshness. Store ingestion times and refresh schedules so old metadata does not masquerade as current knowledge.
- Preserve query evidence. Save the query, graph version, result, decision, reviewer, and remediation owner.
- Make absence visible. Treat missing SBOMs, missing provenance, or missing vulnerability status as findings to triage.
- Separate graph answer from action. A GUAC query can inform a patch plan or deployment block, but policy must decide the action.
- Connect to incidents. During a supply-chain event, use the graph to identify affected artifacts, owners, dependencies, and missing evidence.
Source Discipline
Claims about GUAC should cite GUAC or OpenSSF sources directly. A GUAC graph can include SBOM, SLSA, VEX, Scorecard, OSV, Deps.dev, and other metadata, but those sources retain their own meanings. GUAC is the relationship layer; it does not transform weak source evidence into strong assurance.
When applying GUAC to AI systems, label the inference. GUAC's sources are software supply-chain sources. The AI relevance comes from the fact that agent systems and model services are deployed as software stacks that can be inventoried, attested, scanned, and queried.
Spiralist Reading
Spiralism reads GUAC as a memory palace for software dependence. Modern systems do not fail as isolated artifacts. They fail through ancestry, reuse, transitive dependency, shared maintainer risk, stale evidence, and misunderstood inheritance.
The useful ritual is not the graph visualization. It is the demand that a machine-mediated institution be able to say what it contains, where it came from, what evidence is missing, and who is responsible for acting on the answer.
Open Questions
- Which AI-specific artifacts belong in a GUAC-style graph: model images, adapters, prompts, tools, evaluations, or retrieval indexes?
- How should closed model providers expose enough supply-chain metadata for downstream GUAC-style analysis?
- What graph queries should trigger automatic deployment gates for agent tools or model-serving containers?
- How should organizations explain graph-derived risk decisions to auditors, customers, workers, or affected users?
Related Pages
- AI Bill of Materials
- SLSA Provenance
- Vulnerability Exploitability eXchange
- Exploit Prediction Scoring System
- AI Data Provenance
- Agentic Supply-Chain Vulnerabilities
- Secure AI System Development
- AI Coding Agents
- AI Agent Sandboxing
- AI Agent Observability
- Confidential Computing for AI
- Model Context Protocol
- AI Governance
Sources
- OpenSSF, GUAC project page, reviewed June 25, 2026.
- GUAC, GUAC Docs, reviewed June 25, 2026.
- GUAC, What is Known and Unknown about your software supply chain?, reviewed June 25, 2026.
- GUAC maintainers, guacsec/guac GitHub repository, reviewed June 25, 2026.
- OpenSSF, GUAC 1.0 is Now Available, June 12, 2025.
- OpenSSF, Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project, March 7, 2024.