29 August, 2025
Red Hat contributes Trustify to GUAC under OpenSSF to enhance software supply chain security and visibility.
As cyberattacks increase, gaining visibility across the software supply chain has become a high-priority task for organizations. To address this, Red Hat has contributed Trustify, an open-source project, to the Graph for Understanding Artifact Composition (GUAC) project under the Open Source Security Foundation (OpenSSF). The contribution reflects Red Hat's focus on building secure, scalable, and open security tooling. Trustify is an enterprise-grade, searchable backend for software supply chain metadata: Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) records, and vendor advisories. It accepts the SBOM formats SPDX and CycloneDX as well as the OSV vulnerability format, and is designed to be integrated into continuous integration and continuous delivery (CI/CD) pipelines.
The GUAC project combines and normalizes security metadata from different sources into a single graph, so that developers and security teams can work with complex software security metadata efficiently. The joint effort aims to give better insight into software provenance, the blast radius of a vulnerability, and supply chain integrity, reducing "alert fatigue" and making vulnerability data more scalable and usable.
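The correlation that GUAC and Trustify perform at scale, reduced to a runnable sketch. This is an added example and not code from Trustify or GUAC: it parses a constructed CycloneDX SBOM and constructed OSV records (fictional package names, hypothetical advisory IDs OSV-EXAMPLE-0001 and OSV-EXAMPLE-0002), normalizes both into one dependency graph, and walks that graph in reverse to list every artifact exposed through an affected component. The version comparison is deliberately simplified; real tooling applies each ecosystem's own version rules.

```python
"""Added example (not Trustify or GUAC code): normalize one CycloneDX SBOM and
OSV advisories into a single graph, then query which artifacts are exposed.
All inputs below are constructed; package names and advisory IDs are fictional."""
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 SBOM: an application image and its (fictional) PyPI dependencies.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "billing-svc",
               "version": "2.3.0", "bom-ref": "pkg:oci/billing-svc@2.3.0"}},
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.25.1",
     "purl": "pkg:pypi/acme-http@2.25.1", "bom-ref": "pkg:pypi/acme-http@2.25.1"},
    {"type": "library", "name": "acme-sockets", "version": "1.26.4",
     "purl": "pkg:pypi/acme-sockets@1.26.4", "bom-ref": "pkg:pypi/acme-sockets@1.26.4"},
    {"type": "library", "name": "acme-certs", "version": "2023.7.22",
     "purl": "pkg:pypi/acme-certs@2023.7.22", "bom-ref": "pkg:pypi/acme-certs@2023.7.22"}
  ],
  "dependencies": [
    {"ref": "pkg:oci/billing-svc@2.3.0", "dependsOn": ["pkg:pypi/acme-http@2.25.1"]},
    {"ref": "pkg:pypi/acme-http@2.25.1",
     "dependsOn": ["pkg:pypi/acme-sockets@1.26.4", "pkg:pypi/acme-certs@2023.7.22"]}
  ]
}'''

# Constructed OSV records with hypothetical IDs; the second is already fixed in our SBOM's version.
OSV_JSON = r'''[
  {"id": "OSV-EXAMPLE-0001", "summary": "constructed: acme-sockets before 1.26.5",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "acme-sockets"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "1.26.5"}]}]}]},
  {"id": "OSV-EXAMPLE-0002", "summary": "constructed: acme-certs before 2023.7.0",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "acme-certs"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "2023.7.0"}]}]}]}
]'''


def parse_version(v):
    """Simplified dotted-numeric comparison key (assumption for this example).
    Real resolvers apply per-ecosystem rules (PEP 440 for PyPI, semver for npm),
    which is exactly why GUAC-style tooling normalizes before it correlates."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version, events):
    """Walk an OSV range's ordered events: 'introduced' opens an affected interval,
    'fixed' closes it (exclusive), 'last_affected' closes it (inclusive)."""
    ver, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev and parse_version(ev["introduced"]) <= ver:
            affected = True
        elif "fixed" in ev and parse_version(ev["fixed"]) <= ver:
            affected = False
        elif "last_affected" in ev and parse_version(ev["last_affected"]) < ver:
            affected = False
    return affected


def build_graph(sbom, advisories):
    """Normalize SBOM dependency edges and OSV matches into one structure keyed by bom-ref."""
    g = {"components": {}, "depends_on": defaultdict(set),
         "depended_by": defaultdict(set), "vuln_affects": defaultdict(set)}
    for c in [sbom["metadata"]["component"]] + sbom.get("components", []):
        g["components"][c["bom-ref"]] = c
    for d in sbom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            g["depends_on"][d["ref"]].add(dep)
            g["depended_by"][dep].add(d["ref"])
    for adv in advisories:
        for aff in adv["affected"]:
            # Match on the purl prefix "pkg:<ecosystem>/<name>@", then test the version range.
            prefix = f'pkg:{aff["package"]["ecosystem"].lower()}/{aff["package"]["name"]}@'
            for ref, c in g["components"].items():
                if c.get("purl", "").startswith(prefix) and any(
                        is_affected(c["version"], r["events"])
                        for r in aff.get("ranges", []) if r["type"] == "ECOSYSTEM"):
                    g["vuln_affects"][adv["id"]].add(ref)
    return g


def impact(g, vuln_id):
    """Reverse-walk 'depended_by' from each affected component: every artifact reached
    ships the vulnerable code transitively."""
    seen, stack = set(), list(g["vuln_affects"].get(vuln_id, ()))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(g["depended_by"].get(ref, ()))
    return sorted(seen)


def analyze(sbom_json=SBOM_JSON, osv_json=OSV_JSON):
    """Return {advisory id: sorted list of exposed bom-refs} for the given inputs."""
    advisories = json.loads(osv_json)
    g = build_graph(json.loads(sbom_json), advisories)
    return {adv["id"]: impact(g, adv["id"]) for adv in advisories}


if __name__ == "__main__":
    for vuln, refs in analyze().items():
        print(vuln, "->", refs or "no exposed artifacts")
```

Running it lists the application image itself as exposed through OSV-EXAMPLE-0001, because the affected library is two dependency hops below it, while OSV-EXAMPLE-0002 yields nothing because the shipped version is past the fix. That reverse walk over a normalized graph, rather than a flat per-package match, is the kind of query that turns a pile of advisories into an answer to "which of our deliverables actually carry this".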
Red Hat's contribution of Trustify to GUAC reflects its commitment to upstream-first development: the view that interoperable, community-driven solutions are essential. This open approach invites contributions from the wider open-source community, which helps speed up adoption and hardening of the technology.
With Trustify integrated into GUAC, organizations gain a way to work with very large volumes of security data and to better understand and secure their software supply chains. Through open, transparent development, Red Hat aims to strengthen the security and integrity of the global software ecosystem and build resilience and confidence in software infrastructure.