ossf · joshbressers · Jul 11, 2024 · Jul 11, 2024
@@ -578,3 +578,19 @@
     - Validate
   Type:
   Language:
+
+- Name: GUAC
+  Link: https://github.com/guacsec/guac
+  Publisher: GUAC (OpenSSF)
+  License: OpenSource
+  Standards:
+    - CycloneDX
+    - SPDX
+  Abilities:
+    - Consume
+  Type: 
+    - Source
+    - Build
+    - Analyzed
+  Language:
+    - Generic
@@ -0,0 +1,12 @@
+[Graph for Understanding Artifact Composition](https://guac.sh) (GUAC)  provides supply chain observability with a graph view of the software supply chain and tools for performing queries to gain actionable insights.
+
+GUAC is for developers, operations, and security practitioners who need to identify and address problems in their software supply chain, including proactively managing dependencies and responding to vulnerabilities.
+
+GUAC has three key differentiating features from other tools in this space
+
+* **Works on more than one SBOM at a time.**
+This allows observability into the entire software portfolio instead of application-by-application.
+* **Aggregates additional data beyond the SBOM.**
+GUAC brings in data like dependencies and vulnerabilities from trusted third-party sources, enriching the supply chain graph.
+* **Provides APIs and a visualization tool.**
+GUAC’s query and visualization tooling let the user get the answers to the questions they need to ask.