GUAC

"GUAC: Graphing Your Artifacts, Dependencies, and Vulnerabilities"
Modern supply chains generate oceans of metadata—SBOMs, scanner findings, registry records, provenance, and advisory feeds—yet security and platform teams still struggle to answer basic questions with confidence. This book is for experienced engineers and security practitioners who need defensible, fast, and repeatable answers about what they ship: not more dashboards, but a coherent correlation layer that turns fragmented evidence into a queryable graph.
You’ll learn how GUAC models software reality across artifacts, packages, and sources; why identity normalization (digests, coordinates, pURLs) is the make-or-break foundation; and how attestations preserve competing claims without erasing uncertainty. The book goes deep on building production ingestion pipelines, engineering graph storage for traversal workloads, and writing query patterns that return auditable results with provenance, confidence, and coverage flags. It also operationalizes GUAC for incident response: mapping vulnerabilities to deployed artifacts, explaining blast radius with path evidence, and verifying closure without regressions.
Expect a practitioner’s focus on trade-offs, failure modes, and integration patterns. Readers should be comfortable with SBOM concepts, vulnerability ecosystems (CVE/GHSA/OSV), and operating API-driven systems; GUAC is treated as an internal platform, not a point tool.