Skip to content

Adoption & Ecosystem

Who uses it

The repository has no ADOPTERS.md and the README has no adopters section, so this deep-dive found no citable named production end-user. Rather than invent one, the table below lists the organizations with a documented relationship to the project, which is building and supporting it, not a public statement of running it in production.

OrganisationRelationshipSource
Kusari, Google, Purdue University, CitiFounding collaboratorsKusari blog
OpenSSFHosts GUAC as an incubating projectOpenSSF project page
Red HatContributed the Trustify project to the GUAC communityRed Hat blog

Adoption signals

Because named adopters are not citable, the measurable signals matter more here. As of 2026-06-22 (GitHub REST API): 1,508 stars, 205 forks, and 70 contributors. The project is an OpenSSF incubating project under active development, with commits on main past the latest tagged release (sources: GitHub API, OpenSSF project page).

Ecosystem

GUAC sits downstream of the tools that produce supply chain metadata and integrates a broad set of formats and sources. It ingests SPDX and CycloneDX SBOMs, in-toto/SLSA attestations (ITE6/DSSE), OpenVEX and CSAF, and OpenSSF Scorecard results, and it can enrich the graph from deps.dev, OSV, ClearlyDefined, and endoflife.date (pkg/handler/processor/process/process.go:57, pkg/ingestor/parser/parser.go:109). Collection sources include file, OCI, GCS, S3, git, GitHub, and Kubescape (pkg/handler/collector/). On storage it ships keyvalue (in-memory) and ent+PostgreSQL as supported backends, with ArangoDB, Neo4j, and Neptune also present (pkg/assembler/backends/backends.go:27).

Alternatives

GUAC's distinction is that it is a relationship graph and query layer across many artifacts plus external metadata, not a per-artifact SBOM store and not a scanner.

AlternativeDiffers by
Dependency-TrackComponent/vulnerability analysis dashboard centered on tracked projects, rather than a general GraphQL graph aggregating arbitrary supply chain documents and external sources
TrustifyAdjacent supply chain effort contributed by Red Hat into the GUAC community in 2026, consolidating rather than competing (Red Hat blog)
Plain SBOM repositoriesStore and retrieve individual SBOMs; they do not normalize entities across documents or answer cross-artifact queries