GUAC

An open-source tool from Google that aggregates software supply chain metadata (SBOMs, attestations, vulnerability data, scorecard results) into a queryable graph database. GUAC answers questions like "which of my deployments are affected by this CVE?" across your entire software portfolio. It represents the direction supply chain security is heading — from document exchange to real-time queryable intelligence.