Assured OSS
Your trusted source for open source software packages
Improve the security of your software supply chain by incorporating the same trusted open source software (OSS) packages that Google secures and uses into your own developer workflows.
- Obtain your OSS packages from a trusted and known supplier
- Know more about your ingredients from Assured SBOMs, provided in industry standard formats
- Reduce risk and benefit from Google actively finding and fixing vulnerabilities in packages
- Increase confidence in the integrity of the packages through signed, tamper-evident provenance
- Choose from 1000+ curated Java/Python packages including ML/AI projects like TensorFlow
Video (20:14): Managing the risks of open source dependencies in your software supply chain
Build trust in critical dependencies
Take control of your dependencies
SLSA-2 compliant builds
Packages are built with Cloud Build, with evidence of verifiable SLSA compliance. We provide three levels of package assurance: level 1, built and signed by Google; level 2, securely built from vetted sources, with attestations covering all transitive dependencies; and level 3, covering the transitive closure of all dependencies and continuously scanned and fuzzed.
Enriched metadata in standard formats
SBOMs for each package come with enriched metadata including Cloud Build, Container Analysis, package health, and vulnerability impact data, provided in SPDX and VEX formats.
Fuzzing and vulnerability testing
Packages include OSV data and are regularly scanned, analyzed, and fuzz-tested for vulnerabilities.
Verifiable integrity and provenance
Packages and metadata include end-to-end provenance of how the packages were built and tested.
Secured distribution
Signed versions of the packages and their metadata are distributed from a Google-managed, secured, and protected Artifact Registry.
Ongoing portfolio expansion
New packages are added on an ongoing basis based on the open source projects that impact our customers.
Learn more
Assured Open Source Software Guides
Get a quick intro to using Assured OSS packages and learn how to complete specific tasks.
Software Delivery Shield
Enhance software supply chain security across the entire SDLC, from development, supply, and CI/CD to runtimes, with our fully managed, end-to-end solution.
Protect your software supply chain
Learn best practices that help protect your software across processes and systems in your software supply chain.
Shifting left on security: securing software supply chains
Understand the processes, tools, practices, and techniques that increase confidence in the SDLC by mitigating security-risk concerns.