
Services for storing and searching information about software content and vulnerabilities


desmax74/trustification



Trustification


Trustification is a collection of software that allows you to store bills of materials (SBOMs) and vulnerability information (VEX documents) for your organization and use that information to learn the impact of vulnerabilities and dependency changes.

With Trustification you can:

  • Store SBOM and VEX documents for your company software and their dependencies.
  • Discover and learn the state of vulnerabilities related to your software.
  • Explore SBOM and VEX documents using search queries.
  • Share access to your SBOM and VEX information with others.

Trustification consists of a set of services you can use standalone or together:

  • Bombastic - Storage and archival of SBOM documents.
  • Vexination - Storage and archival of VEX documents.
  • V11y - Storage and lookup of information about a vulnerability.
  • Collectorist - A process that drives polling and populating of GUAC and V11y.
  • Spog - Single Pane Of Glass API and frontend.

Services such as Bombastic and Vexination use S3-compatible storage for storing SBOM/VEX data and a search index. The search index is used to query data using the sikula query language.

Have a look at the README file for each service for more detailed information on how they work.

Running locally

Prerequisite: an implementation of the Compose Spec such as Docker Desktop or podman-compose. For the latter, v1.0.6 or higher is required.

To start all dependencies and trustification components:

For Linux systems only, set the SELinux volume option first:

export SELINUX_VOLUME_OPTIONS=':Z'

Then, on any system:

cd deploy/compose
podman-compose -f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml -f compose-walkers.yaml up

If you'd like to run a specific release, edit the .env file in that directory and set TRUST_VERSION to the desired release label.

This will start MinIO and Kafka for object storage and eventing and then run all the trustification services. It will also start to ingest data from Red Hat sources automatically. You should be able to open the UI by pointing your browser to http://localhost:8084.
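The local start-up steps above as a small wrapper script. This is an added example, not a script from the trustification repository: it checks the podman-compose version the README requires (1.0.6 or higher), sets SELINUX_VOLUME_OPTIONS only on Linux, optionally pins TRUST_VERSION in deploy/compose/.env, and brings the stack up. It assumes the version string is the first dotted number printed by `podman-compose --version`, and the TRUST_VERSION_LABEL variable is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the trustification project): wrapper for the
# "Running locally" steps in the README.
set -eu

COMPOSE_DIR="deploy/compose"                    # directory named in the README
COMPOSE_FILES="-f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml -f compose-walkers.yaml"
MIN_COMPOSE_VERSION="1.0.6"                     # minimum podman-compose version per the README

# version_ge A B: succeed when dotted version A >= B, compared component by component.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$x" = "$a" ] && a="" || a="${a#*.}"
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# selinux_volume_options OS: the ':Z' volume suffix from the README is only needed on Linux.
selinux_volume_options() {
    case "$1" in
        Linux) printf ':Z' ;;
        *)     printf '' ;;
    esac
}

# pin_version ENV_FILE LABEL: set TRUST_VERSION in the compose .env file (README: edit .env
# to run a specific release). Prints the resulting TRUST_VERSION line.
pin_version() {
    env_file="$1"; label="$2"
    if grep -q '^TRUST_VERSION=' "$env_file" 2>/dev/null; then
        sed -i.bak "s|^TRUST_VERSION=.*|TRUST_VERSION=$label|" "$env_file" && rm -f "$env_file.bak"
    else
        printf 'TRUST_VERSION=%s\n' "$label" >> "$env_file"
    fi
    grep '^TRUST_VERSION=' "$env_file"
}

start_stack() {
    installed="$(podman-compose --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n 1)"
    if ! version_ge "${installed:-0}" "$MIN_COMPOSE_VERSION"; then
        echo "podman-compose >= $MIN_COMPOSE_VERSION required, found '${installed:-none}'" >&2
        return 1
    fi
    SELINUX_VOLUME_OPTIONS="$(selinux_volume_options "$(uname -s)")"; export SELINUX_VOLUME_OPTIONS
    # TRUST_VERSION_LABEL is a hypothetical variable for this example, e.g. a release tag.
    [ -n "${TRUST_VERSION_LABEL:-}" ] && pin_version "$COMPOSE_DIR/.env" "$TRUST_VERSION_LABEL"
    cd "$COMPOSE_DIR"
    # shellcheck disable=SC2086  # COMPOSE_FILES is intentionally word-split into -f arguments
    podman-compose $COMPOSE_FILES up
}

# Only launch when explicitly asked ("./run-local.sh up"), so the helpers can be sourced safely.
if [ "${1:-}" = "up" ]; then start_stack; fi
```

Once the stack is up, the UI should answer at http://localhost:8084 as described above.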

You can also run all of the trustification services via a single binary named trust or using the container image ghcr.io/trustification/trust.

Running in production

There is a helm chart that you can use to deploy all Trustification services. See this file for the example deployment used for the staging.trustification.dev environment.

The helm chart assumes that infrastructure such as Kafka/SQS and S3 is managed externally and that access credentials are injected into secrets as specified in the chart configuration.

Developing

See DEVELOPMENT for running the different components while developing.

Building

To build all trustification components:

cargo build

To use containers to build and package:

podman build -t trust -f Containerfile .

Languages

  • Rust 95.7%
  • Smarty 2.7%
  • Shell 0.6%
  • TypeScript 0.3%
  • HTML 0.3%
  • SCSS 0.2%
  • Other 0.2%