gitwtfhub

wtf is grafeas?

kelseyhightower/grafeas — explained in plain English

Analysis updated 2026-07-17 · repo last pushed 2017-10-15

3GoAudience · ops devopsComplexity · 4/5DormantSetup · hard

TL;DR

Grafeas is a spec for storing structured metadata about your software, like vulnerabilities, build info, and deployment history, so you can track what's inside everything you ship.

Mindmap

mindmap
  root((grafeas))
    What it does
      Metadata API spec
      Tracks software components
      Notes and occurrences
    Tech stack
      Go
      API specification
    Use cases
      Vulnerability tracking
      Build provenance
      Deployment history
    Audience
      Security vendors
      DevOps teams
      Platform builders

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Track which container images contain a known vulnerability across your fleet.

REASON 2

Record build provenance showing what tool produced an artifact and when.

REASON 3

Maintain a library of security notes and link them to specific scanned resources.

REASON 4

Track deployment history and package manager details in one queryable format.

What's in the stack?

Go

How it stacks up

kelseyhightower/grafeasalexremn/finalizer-doctorazer/diskwhere
Stars333
LanguageGoGoGo
Last pushed2017-10-15
MaintenanceDormant
Setup difficultyhardeasyeasy
Complexity4/53/51/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1h+

It's a spec, not a runnable service, you need a compatible Grafeas server implementation to use it.

Wtf does this do

Grafeas is an API specification for storing and retrieving metadata about the software components you build and deploy, things like container images, VM images, JAR files, and scripts. Think of it as a structured filing system that keeps track of what's inside your software: known vulnerabilities, build details, what base image was used, deployment history, and more. The core idea revolves around two concepts: notes and occurrences. A note is a general description of something, say, a specific security vulnerability (like a known CVE) or a build tool. An occurrence is a specific instance where that note shows up in one of your actual resources, for example, "this vulnerability was found in this specific container image, and here's how to fix it." This split lets a security vendor maintain a library of notes (the vulnerabilities they know about) and then record occurrences in each customer's project when they find those issues during a scan. This design is useful for teams who need to answer questions like: "Which of our images contain this vulnerability?" or "What went into building this artifact?" A vulnerability scanning provider, for instance, could maintain notes for every CVE they track, then generate occurrences in your project when they scan your containers. You could also track build provenance (what builder produced an image and when), deployment history, or package manager details, all in a normalized, queryable format. Grafeas supports several metadata "kinds" out of the box: package vulnerabilities, build details, image base layers, package manager info, deployment history, and attestations. Each kind has a strict schema so data from different providers stays consistent and comparable. The API also has built-in access control concepts, note owners can keep their notes read-only for others, while occurrence access is limited to those authorized to create links. One practical detail: resource URLs need to be unique and immutable, so metadata always points to exactly one component. The spec recommends content-addressable URLs (like Docker image digests) and provides example URL formats for Debian packages, Maven artifacts, NPM modules, Python pip packages, RPMs, and generic files.

Yoink these prompts

Prompt 1
Explain how Grafeas notes and occurrences relate to each other with a concrete vulnerability example.
Prompt 2
Show me how to design a content-addressable resource URL for a Docker image using Grafeas conventions.
Prompt 3
Walk me through building a vulnerability scanner that writes occurrences to a Grafeas-compatible API.
Prompt 4
Compare Grafeas's note/occurrence model to a simple database schema for tracking build metadata.

Frequently asked questions

wtf is grafeas?

Grafeas is a spec for storing structured metadata about your software, like vulnerabilities, build info, and deployment history, so you can track what's inside everything you ship.

What language is grafeas written in?

Mainly Go. The stack also includes Go.

Is grafeas actively maintained?

Dormant — no commits in 2+ years (last push 2017-10-15).

How hard is grafeas to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is grafeas for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.