Trustification is a collection of software that allow you to store bill of materials (SBOM), vulnerability information (VEX) for your organization and use that information to learn impact of vulnerabilities and dependency changes.
With Trustification you can:
- Store SBOM and VEX documents for your company software and their dependencies.
- Discover and learn the state of vulnerabilities related to your software.
- Explore SBOM and VEX documents using search queries.
- Share access to your SBOM and VEX information with others.
Trustification consists of a set of services you can use standalone or together:
- Bombastic - Storage and archival of SBOM documents.
- Vexination - Storage and archival of VEX documents.
- Reservoir - Managing product metadata and access control.
- Spog - Single Pane Of Glass API and frontend.
Services such as Bombastic and Vexination uses S3-compatible storage for storing SBOM/VEX data and a search index. The search index is used to query data using the sikula query language.
Have a look at the README file for each service for more detailed information on how they work.
You can try out a publicly hosted trustification instance at https://trustification.dev. This instance is ingested with Red Hat security advisories and SBOMs for Red Hat products only.
Prerequisite: podman-compose or docker-compose.
To start all dependencies and trustification components:
cd deploy/compose
docker-compose -f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml upThis will start MinIO and Kafka for object storage and eventing and then run all the trustification services. It will also start to ingest data from Red Hat sources automatically via the vexination-walker and (TODO bombastic-walker) processes.
You can also run all of the trustification services via a single binary named trust or using the container image ghcr.io/trustification/trust.
You can also try out the publicly hosted instance at https://trustification.dev.
See DEVELOPMENT for running the different components while developing.
To build all trustification components:
cargo buildTo use containers to build and package:
podman build -t trust -f trust/Containerfile .