Help reduce the risk to your software supply chain by using the same OSS packages that Google uses and secures in your own developer workflows.
Obtain your OSS packages from a trusted and known supplier
Know more about your ingredients from Assured SBOMs, provided in industry standard formats
Reduce risk with Google actively finding and fixing vulnerabilities in packages
Increase confidence in the integrity of the packages through signed, tamper-evident provenance
Choose from 1000+ curated Java and Python packages including ML/AI projects like TensorFlow
Leverage Google’s end-to-end capabilities and expertise to address the emerging threats to the software supply chain.
Reduce the need for your DevOps teams to establish and operate OSS security workflows.
Accelerate your business’s ability to meet new software supply chain security regulatory requirements.
Packages are built with Cloud Build, including evidence of verifiable SLSA compliance. We provide three levels of package assurance: level 1, built and signed by Google; level 2, securely built from vetted sources, and attested to all transitive dependencies; and level 3, including transitive closure of all dependencies and continuously scanned and fuzzed.
Packages include OSV data and are regularly scanned, analyzed, and fuzz-tested for vulnerabilities.
Packages and metadata include end-to-end provenance of how the packages were built and tested.
Signed versions of the packages and their metadata are distributed from a Google-managed, secured, and protected Artifact Registry.
New packages are added on an ongoing basis based on the open source projects that impact our customers.
Assured OSS is available at no cost.