Overview of Assured Open Source Software

Assured Open Source Software (Assured OSS) lets you take advantage of the security and experience that Google applies to open source software (OSS) by incorporating the same OSS packages that Google secures and uses into your own developer workflows.

Assured OSS lets you do the following:

  • Obtain your OSS packages from a trusted and known supplier.
  • Know more about package contents with Assured SBOMs, provided in industry-standard formats like SPDX.
  • Know about the threats to and security status of a package with VEX information in an industry-standard format like CycloneDX.
  • Reduce security risk as Google is actively scanning, finding, and fixing new vulnerabilities in curated packages.
  • Increase confidence in the integrity of the OSS you are using through signed, tamper-evident provenance.
  • Choose from more than one thousand of the most popular Java and Python packages, including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn.

The open-source packages are built by Google in a secure manner. These packages meet Supply-chain Levels for Software Artifacts (SLSA) level 3 requirements and have a verifiable provenance and SBOM.

Assured OSS tiers

Assured OSS has a free tier and a paid tier. The paid tier is available when you purchase Security Command Center Enterprise.

The free tier includes the following:

  • Python and Java open-source packages in curated repositories.
  • Manual setup steps.
  • Curated repositories created in a Google-managed project.
  • Universal proxy endpoints for open-source packages. This proxy lets you download open-source packages and their metadata from one source, whether the packages were built by Google or not.
  • Support for Amazon Web Services (AWS) account access.

The paid tier lets you integrate Assured OSS with Security Command Center Enterprise. It includes the following:

  • Python and Java open-source packages in curated repositories.
  • JavaScript open-source packages in a canonical repository.
  • Automated setup as part of the Security Command Center Enterprise activation process.
  • Curated repositories created in a project that you specify.
  • Universal package metadata that is collected and signed by Google. This metadata provides information about the package build, any vulnerabilities, and package health. The package health information is only available for packages that are built by Google.

For more information about Security Command Center Enterprise pricing, see Pricing for the Enterprise tier.

Software Delivery Shield

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.
