Assured Open Source Software
Help reduce the risk to your software supply chain by using the same OSS packages that Google uses and secures in your own developer workflows.
Obtain your OSS packages from a trusted and known supplier
Know more about your ingredients from Assured SBOMs, provided in industry standard formats
Reduce risk with Google actively finding and fixing vulnerabilities in packages
Increase confidence in the integrity of the packages through signed, tamper-evident provenance
Choose from 2500+ curated Java and Python packages including ML/AI projects like TensorFlow
Benefits
Improve security
Leverage Google’s end-to-end capabilities and expertise to address the emerging threats to the software supply chain.
Increase efficiency
Reduce the need for your DevOps teams to establish and operate OSS security workflows.
Address compliance
Accelerate your business’s ability to meet new software supply chain security regulatory requirements.
Key features
Key features
SLSA-2 compliant builds
Packages are built with Cloud Build, including evidence of verifiable SLSA-compliance. We provide three levels of package assurance: level 1, built and signed by Google, level 2, securely built from vetted sources, and attested to all transitive dependencies, and level 3, including transitive closure of all dependencies and continuously scanned and fuzzed.
Enriched metadata in standard formats
SBOMs for each package come with enriched metadata including Cloud Build, Artifact Analysis, package health, and vulnerability impact data, provided in SPDX and VEX formats.
Fuzzing and vulnerability testing
Packages include OSV data and are regularly scanned, analyzed, and fuzz-tested for vulnerabilities.
Verifiable integrity and provenance plus secured distribution
Packages and metadata include end-to-end provenance of how the packages were built and tested.
Signed versions of the packages and their metadata are distributed from a Google-managed, secured, and protected Artifact Registry.
Ongoing portfolio expansion
New packages are added on an ongoing basis based on the open source projects that impact our customers.
Citi has been an advocate and active leader in the industry's efforts to secure enterprise software supply chains. Both Citi and Google see untrusted and unverified open source dependencies as a key risk vector. This is why we’ve been excited to be an early adopter of Google Cloud's new Assured OSS product. It can help reduce risk and protect OSS components commonly used by enterprises like us.
Jon Meadows, Managing Director, Citi Tech Fellow - Cyber Security
What's new
Recommended reading
Documentation
Documentation
Get started
Start using Assured OSS by getting a service account, enabling the service, and then validating the connection.
Supported Java and Python packages
View all the current packages supported in the Assured OSS portfolio.
Connect Assured OSS to your CI/CD pipeline
Get options and instructions to integrate Assured OSS with popular repository managers Artifact Registry, Artifactory, and Nexus; or directly to your config scripts.
Review the enriched metadata
Access key metadata including SPDX, VEX, package health, and license information.
Software Delivery Shield
Enhance software supply chain security across the entire SDLC—from development, supply, and CI/CD to runtimes—with our fully managed, end-to-end solution.
Protect your software supply chain
Learn best practices that help protect your software across processes and systems in your software supply chain.
Not seeing what you’re looking for?
Pricing
Pricing
Assured OSS is available at no cost.
Take the next step
Start building on Google Cloud with $300 in free credits and 20+ always free products.
Need help getting started?
Contact salesWork with a trusted partner
Find a partnerContinue browsing
See all products
