Skip to content

🥑 Inspect and understand an organization's software supply chain that enables stakeholders to make actionable decisions about software supply chain security

License

Notifications You must be signed in to change notification settings

sozercan/guac-ai-mole

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🥑 Guac-AI-Mole

Guac-AI-Mole is a large language model (LLM) powered tool to inspect and understand an organization's software supply chain. It uses LLM models, such as OpenAI GPT-4, and GUAC to query and analyze the secure supply chain artifacts, such as Software Bill of Materials (SBOM), to make actionable decisions.

🧪 This is a hackathon project. Do not use in production.

Demo

Demo will provide samples questions and answers generated by Guac-AI-Mole!

These answers are pre-generated and cached for faster response times and to avoid needing API access. You can try out your own questions and answers by setting up the app locally.

Video

Video

Development Setup

Pre-requisites

Populate registry with sample images and attached SBOMs as OCI referrers artifacts

  • Download and copy ORAS and Syft to your $PATH
  • Login to your registry (make sure to have push access) and run export REGISTRY=<registry name i.e., myregistry.io> to set your registry
  • Run scripts/populate-registry.sh to populate the registry with sample images and attached SBOMs as OCI referrers artifacts
  • You can verify the attached SBOMS by using oras discover. For example,
$ oras discover ${REGISTRY}/vul-image:latest
Discovered 1 artifact referencing latest
Digest: sha256:b6f1a6e034d40c240f1d8b0a3f5481aa0a315009f5ac72f736502939419c1855

Artifact Type           Digest
application/spdx+json   sha256:5479d40d5d27025ab4eda699e91961fc0537def2ffe850e2c19172b41eb72ca7

Ingesting SBOMs from OCI referrers to GUAC

  • Run guacone collect registry ${REGISTRY} to ingest the SBOMs from OCI referrers to GUAC. This will automatically ingest the SBOMs from the OCI referrers to GUAC.

Run the app

  • Install python dependencies with pip install -r requirements.txt
  • Run streamlit run app.py to start the Streamlit app (add --logger.level=debug for debug logs)
  • Navigate to app URL (default: http://localhost:8501)
  • Set up Open AI API-compatible (OpenAI, Azure OpenAI, LocalAI) API Key, endpoint and deployment name in the sidebar on the left
    • Alternatively, set OPENAI_API_KEY, OPENAI_API_ENDPOINT and OPENAI_API_MODEL environment variables
  • Set up GUAC GraphQL endpoint in the sidebar on the left (default: http://localhost:8080/query). This URL must be accessible from the app.
    • Alternatively, set GUAC_GRAPHQL_ENDPOINT environment variable

About

🥑 Inspect and understand an organization's software supply chain that enables stakeholders to make actionable decisions about software supply chain security

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published