ritz303 / trustification

This project forked from trustification/trustification

Services for storing and searching information about software content and vulnerabilities

License: Apache License 2.0

Shell 0.62% Rust 96.26% HTML 0.13% Dockerfile 0.05% SCSS 0.15% Smarty 2.59% Makefile 0.07% JavaScript 0.08% TypeScript 0.05%

Trustification

Trustification is a collection of software that allows you to store software bills of materials (SBOM) and vulnerability information (VEX) for your organization, and to use that information to learn the impact of vulnerabilities and dependency changes.

With Trustification you can:

  • Store SBOM and VEX documents for your company software and their dependencies.
  • Discover and learn the state of vulnerabilities related to your software.
  • Explore SBOM and VEX documents using search queries.
  • Share access to your SBOM and VEX information with others.

Trustification consists of a set of services you can use standalone or together:

  • Bombastic - Storage and archival of SBOM documents.
  • Vexination - Storage and archival of VEX documents.
  • V11y - Storage and lookup of information about a vulnerability.
  • Collectorist - A process that drives polling and populating of GUAC and V11y.
  • Spog - Single Pane Of Glass API and frontend.

Services such as Bombastic and Vexination use S3-compatible storage for storing SBOM/VEX data and a search index. The search index is used to query data using the sikula query language.

Have a look at the README file for each service for more detailed information on how they work.

Usage

You can try out a publicly hosted trustification instance at https://trustification.dev. This instance is ingested with Red Hat security advisories and SBOMs for Red Hat products only.

Running locally

Prerequisite: an implementation of the Compose Spec such as Docker Desktop or podman-compose. For the latter, v1.0.6 or higher is required.

To start all dependencies and trustification components:

On Linux systems only, first set the SELinux volume options:

export SELINUX_VOLUME_OPTIONS=':Z'

Then, on any system:

cd deploy/compose
podman-compose -f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml -f compose-walkers.yaml up

If you'd like to run a specific release, edit the .env file in that directory and set TRUST_VERSION to the desired release label.

This will start MinIO and Kafka for object storage and eventing and then run all the trustification services. It will also start to ingest data from Red Hat sources automatically. You should be able to open the UI by pointing your browser to http://localhost:8084.

You can also run all of the trustification services via a single binary named trust or using the container image ghcr.io/trustification/trust.

You can also try out the publicly hosted instance at https://trustification.dev.

Running in production

There is a helm chart that you can use to deploy all Trustification services. See this file for an example deployment that is used for the staging.trustification.dev environment.

The helm chart assumes that infrastructure such as Kafka/SQS and S3 is managed externally and that access credentials are injected into secrets as specified in the chart configuration.

Developing

See DEVELOPMENT for running the different components while developing.

Building

To build all trustification components:

cargo build

To use containers to build and package:

podman build -t trust -f Containerfile .
