Guac-AI-Mole is a large language model (LLM) powered tool to inspect and understand an organization's software supply chain. It uses LLM models, such as OpenAI GPT-4, and GUAC to query and analyze the secure supply chain artifacts, such as Software Bill of Materials (SBOM), to make actionable decisions.
🧪 This is a hackathon project. Do not use in production.
Demo will provide samples questions and answers generated by Guac-AI-Mole!
These answers are pre-generated and cached for faster response times and to avoid needing API access. You can try out your own questions and answers by setting up the app locally.
- Install and run GUAC using the main branch. It is working as of this commit.
- Install Steamlit
- OpenAI, Azure OpenAI, or LocalAI API access (tested and recommended to use with gpt-4-32k-0613and later models)
- Download and copy ORAS and Syft to your $PATH
- Login to your registry (make sure to have push access) and run export REGISTRY=<registry name i.e., myregistry.io>to set your registry
- Run scripts/populate-registry.shto populate the registry with sample images and attached SBOMs as OCI referrers artifacts
- You can verify the attached SBOMS by using oras discover. For example,
$ oras discover ${REGISTRY}/vul-image:latest
Discovered 1 artifact referencing latest
Digest: sha256:b6f1a6e034d40c240f1d8b0a3f5481aa0a315009f5ac72f736502939419c1855
Artifact Type           Digest
application/spdx+json   sha256:5479d40d5d27025ab4eda699e91961fc0537def2ffe850e2c19172b41eb72ca7- Run guacone collect registry ${REGISTRY}to ingest the SBOMs from OCI referrers to GUAC. This will automatically ingest the SBOMs from the OCI referrers to GUAC.
- Install python dependencies with pip install -r requirements.txt
- Run streamlit run app.pyto start the Streamlit app (add--logger.level=debugfor debug logs)
- Navigate to app URL (default: http://localhost:8501)
- Set up Open AI API-compatible (OpenAI, Azure OpenAI, LocalAI) API Key, endpoint and deployment name in the sidebar on the left
- Alternatively, set OPENAI_API_KEY,OPENAI_API_ENDPOINTandOPENAI_API_MODELenvironment variables
 
- Alternatively, set 
- Set up GUAC GraphQL endpoint in the sidebar on the left (default: http://localhost:8080/query). This URL must be accessible from the app.
- Alternatively, set GUAC_GRAPHQL_ENDPOINTenvironment variable
 
- Alternatively, set 
