Supply Chain Briefing — Google Cloud Launches Assured OSS
Google Cloud introduced the Assured Open Source Software service on April 12, 2022, providing curated, vulnerability-scanned open source packages with Google-signed provenance for enterprise use.
Executive briefing: Google Cloud launched Assured Open Source Software (Assured OSS) on April 12, 2022. The managed repository supplies vetted versions of popular OSS packages that mirror Google production usage and include security attestations.
Key features
- Curated packages. Google publishes deterministic builds of critical OSS components such as TensorFlow, Pandas, and Angular.
- Security scanning. Packages undergo fuzzing, static analysis, and vulnerability remediation before release.
- Provenance artifacts. Each package ships with SLSA-compliant attestations and is signed by Google, so consumers can verify which build pipeline produced it.
Implementation guidance
- Repository integration. Configure artifact proxies or artifact registries to trust Google-signed packages and fall back to upstream mirrors as needed.
- Policy enforcement. Update supply-chain policies to prefer Assured OSS artifacts for critical libraries and log deviations.
- Risk reporting. Incorporate provenance attestations into SBOM workflows and customer due diligence packages.
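To make the provenance and policy points above concrete, here is an added example (not Google's code or tooling) of a policy check that a registry proxy or CI gate could run over a package and its SLSA provenance statement: it confirms the attested subject digest matches the downloaded artifact, that the builder identity is on an allowlist, and that source materials are recorded, returning any deviations for logging. The attestation, artifact bytes and builder id are constructed placeholders, and the example assumes the DSSE envelope signature has already been verified separately (for instance with cosign).

```python
import hashlib

# Constructed in-toto Statement in SLSA provenance form, for illustration only.
# Real Assured OSS attestations are signed by Google inside a DSSE envelope; this
# example assumes that signature was already verified and checks only the
# statement's contents against local supply-chain policy.
EXPECTED_BUILDER_IDS = {"https://example.invalid/assured-oss-builder"}  # placeholder id
ARTIFACT = b"constructed stand-in for a downloaded wheel"
ARTIFACT_NAME = "example-1.0.0-py3-none-any.whl"

ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": ARTIFACT_NAME,
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://example.invalid/assured-oss-builder"},
                  "buildType": "https://example.invalid/build",
                  "materials": [{"uri": "git+https://github.com/example/example",
                                 "digest": {"sha1": "0" * 40}}]},
}


def check_provenance(statement: dict, artifact: bytes, name: str,
                     allowed_builders: set) -> list:
    """Return policy deviations for an artifact; an empty list means it is accepted."""
    deviations = []
    if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        deviations.append("predicateType is not SLSA provenance")
    # The subject digest in the attestation must match what was actually downloaded.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s["name"]: s["digest"].get("sha256") for s in statement.get("subject", [])}
    if subjects.get(name) != digest:
        deviations.append(f"subject digest mismatch for {name}")
    # Only builds from the builder identities the policy trusts are accepted.
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in allowed_builders:
        deviations.append(f"builder {builder!r} not in allowlist")
    if not statement.get("predicate", {}).get("materials"):
        deviations.append("no source materials recorded")
    return deviations


if __name__ == "__main__":
    for problem in check_provenance(ATTESTATION, ARTIFACT, ARTIFACT_NAME, EXPECTED_BUILDER_IDS):
        print("DEVIATION:", problem)  # route these into the deviation log
```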
Enablement moves
- Collaborate with security champions to prioritize migration for high-risk dependencies.
- Automate dependency updates using Renovate or Dependabot configured to target Assured OSS versions.
- Track coverage expansion as Google adds new language ecosystems and integrates with Cloud Build.