Deploy GUAC using the published Docker Compose setup from the GUAC repository, which starts the GraphQL server, ingestor, and a backend graph database.
Ingest an SBOM file using the GUAC CLI ingest command: guacone collect files --gql-addr http://localhost:8080/query ./sbom.spdx.json. GUAC normalizes entity identities and links packages.
Open the GUAC GraphQL playground at http://localhost:8080 (or your deployed endpoint) and run an exploratory query against the packages node to confirm ingestion.
Query the full dependency graph for a specific package by searching for hasSBOM nodes filtered by subject package name and version.
Cross-reference ingested packages with vulnerability data by querying certifyVuln nodes, which GUAC populates by enriching against OSV and other advisory sources.
Use the GUAC patch planner query to identify which frontier packages can be updated to resolve a specific vulnerability across the entire ingested graph.
Known gotchas
GUAC 1.0 (released June 2025) stabilized the GraphQL schema; earlier deployments used a different schema — regenerate clients after upgrading.
GUAC normalizes package identifiers using purl (Package URL) format; mismatched purl structures across different SBOM sources may cause the same package to appear as distinct nodes.
Large ingestion jobs are memory-intensive; allocate sufficient container memory and use batch ingestion rather than loading hundreds of SBOMs concurrently.
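A pre-ingestion check for the purl mismatch gotcha above, as an added example (not GUAC code): it groups purls from parsed SPDX JSON documents by a loose type/name/version key and reports packages spelled more than one way across sources. The loose key, the helper names and the sample SBOMs are assumptions constructed for illustration; GUAC's own normalization may differ.

```python
from collections import defaultdict
from urllib.parse import unquote

def purl_key(purl):
    """Loose (type, name, version) comparison key; an assumption, not GUAC's normalizer."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    # Drop subpath (#...) and qualifiers (?...), which often differ between SBOM tools.
    rest = purl[4:].split("#", 1)[0].split("?", 1)[0].strip("/")
    head, sep, tail = rest.rpartition("@")
    # An unencoded npm scope ("@angular/core") with no version is not a version split.
    if sep and head and "/" not in tail:
        path, version = head, unquote(tail)
    else:
        path, version = rest, ""
    ptype, _, name = path.partition("/")
    ptype, name = ptype.lower(), unquote(name).lower()
    if ptype == "pypi":
        name = name.replace("_", "-")  # purl spec: pypi names use "-", not "_"
    return ptype, name, version

def purls_in_spdx(doc):
    """Yield purl locators from an SPDX 2.x JSON document (already parsed)."""
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield ref["referenceLocator"]

def find_split_identities(sboms):
    """Map each loose key to {purl spelling: [sources]} when spelled more than one way."""
    seen = defaultdict(lambda: defaultdict(list))
    for source, doc in sboms.items():
        for purl in purls_in_spdx(doc):
            seen[purl_key(purl)][purl].append(source)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

def _pkg(purl):  # constructed sample package entry
    return {"externalRefs": [{"referenceType": "purl", "referenceLocator": purl}]}

# Constructed sample SBOMs, as two different generators might emit them.
SBOMS = {
    "tool-a.spdx.json": {"packages": [_pkg("pkg:npm/%40angular/core@16.2.0"),
                                      _pkg("pkg:pypi/requests@2.31.0")]},
    "tool-b.spdx.json": {"packages": [_pkg("pkg:npm/@angular/core@16.2.0"),
                                      _pkg("pkg:pypi/Requests@2.31.0?extension=tar.gz"),
                                      _pkg("pkg:golang/github.com/guacsec/guac@v1.0.0")]},
}

if __name__ == "__main__":
    print(find_split_identities(SBOMS))
```

Any key it reports is a candidate for appearing as distinct nodes after ingestion and is worth reconciling at the SBOM generator before loading.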