Deploy GUAC using the Docker Compose or Kubernetes manifests from the GUAC repository; the deployment includes the ingestion service (guacone), the GraphQL server, and a backing store (verify current default storage options in GUAC docs).
Ingest a CycloneDX or SPDX SBOM using the guacone collect files command pointing at a local SBOM file, or configure a collector to watch an S3 bucket or OCI registry for new SBOMs.
Ingest in-toto attestations (SLSA provenance, VEX) through the same guacone mechanism; GUAC parses the predicate type and populates the graph accordingly.
Query the GUAC GraphQL endpoint (default at localhost:8080/query) to find packages, their dependencies, and their associated vulnerabilities or provenance using queries such as packages, hasSBOM, hasSLSA, and isVulnerable.
Use GUAC's certifyBad or certifyGood GraphQL mutations (or the CLI equivalents) to tag known-bad packages and propagate that information across the dependency graph for downstream impact analysis.
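The downstream impact analysis from the last step, as an added example (not GUAC project code): it posts a GraphQL query to the default endpoint named above, then walks IsDependency edges in reverse to list every package that transitively depends on a package you have tagged with certifyBad. The IsDependency field names (package, dependencyPackage) are assumed from the GUAC schema at time of writing and must be checked against your deployed version; SAMPLE_EDGES is constructed data so the walk can be exercised offline.

```python
import json
import urllib.request
from collections import deque

GUAC_URL = "http://localhost:8080/query"  # default GraphQL endpoint named on the page
# Field names assumed from the GUAC schema at time of writing; verify against your deployed schema.
IS_DEPENDENCY_QUERY = """query { IsDependency(isDependencySpec: {}) {
  package { type namespaces { namespace names { name } } }
  dependencyPackage { type namespaces { namespace names { name } } } } }"""

def post_graphql(query, url=GUAC_URL):
    """POST a GraphQL query to GUAC and return the 'data' object (raises on GraphQL errors)."""
    req = urllib.request.Request(url, data=json.dumps({"query": query}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]

def pkg_name(node):
    """Flatten a single-path GUAC package tree into 'type/namespace/name'."""
    ns = node["namespaces"][0]
    return f'{node["type"]}/{ns["namespace"]}/{ns["names"][0]["name"]}'

def downstream_impact(bad_pkg, edges):
    """All packages that transitively depend on bad_pkg: BFS over reversed IsDependency edges."""
    rev = {}  # dependency -> set of packages that declare it as a dependency
    for e in edges:
        rev.setdefault(pkg_name(e["dependencyPackage"]), set()).add(pkg_name(e["package"]))
    seen, queue = set(), deque([bad_pkg])
    while queue:
        for parent in rev.get(queue.popleft(), ()):
            if parent not in seen:  # the seen-set also terminates on dependency cycles
                seen.add(parent)
                queue.append(parent)
    return seen

def live_impact(bad_pkg, url=GUAC_URL):
    """Fetch IsDependency edges from a running GUAC server and compute the impact set."""
    return downstream_impact(bad_pkg, post_graphql(IS_DEPENDENCY_QUERY, url)["IsDependency"])

def _pkg(ptype, namespace, name):
    """Constructed sample node in the shape GUAC returns (not real server output)."""
    return {"type": ptype, "namespaces": [{"namespace": namespace, "names": [{"name": name}]}]}

# Constructed sample graph (not real server output): app -> lib -> badlib, other -> app
_DEPS = [("app", "lib"), ("lib", "badlib"), ("other", "app"), ("unrelated", "lib2")]
SAMPLE_EDGES = [{"package": _pkg("maven", "com.example", a),
                 "dependencyPackage": _pkg("maven", "com.example", b)} for a, b in _DEPS]
```

Against a live server, `live_impact("maven/com.example/badlib")` returns the same set for the real graph; the query above fetches every IsDependency edge, so scope it with a non-empty isDependencySpec on large deployments.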
Known gotchas
GUAC's data model is graph-based; understanding the node types (Package, Source, Artifact, Builder) and edge types (HasSBOM, HasSLSA, IsDependency) is necessary before writing useful queries.
GUAC is under active development; the GraphQL schema, CLI subcommands, and deployment configuration change frequently, so consult the GUAC documentation that matches the version you have deployed.
Large SBOM ingestion can be slow if done synchronously; use GUAC's pubsub-based ingestion pipeline for bulk ingestion to avoid timeouts.