Overview of Assured Open Source Software

Assured Open Source Software (Assured OSS) lets you take advantage of the security
and experience that Google applies to open source software (OSS) by incorporating
the same OSS packages that Google secures and uses into your own developer
workflows.
Assured OSS lets you do the following:

- Obtain your OSS packages from a trusted and known supplier.
- Know more about package contents with Assured SBOMs that are provided in
  industry-standard formats like SPDX.
- Know about threats and the security state of a package with VEX information in
  an industry-standard format like CycloneDX.
- Reduce security risk, because Google actively scans for, finds, and fixes new
  vulnerabilities in the curated packages.
- Increase confidence in the integrity of the OSS you are using through
  signed, tamper-evident provenance.
- Choose from more than one thousand of the most popular Java and Python packages,
  including common machine learning and artificial intelligence projects like
  TensorFlow, Pandas, and Scikit-learn.

The open-source packages are built by Google in a secure manner. These packages
meet Supply-chain Levels for Software Artifacts (SLSA) level 3 requirements and
have a verifiable provenance and SBOM.
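The VEX bullet above is where a consumer decides whether a scanner finding actually needs work. The following is an added example, not code from this page or from Google: it reads a constructed CycloneDX VEX document (placeholder vulnerability IDs, a made-up `pkg:pypi/examplelib` package URL) and separates findings the supplier has marked as not affecting the package from findings that are still open.

```python
import json

# Constructed CycloneDX VEX document for illustration only; the IDs and
# package URLs are placeholders, not real advisories or Assured OSS packages.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "affects": [{"ref": "pkg:pypi/examplelib@1.2.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:pypi/examplelib@1.2.0"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-0003",
     "affects": [{"ref": "pkg:pypi/otherlib@4.0.0"}],
     "analysis": {"state": "in_triage"}}
  ]
}
"""

# CycloneDX analysis states that tell the consumer no action is needed.
SUPPRESSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
# States that still need attention; anything else (or no analysis) is unknown.
OPEN_STATES = {"exploitable", "in_triage"}


def triage_vex(vex_text: str, purl: str) -> dict:
    """Map vulnerability ID -> 'suppressed' | 'open' | 'unknown' for every
    VEX entry whose affects list names the given package URL."""
    doc = json.loads(vex_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        refs = {a.get("ref") for a in vuln.get("affects", [])}
        if purl not in refs:
            continue  # entry is about a different package
        state = vuln.get("analysis", {}).get("state")
        if state in SUPPRESSED_STATES:
            result[vuln["id"]] = "suppressed"
        elif state in OPEN_STATES:
            result[vuln["id"]] = "open"
        else:
            result[vuln["id"]] = "unknown"  # missing or unrecognised state: do not silence it
    return result


def open_vulns(vex_text: str, purl: str) -> list:
    """IDs that still need follow-up: everything not explicitly suppressed."""
    return sorted(v for v, s in triage_vex(vex_text, purl).items() if s != "suppressed")
```

A finding with no analysis block is reported as unknown rather than dropped, so an incomplete VEX cannot hide a vulnerability.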
Assured OSS tiers

Assured OSS has a free tier and a premium tier. The premium tier is
available when you purchase Security Command Center Enterprise.

The free tier includes the following:

- Python and Java open-source packages in curated repositories.
- Manual setup steps.
- Curated repositories created in a Google-managed project.
- Universal proxy endpoints for open-source packages. This proxy lets you
  download open-source packages and their metadata from one source, whether the
  packages were built by Google or not.
- Support for Amazon Web Services (AWS) account access.
The premium tier lets you integrate Assured OSS with Security Command Center
Enterprise. It includes the following:

- Python and Java open-source packages in curated repositories.
- JavaScript open-source packages in a canonical repository.
- Automated setup as part of the Security Command Center Enterprise activation process.
- Curated repositories created in a project that you specify.
- Universal package metadata that is collected and signed by Google. This
  metadata provides information about the package build, any vulnerabilities,
  and package health. The package health information is only available for
  packages that are built by Google.

For more information about Security Command Center Enterprise pricing, see
Pricing for the Enterprise tier.
Assured OSS repository options

Assured OSS packages are stored in a Google-managed Artifact Registry repository.
You can access and download the open source packages offered by Assured OSS using
one of the following methods:

- Set up a remote (also called a mirror or a proxy) repository in your
  environment to act as a proxy for the Google-managed Artifact Registry repository.
  Your developers can connect to the remote repository to download the packages.
  Use this method if you are using a repository manager like JFrog Artifactory
  or Sonatype Nexus.
- Connect to the Artifact Registry repository directly using a service account. Use
  this method if developers are using build tools like Maven, Gradle, or pip.
- Use a virtual upstream repository that acts as a single access point for your
  developers so that they can download, install, or deploy packages. In the
  premium tier, two virtual repositories are created automatically: one for Java
  packages and one for Python packages. In the free tier, you must configure a
  virtual repository yourself. You can use an Artifact Registry standard repository or
  an Artifact Registry remote repository as the upstream of your virtual repository.
The following diagram shows Assured OSS connected to a remote
repository.
Software supply chain security
Assured Open Source Software is one of the Google Cloud components you
can use to protect your software supply chain. You can use
Assured Open Source Software together with other Google Cloud products and
features to improve the security posture of developer workflows and tools,
software dependencies, CI/CD systems used to build and deploy your software,
and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn
more, see
Software supply chain security.

What's next

- To use the free tier, see Enable Assured OSS.
- To integrate with Security Command Center Enterprise, see Integrate with
  Assured OSS for code security.