Building software at scale requires strong governance of the software supply chain, and strong governance requires good data. This BoF will be a discussion around the recently launched Grafeas ("scribe") open source project (see grafeas.io), whose goal is to provide organizations with a central source of truth for tracking artifacts and enforcing policies across an ever growing set of software development teams and pipelines. Part of the Grafeas project is Kritis ("judge"), a Kubernetes policy engine that lets organizations do real-time enforcement of container properties at deploy time for Kubernetes clusters. To kick off the discussion, Google and other Grafeas collaborators will give an overview of the Grafeas project.