Repository navigation
supply-chain-security
- Website
- Wikipedia
Supply-chain Levels for Software Artifacts
GUAC aggregates software security metadata into a high fidelity graph database.
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Packj stops ⚡ Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
Protect against malicious open source packages 🤖
Evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
Independent verification of binary packages - Reproducible Builds
A compilation of resources in the software supply chain security domain, with emphasis on open source
boostsecurityio/poutine
Developer-centric tool to secure your software supply chain.
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
Prevent merging of malicious code in pull requests
sbomqs: The Comprehensive SBOM Quality & Compliance Tool