supply-chain-security

There are 106 repositories under supply-chain-security topic.

  • slsa-framework/slsa

    Supply-chain Levels for Software Artifacts

    Language:Shell1.5k62380213

  • guacsec/guac

    GUAC aggregates software security metadata into a high fidelity graph database.

    Language:Go1.2k42419154

  • tern-tools/tern

    Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

    Language:Python94331528187

  • owasp-dep-scan/dep-scan

    OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

    Language:Python9051414292

  • Legit-Labs/legitify

    Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets

    Language:Go721157158

  • ossillate-inc/packj

    Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

    Language:Python622102936

  • step-security/harden-runner

    Network egress filtering and runtime security for GitHub-hosted and self-hosted runners

    Language:TypeScript54079241

  • kpcyrd/rebuilderd

    Independent verification of binary packages - reproducible builds

    Language:Rust346124722

  • chainloop-dev/chainloop

    Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.

    Language:Go322928326

  • owasp-dep-scan/blint

    BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.

    Language:Python30275529

  • bureado/awesome-software-supply-chain-security

    A compilation of resources in the software supply chain security domain, with emphasis on open source

    255242525

  • step-security/secure-repo

    Orchestrate GitHub Actions Security

    Language:Go24361.1k41

  • docker/scout-cli

    Docker Scout CLI

    Language:Shell236125658

  • NodeSecure/js-x-ray

    JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.

    Language:JavaScript21144725
  • vet

    safedep/vet

    Tool to achieve policy driven vetting of open source dependencies

    Language:Go18665816

  • ckotzbauer/sbom-operator

    Catalogue all images of a Kubernetes cluster to multiple targets with Syft

    Language:Go18254125

  • boostsecurityio/poutine

    boostsecurityio/poutine

    Language:Go15883017

  • interlynk-io/sbomqs

    SBOM quality score - Quality metrics for your sboms

    Language:Go14258016

  • mbalabash/sdc-check

    Small tool to inform you about potential risks in project dependencies list

    Language:TypeScript139341

  • cugu/gocap

    List your dependencies capabilities and monitor if updates require more capabilities.

    Language:Go1302512

  • kpcyrd/sh4d0wup

    Signing-key abuse and update exploitation framework

    Language:Rust1193113

  • vishalgarg-sec/Software-Supply-Chain-Security

    A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.

    1156012

  • oracle/macaron

    Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks or check conformance to frameworks, such as SLSA.

    Language:Python110920017

  • boostsecurityio/lotp

    boostsecurityio/lotp

    Language:HTML908186

  • kpcyrd/pacman-bintrans

    Experimental binary transparency for pacman with sigstore and rekor

    Language:Rust825144

  • CycodeLabs/cimon-action

    Runtime Security Solution for your CI/CD Pipeline

    Language:JavaScript79323

  • docker/scout-action

    Docker Scout GitHub Action

    Language:JavaScript6992027
  • codetotal

    oxsecurity/codetotal

    Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.

    Language:TypeScript685258

  • mchmarny/s3cme

    Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

    Language:Go46478
  • chainalert-github-action

    Checkmarx/chainalert-github-action

    scans popular packages and alerts in cases there is suspicion of an account takeover

    Language:JavaScript408522

  • meta-fun/awesome-software-supply-chain-security

    Sharing software supply chain security open source projects

    38503

  • kpcyrd/repro-env

    Dependency lockfiles for reproducible build environments 📦🔒

    Language:Rust33504

  • mitre/hipcheck

    Automatically assess and score software repositories for supply chain risk.

    Language:Rust2812282

  • 0x2E/go-build-hijacking

    Insert payload through the program set by -toolexec. Just a toy

    Language:Go27307

  • BretFisher/container-security-steps

    Docker and Kubernetes security steps to help you create, build, test, and run safer in containers

    2660

  • kpcyrd/backseat-signed

    Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs

    Language:Rust25401