supply-chain-security
There are 106 repositories under supply-chain-security topic.
slsa-framework/slsa
Supply-chain Levels for Software Artifacts
guacsec/guac
GUAC aggregates software security metadata into a high fidelity graph database.
tern-tools/tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
owasp-dep-scan/dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
Legit-Labs/legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
ossillate-inc/packj
Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
step-security/harden-runner
Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
kpcyrd/rebuilderd
Independent verification of binary packages - reproducible builds
chainloop-dev/chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
owasp-dep-scan/blint
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
bureado/awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
step-security/secure-repo
Orchestrate GitHub Actions Security
docker/scout-cli
Docker Scout CLI
NodeSecure/js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
safedep/vet
Tool to achieve policy driven vetting of open source dependencies
ckotzbauer/sbom-operator
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
boostsecurityio/poutine
boostsecurityio/poutine
interlynk-io/sbomqs
SBOM quality score - Quality metrics for your sboms
mbalabash/sdc-check
Small tool to inform you about potential risks in project dependencies list
cugu/gocap
List your dependencies capabilities and monitor if updates require more capabilities.
kpcyrd/sh4d0wup
Signing-key abuse and update exploitation framework
vishalgarg-sec/Software-Supply-Chain-Security
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
oracle/macaron
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks or check conformance to frameworks, such as SLSA.
boostsecurityio/lotp
boostsecurityio/lotp
kpcyrd/pacman-bintrans
Experimental binary transparency for pacman with sigstore and rekor
CycodeLabs/cimon-action
Runtime Security Solution for your CI/CD Pipeline
docker/scout-action
Docker Scout GitHub Action
oxsecurity/codetotal
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
mchmarny/s3cme
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
Checkmarx/chainalert-github-action
scans popular packages and alerts in cases there is suspicion of an account takeover
meta-fun/awesome-software-supply-chain-security
Sharing software supply chain security open source projects
kpcyrd/repro-env
Dependency lockfiles for reproducible build environments 📦🔒
mitre/hipcheck
Automatically assess and score software repositories for supply chain risk.
0x2E/go-build-hijacking
Insert payload through the program set by -toolexec. Just a toy
BretFisher/container-security-steps
Docker and Kubernetes security steps to help you create, build, test, and run safer in containers
kpcyrd/backseat-signed
Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs