korallin / scq

Supply Chain Query Tool

scq

This is a Supply Chain Query tool intended to query datastores containing attestations, SBOMs, and other supply chain metadata and build a graph that can be queried.

This is currently a POC. It is being tested by storing attestations in MongoDB, so testing relies on MongoDB.

Right now the way you would test it out is:

go build
./scq test testdata/
cat testdata/foo.json | jq '.subject[0].digest.sha256' | xargs -I{} ./scq graph --hash {} | jq | less

The above commands store the test data in MongoDB and then generate a graph based on the hash from the foo.json test attestation. The tool recursively queries MongoDB until it can't find any more attestations to follow.
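
The recursive lookup described above, as an added Go example that is not scq's own code. It assumes in-toto statements whose edges are the `predicate.materials` digests and uses an in-memory map in place of MongoDB; `Graph`, the type names and the sample digests are hypothetical.

```go
package main

import "encoding/json"
import "os"

type Artifact struct{ Digest map[string]string } // in-toto fields the walk needs
type Statement struct {
	Subject   []Artifact
	Predicate struct{ Materials []Artifact } // assumed source of graph edges
}
type Node struct {
	Hash      string
	Attested  bool    // false: no attestation stored for this digest
	Materials []*Node `json:",omitempty"`
}
// Constructed data: aaa is built from bbb and ccc; bbb points back at aaa (a cycle).
const Sample = `[{"subject":[{"digest":{"sha256":"aaa"}}],"predicate":{"materials":[{"digest":{"sha256":"bbb"}},{"digest":{"sha256":"ccc"}}]}},
 {"subject":[{"digest":{"sha256":"bbb"}}],"predicate":{"materials":[{"digest":{"sha256":"aaa"}}]}}]`

// Graph indexes statements by subject sha256 (stand-in for the MongoDB lookup), then walks materials.
func Graph(doc, hash string) (*Node, error) {
	var sts []Statement
	if err := json.Unmarshal([]byte(doc), &sts); err != nil {
		return nil, err
	}
	bySubject := map[string]Statement{}
	for _, st := range sts {
		for _, sub := range st.Subject {
			bySubject[sub.Digest["sha256"]] = st
		}
	}
	seen := map[string]bool{} // stops cycles and repeated expansion
	var walk func(h string) *Node
	walk = func(h string) *Node {
		st, ok := bySubject[h]
		n := &Node{Hash: h, Attested: ok}
		if ok && !seen[h] {
			seen[h] = true
			for _, m := range st.Predicate.Materials {
				n.Materials = append(n.Materials, walk(m.Digest["sha256"]))
			}
		}
		return n
	}
	return walk(hash), nil
}

func main() {
	g, _ := Graph(Sample, "aaa")
	json.NewEncoder(os.Stdout).Encode(g)
}
```

A leaf with `Attested` set to false marks where the provenance chain ends without a stored attestation, which is the point a reviewer would want to inspect.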

License:Apache License 2.0


Languages

Language:Go 100.0%