software-composition-analysis

There are 20 repositories under software-composition-analysis topic.

jeremylong / DependencyCheck
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
security-audit build-tool maven-plugin jenkins-plugin gradle-plugin vulnerability-detection security ant-task software-composition-analysis
Language:Java 5863
RetireJS / retire.js
scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
vulnerabilities scanner firefox-extension grunt-plugins javascript vulnerable-libraries insecure-libraries chrome-extension build-tool security software-composition-analysis sbom sbom-generator sbom-tool
Language:JavaScript 3507
dependency-track
DependencyTrack / dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
owasp appsec security bom vulnerabilities component-analysis nvd software-security software-composition-analysis sca bill-of-materials vulndb package-url purl vulnerability-detection ossindex sbom devsecops security-automation cyclonedx
Language:Java 2315
nexB / scancode-toolkit
:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
license copyright packages dependencies spdx provenance license-scan copyright-scan licensing spdx-licenses open-source-licensing oss-compliance license-checking software-composition-analysis purl package-url sbom sca cyclonedx dependency-graph
Language:Python 1971
murphysecurity / murphysec
An open source tool focused on software supply chain security. 墨菲安全专注于软件供应链安全，具备专业的软件成分分析（SCA）、漏洞检测、专业漏洞库。
security scanner dependency vulnerability-detection software-supply-chain sca software-composition-analysis codescan
Language:Go 1569
lunasec-io / lunasec
LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
tokenization web-security compliance security soc2 pci-dss gdpr zero-trust devsecops log4shell dependency-analysis scanning cybersecurity security-tools scanning-tool cve-scanning sbom sbom-generator continuous-delivery software-composition-analysis
Language:TypeScript 1405
XmirrorSecurity / OpenSCA-cli
OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community.
sca devsecops security sbom software-bill-of-materials software-composition-analysis software-supply-chain software-supply-chain-security static-analysis vulnerabilities license-compliance cyclonedx spdx swid
Language:Go 997
tern-tools / tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
python containers oss-compliance sbom docker compliance spdx tool dependencies software-composition-analysis risk-management open-source supply-chain-security metadata-extraction
Language:Python 930
microsoft / component-detection
Scans your project to determine what components you use
static-analysis dependencies package-management software-composition-analysis sbom software-bill-of-materials hacktoberfest
Language:C# 373
albuch / sbt-dependency-check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:
sbt sbt-plugin owasp-dependencycheck cve scala vulnerabilities nvd appsec software-security security owasp static-analysis vulnerability-scanners software-composition-analysis security-automation security-audit devsecops infosec devops
Language:Scala 260
bureado / awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
reproducible-builds supply-chain-security devsecops vulnerability-scanning security-vulnerability vulnerability-management supply-chain-attacks sbom package-management dependency-management static-analysis software-composition-analysis oss-compliance software-supply-chain software-supply-chain-security dependencies cve-scanning attestation awesome-list
251
stevespringett / nist-data-mirror
A simple Java command-line utility to mirror the CVE JSON data from NIST.
appsec nvd software-security nist cpe cve java software-composition-analysis sca
Language:Java 206
vet
safedep / vet
Tool to achieve policy driven vetting of open source dependencies
devsecops security supply-chain-security policy-as-code software-composition-analysis
Language:Go 173
nexB / scancode.io
ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ Google Summer of Code, nexB and others generous sponsors!
sca software-composition-analysis open-source license scancode docker virtual-machine cyclonedx package-url purl spdx vulnerabilities foss-compliance
Language:Python 88
hysnsec / awesome-sca
A curated list of Software Component Analysis (SCA) books, courses - free and paid, videos, tools, and tutorials.
sca practical-devsecops component-analysis snyk vulnerability-databases software-composition-analysis
86
pmckeown / dependency-track-maven-plugin
Maven plugin that integrates with a Dependency Track server to submit dependency manifests and optionally fail execution when vulnerable dependencies are found.
owasp dependency-track security-software component-analysis software-composition-analysis maven-plugin java devsecops maven-lifecycle bom-upload pom
Language:Java 59
opossum-tool / OpossumUI
A light-weight app to audit and inventory large codebases for open source license compliance.
spdx package-dependency remediation license-scan copyright-scan software-composition-analysis codescan oss-compliance software-bill-of-materials
Language:TypeScript 55
jhermann / dependency-check-py
:closed_lock_with_key: Shim to easily install OWASP dependency-check-cli into Python projects
owasp dependency-analysis security python cli-utility software-supply-chain cve-scanning vulnerability-detection security-audit software-composition-analysis
Language:Python 47
ozontech / dtrack-audit
OWASP Dependency Track API client for intergration into CI/CD pipeline
security security-tools component-analysis software-composition-analysis
Language:Go 46
stevespringett / vulndb-data-mirror
A simple Java command-line utility to mirror the entire contents of VulnDB.
appsec vulndb software-security cve java software-composition-analysis sca
Language:Java 42
scanoss / sbom-workbench
The SCANOSS SBOM Workbench graphical user interface to scan and audit your source code.
license open-source sbom sbom-generator software-composition-analysis
Language:TypeScript 39
meta-fun / awesome-software-supply-chain-security
Sharing software supply chain security open source projects
security security-tools supply-chain-security supply-chain sbom sast cicd kubernetes devops software-supply-chain software-supply-chain-security vulnerability-scanner software-composition-analysis dependency-analysis
37
scanoss / scanoss.py
The SCANOSS python package providing a simple, easy to consume library for interacting with SCANOSS APIs/Engine.
software-composition-analysis
Language:Python 23
actions-exposure
SecureStackCo / actions-exposure
A GitHub Action that scans your public web applications after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.
github-actions security actions deployment deployment-automation deployment-pipeline vulnerability-scanning vulnerability-detection web-application secrets-detection dynamic-analysis software-composition-analysis web-vulnerability-scanner web-vulnerability cloud-security cloud-security-posture-management
22
ozonru / cyclonedx-go
Creates CycloneDX Software Bill-of-Materials (SBOM) from Go projects. So you can use it with DependencyTrack to monitor security issues in 3rd party modules.
security security-tools component-analysis software-composition-analysis bill-of-materials cyclonedx bom sbom
Language:Go 20
actions-code
SecureStackCo / actions-code
A GitHub Action for using SecureStack to analyse a repository codebase for vulnerabilities in library dependencies (software composition analysis).
software-composition-analysis deployment github-actions devsecops security vulnerability-detection vulnerability-scanner deployment-pipeline deployment-automation security-automation security-tools
20
actions-all-in-one
SecureStackCo / actions-all-in-one
All of our GitHub Actions rolled into one. Or as we like to say: One GitHub Action to rule them all!
software-composition-analysis secret-scanning web-vulnerability-scanner vulnerability-detection vulnerability-scanner vulnerability-scanning devsecops devsecops-pipeline devsecops-best-practices security-automation deployment-pipeline github-actions
19
nxenon / DevSecOps
♾️ Collection of DevSecOps Notes + Resources + Courses + Tools
devsecops devsecops-best-practices sdlc secure-development devsecops-notes devsecops-resources iast sast sbom secret-management secure-coding software-bill-of-material software-composition-analysis threat-model threat-modeling static-analysis-security-testing rasp runtime-application-self-protection
16
bgnetworks / meta-dependencytrack
A Yocto meta-layer for generating CycloneDX SBOMs and automatically uploading them to Dependency Track.
dependency-track cyclonedx bitbake sbom security security-automation software-composition-analysis yocto
15
SecureStackCo / actions-log4j
A GitHub Action that scans your public web applications for log4j vulnerabilities after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.
java log4j log4j2 vulnerabilities software-composition-analysis static-analysis security devsecops security-automation security-tools github-actions java8 jre scanning log4shell log4js log4j-rce java-vulnerability vulnerability-scanner vulnerability-assessment
15
tonycch / get-dependabot-alerts-sample
Get Dependabot Alerts from a repo
dependabot software-composition-analysis software-supp dependencies
Language:JavaScript 13
Surfactant
LLNL / Surfactant
Modular framework for SBOM generation that gathers file information and analyzes dependencies
cyclonedx dependencies dependency-analysis dependency-graph python python3 sbom sbom-generator software-bill-of-materials software-composition-analysis spdx static-analysis tool hacktoberfest
Language:Python 11
blackducksoftware / kubectl-bd-xray
kubectl plugin scanning docker images for open source security and license compliance using Black Duck by Synopsys
kubectl-plugin docker image helm yaml software-composition-analysis
Language:Go 8
MetLife / VeracodeCommunitySCA
Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines.
veracode-sca security software-composition-analysis azure-devops devsecops
Language:Python 8
soarsmu / midas
MiDas: Multi-granularity Detector for Vulnerability Fixes (IEEE TSE)
large-language-models software-composition-analysis vulnerability-scanner
Language:Python 8
software-composition-analysis / fosdem-2022-devroom
Software Composition and Dependencies devroom - FOSDEM 2022
sca software-composition-analysis dependencies package-management
8

software-composition-analysis

jeremylong / DependencyCheck

RetireJS / retire.js

DependencyTrack / dependency-track

nexB / scancode-toolkit

murphysecurity / murphysec

lunasec-io / lunasec

XmirrorSecurity / OpenSCA-cli

tern-tools / tern

microsoft / component-detection

albuch / sbt-dependency-check

bureado / awesome-software-supply-chain-security

stevespringett / nist-data-mirror

safedep / vet

nexB / scancode.io

hysnsec / awesome-sca

pmckeown / dependency-track-maven-plugin

opossum-tool / OpossumUI

jhermann / dependency-check-py

ozontech / dtrack-audit

stevespringett / vulndb-data-mirror

scanoss / sbom-workbench

meta-fun / awesome-software-supply-chain-security

scanoss / scanoss.py

SecureStackCo / actions-exposure

ozonru / cyclonedx-go

SecureStackCo / actions-code

SecureStackCo / actions-all-in-one

nxenon / DevSecOps

bgnetworks / meta-dependencytrack

SecureStackCo / actions-log4j

tonycch / get-dependabot-alerts-sample

LLNL / Surfactant

blackducksoftware / kubectl-bd-xray

MetLife / VeracodeCommunitySCA

soarsmu / midas

software-composition-analysis / fosdem-2022-devroom