supply-chain-security

There are 9 repositories under supply-chain-security topic.

slsa-framework / slsa
Supply-chain Levels for Software Artifacts
devops security supply-chain-security
Language:Shell 1618
guacsec / guac
GUAC aggregates software security metadata into a high fidelity graph database.
attestations cyclonedx cyclonedx-sbom graph in-toto sbom security slsa software-supply-chain software-supply-chain-security spdx spdx-sbom supply-chain supply-chain-analytics supply-chain-security supply-chain-visibility vex vulnerability vulnerability-management
Language:Go 1335
owasp-dep-scan / dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
vulnerability-scanners cve dependency-analysis risk-audit containers sbom sca dependency-audit compliance cyclonedx devsecops security-audit security-tools vex reachability-analysis supply-chain-security
Language:Python 1071
tern-tools / tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
python containers oss-compliance sbom docker compliance spdx tool dependencies software-composition-analysis risk-management open-source supply-chain-security metadata-extraction
Language:Python 977
Legit-Labs / legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
supply-chain-security security-scanner sdlc-security devops security devsecops ci github gitlab golang
Language:Go 796
bitbomdev / minefield
Graphing SBOM's Fast.
graph roaring-bitmaps sbom supply-chain-security airgap ai llm
Language:Go 717
step-security / harden-runner
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
actions egress-filtering github-actions hardening network-security runners runtime-security security-hardening supply-chain-security
Language:TypeScript 681
ossillate-inc / packj
Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
malware npm pypi python security security-audit security-tools vulnerability rubygems supply-chain-security malware-analysis static-analysis vulnerability-scanners dynamic-analysis sandboxing devops developer-tools devops-tools devsecops supply-chain
Language:Python 661
chainloop-dev / chainloop
Evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
attestation compliance cyclonedx devsecops in-toto license metadata-platform open-source-licensing ospo oss-compliance regulated-industry sbom sbom-discovery sbom-distribution security slsa slsa-provenance spdx supply-chain-security
Language:Go 391
kpcyrd / rebuilderd
Independent verification of binary packages - Reproducible Builds
rebuilder reproducible-builds rust security-tools supply-chain supply-chain-security
Language:Rust 373
docker / scout-cli
Docker Scout CLI
docker security supply-chain-security
Language:Shell 372
owasp-dep-scan / blint
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
binary fuzzing malware cyclonedx sbom supply-chain-analytics supply-chain-security depscan
Language:Python 357
bureado / awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
reproducible-builds supply-chain-security devsecops vulnerability-scanning security-vulnerability vulnerability-management supply-chain-attacks sbom package-management dependency-management static-analysis software-composition-analysis oss-compliance software-supply-chain software-supply-chain-security dependencies cve-scanning attestation awesome-list
309
buildsafedev / bsf
Developer-centric tool to secure your software supply chain.
hacktoberfest nix reproducibility slsa supply-chain-security
Language:Go 287
vet
safedep / vet
Policy driven vetting of open source packages with malicious code analysis
devsecops security supply-chain-security policy-as-code software-composition-analysis
Language:Go 278
step-security / secure-repo
Orchestrate GitHub Actions Security
security github-actions workflow actions github golang supply-chain-security security-tools
Language:Go 276
boostsecurityio / poutine
boostsecurityio/poutine
ci cli devops devsecops gh-extension github github-actions golang security security-scanner supply-chain supply-chain-security
Language:Go 258
NodeSecure / js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
security security-tools security-audit ast-analysis ast javascript nodejs sast supply-chain-security
Language:JavaScript 237
ckotzbauer / sbom-operator
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
sbom kubernetes k8s operator supply-chain-security
Language:Go 198
interlynk-io / sbomqs
SBOM quality score - Quality metrics for your sboms
golang cyclonedx spdx sbom sbom-examples sbom-tool go sbom-quality sbom-score sbom-samples devsecops-pipeline security-tools supply-chain-security
Language:Go 195
PRevent
apiiro / PRevent
Prevent merging of malicious code in pull requests
block-merging cicd-security cloud-security code-integrity code-security dynamic-execution github-app malicious-code malware-detection obfuscation opengrep pull-request security-review security-rules security-scan security-tools semgrep semgrep-rules static-analysis supply-chain-security
Language:Python 190
oracle / macaron
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
sbom slsa supply-chain-security build-system cicd integrity-protection malware-detection docker gradle malware-analysis maven npm python
Language:Python 146
mbalabash / sdc-check
Small tool to inform you about potential risks in project dependencies list
npm security audit supply-chain-security
Language:TypeScript 142
cugu / gocap
List your dependencies capabilities and monitor if updates require more capabilities.
go supply-chain-security supply-chain-attacks
Language:Go 132
vishalgarg-sec / Software-Supply-Chain-Security
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
open-source-security openssf sbom software-supply-chain-security software-transparency supply-chain-attacks supply-chain-security software-bill-of-material attestations cncf dependency-management owasp slsa software-security vex vulnerability-management
131
kpcyrd / sh4d0wup
Signing-key abuse and update exploitation framework
exploitation hacking penetration-testing redteaming supply-chain-security backdoor-factory
Language:Rust 123
boostsecurityio / lotp
boostsecurityio/lotp
lotp supply-chain-security living-off-the-pipeline
Language:HTML 113
mchmarny / s3cme
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
attestation oidc provenance sbom slsa supply-chain-security vulnerability cosine
Language:Go 104
docker / scout-action
Docker Scout GitHub Action
docker security github-actions supply-chain-security
Language:JavaScript 103
mitre / hipcheck
Automatically assess and score software repositories for supply chain risk.
supply-chain-security
Language:Rust 102
apiiro / malicious-code-ruleset
Focused malicious code detection ruleset, with a high protection-to-noise ratio
appsec cicd-security cloud-security code-integrity code-security detection devsecops dynamic-execution malicious-code malicious-detection malware malware-detection obfuscation opengrep ruleset security security-scan semgrep semgrep-rules supply-chain-security
Language:Python 101
bomctl / bomctl
Format agnostic SBOM tooling
cyclonedx openssf sbom sbom-distribution security-tools spdx supply-chain-security
Language:Go 100
CycodeLabs / cimon-action
Runtime Security Solution for your CI/CD Pipeline
github-actions security cicd hardening security-hardening supply-chain-security ebpf linux
Language:JavaScript 96
kpcyrd / pacman-bintrans
Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
archlinux binary-transparency security supply-chain supply-chain-security
Language:Rust 85
codetotal
oxsecurity / codetotal
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
code-quality-analyzer iac megalinter sast secrets-detection security supply-chain sbom sbom-generator vulnerability-scanners supply-chain-security
Language:TypeScript 76
johnbillion / rave-wordpress
Reproduces WordPress builds and verifies that the official and unofficial packages haven't been tampered with.
supply-chain-security wordpress
48