supply-chain-security
There are 5 repositories under supply-chain-security topic.
- Language:Shell 1418
- Language:Go 1174
tern-tools / tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Language:Python 930Legit-Labs / legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Language:Go 706owasp-dep-scan / dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
Language:Python 697ossillate-inc / packj
Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
Language:Python 614step-security / harden-runner
Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
Language:TypeScript 488kpcyrd / rebuilderd
Independent verification of binary packages - reproducible builds
Language:Rust 344chainloop-dev / chainloop
Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.
Language:Go 303bureado / awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
reproducible-buildssupply-chain-securitydevsecopsvulnerability-scanningsecurity-vulnerabilityvulnerability-managementsupply-chain-attackssbompackage-managementdependency-managementstatic-analysissoftware-composition-analysisoss-compliancesoftware-supply-chainsoftware-supply-chain-securitydependenciescve-scanningattestationawesome-listOrchestrate GitHub Actions Security
Language:Go 234- Language:Shell 202
NodeSecure / js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
Language:JavaScript 196ckotzbauer / sbom-operator
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
Language:Go 179- vetLanguage:Go 173
- Language:TypeScript 138
- Language:Go 130
interlynk-io / sbomqs
SBOM quality score - Quality metrics for your sboms
Language:Go 130- Language:Rust 118
vishalgarg-sec / Software-Supply-Chain-Security
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
oracle / macaron
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks or check conformance to frameworks, such as SLSA.
Language:Python 106Experimental binary transparency for pacman with sigstore and rekor
Language:Rust 83- Language:HTML 78
CycodeLabs / cimon-action
Runtime Security Solution for your CI/CD Pipeline
Language:JavaScript 72- codetotal
oxsecurity / codetotal
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
Language:TypeScript 67 - Language:JavaScript 60
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
Language:Python 60mchmarny / s3cme
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
Language:Go 46- chainalert-github-action
Checkmarx / chainalert-github-action
scans popular packages and alerts in cases there is suspicion of an account takeover
Language:JavaScript 40 meta-fun / awesome-software-supply-chain-security
Sharing software supply chain security open source projects
- Language:Rust 33
0x2E / go-build-hijacking
Insert payload through the program set by -toolexec. Just a toy
Language:Go 26BretFisher / container-security-steps
Docker and Kubernetes security steps to help you create, build, test, and run safer in containers
boostsecurityio / poutine
boostsecurityio/poutine
Language:Go 25Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs
Language:Rust 25testifysec / solarsploit
Red team tool that emulates the SolarWinds CI compromise attack vector.
Language:Go 22
