supply-chain-security

There are 7 repositories under supply-chain-security topic.

slsa-framework / slsa
Supply-chain Levels for Software Artifacts
devops security supply-chain-security
Language:Shell 1557
guacsec / guac
GUAC aggregates software security metadata into a high fidelity graph database.
security software-supply-chain software-supply-chain-security supply-chain supply-chain-analytics supply-chain-security supply-chain-visibility
Language:Go 1290
owasp-dep-scan / dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
compliance containers cve cyclonedx dependency-analysis dependency-audit devsecops reachability-analysis risk-audit sbom sca security-audit security-tools supply-chain-security vex vulnerability-scanners
Language:Python 1019
tern-tools / tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
python containers oss-compliance sbom docker compliance spdx tool dependencies software-composition-analysis risk-management open-source supply-chain-security metadata-extraction
Language:Python 967
Legit-Labs / legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
ci devops devsecops github gitlab golang sdlc-security security security-scanner supply-chain-security
Language:Go 775
ossillate-inc / packj
Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
malware npm pypi python security security-audit security-tools vulnerability rubygems supply-chain-security malware-analysis static-analysis vulnerability-scanners dynamic-analysis sandboxing devops developer-tools devops-tools devsecops supply-chain
Language:Python 629
step-security / harden-runner
Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
actions egress-filtering github-actions hardening network-security runners runtime-security security-hardening supply-chain-security
Language:TypeScript 621
bitbomdev / minefield
Graphing SBOM's Fast.
airgap graph roaring-bitmaps sbom supply-chain-security
Language:Go 524
chainloop-dev / chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
compliance cyclonedx devsecops sbom sbom-distribution security spdx supply-chain-security metadata-platform sbom-discovery license open-source-licensing ospo oss-compliance regulated-industry attestation in-toto slsa slsa-provenance
Language:Go 375
kpcyrd / rebuilderd
Independent verification of binary packages - reproducible builds
rebuilder reproducible-builds rust security-tools supply-chain supply-chain-security
Language:Rust 356
owasp-dep-scan / blint
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
binary fuzzing malware cyclonedx sbom supply-chain-analytics supply-chain-security depscan
Language:Python 343
docker / scout-cli
Docker Scout CLI
docker security supply-chain-security
Language:Shell 325
bureado / awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
reproducible-builds supply-chain-security devsecops vulnerability-scanning security-vulnerability vulnerability-management supply-chain-attacks sbom package-management dependency-management static-analysis software-composition-analysis oss-compliance software-supply-chain software-supply-chain-security dependencies cve-scanning attestation awesome-list
291
step-security / secure-repo
Orchestrate GitHub Actions Security
actions github github-actions golang security security-tools supply-chain-security workflow
Language:Go 256
vet
safedep / vet
Tool to achieve policy driven vetting of open source dependencies
devsecops policy-as-code security software-composition-analysis supply-chain-security
Language:Go 233
boostsecurityio / poutine
boostsecurityio/poutine
ci cli devops devsecops gh-extension github github-actions golang security security-scanner supply-chain supply-chain-security
Language:Go 232
NodeSecure / js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
security security-tools security-audit ast-analysis ast javascript nodejs sast supply-chain-security
Language:JavaScript 229
ckotzbauer / sbom-operator
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
k8s kubernetes operator sbom supply-chain-security
Language:Go 194
interlynk-io / sbomqs
SBOM quality score - Quality metrics for your sboms
cyclonedx devsecops-pipeline go golang sbom sbom-examples sbom-quality sbom-samples sbom-score sbom-tool security-tools spdx supply-chain-security
Language:Go 186
mbalabash / sdc-check
Small tool to inform you about potential risks in project dependencies list
audit npm security supply-chain-security
Language:TypeScript 139
oracle / macaron
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
sbom slsa supply-chain-security build-system cicd integrity-protection malware-detection docker gradle malware-analysis maven npm python
Language:Python 138
cugu / gocap
List your dependencies capabilities and monitor if updates require more capabilities.
go supply-chain-attacks supply-chain-security
Language:Go 130
vishalgarg-sec / Software-Supply-Chain-Security
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
attestations cncf dependency-management open-source-security openssf owasp sbom slsa software-bill-of-material software-security software-supply-chain-security software-transparency supply-chain-attacks supply-chain-security vex vulnerability-management
126
kpcyrd / sh4d0wup
Signing-key abuse and update exploitation framework
backdoor-factory exploitation hacking penetration-testing redteaming supply-chain-security
Language:Rust 121
boostsecurityio / lotp
boostsecurityio/lotp
living-off-the-pipeline lotp supply-chain-security
Language:HTML 100
mchmarny / s3cme
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
attestation oidc provenance sbom slsa supply-chain-security vulnerability cosine
Language:Go 95
CycodeLabs / cimon-action
Runtime Security Solution for your CI/CD Pipeline
github-actions security cicd hardening security-hardening supply-chain-security ebpf linux
Language:JavaScript 88
docker / scout-action
Docker Scout GitHub Action
docker github-actions security supply-chain-security
Language:JavaScript 87
kpcyrd / pacman-bintrans
Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
archlinux binary-transparency security supply-chain supply-chain-security
Language:Rust 83
mitre / hipcheck
Automatically assess and score software repositories for supply chain risk.
supply-chain-security
Language:Rust 79
codetotal
oxsecurity / codetotal
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
code-quality-analyzer iac megalinter sast sbom sbom-generator secrets-detection security supply-chain supply-chain-security vulnerability-scanners
Language:TypeScript 73
buildsafedev / bsf
Developer-centric tool to secure your software supply chain.
nix reproducibility slsa supply-chain-security hacktoberfest
Language:Go 68
chainalert-github-action
Checkmarx / chainalert-github-action
scans popular packages and alerts in cases there is suspicion of an account takeover
supply-chain-security github-action free-service
Language:JavaScript 41
meta-fun / awesome-software-supply-chain-security
Sharing software supply chain security open source projects
security security-tools supply-chain-security supply-chain sbom sast cicd kubernetes devops software-supply-chain software-supply-chain-security vulnerability-scanner software-composition-analysis dependency-analysis
39
staex-io / cijail
CI/CD pipeline process jail that filters outgoing network traffic.
cd ci firewall jail mitm pipeline process proxy supply-chain-security
Language:Rust 36
kpcyrd / repro-env
Dependency lockfiles for reproducible build environments 📦🔒
reproducible-builds supply-chain-security release-engineering
Language:Rust 33

supply-chain-security

slsa-framework / slsa

guacsec / guac

owasp-dep-scan / dep-scan

tern-tools / tern

Legit-Labs / legitify

ossillate-inc / packj

step-security / harden-runner

bitbomdev / minefield

chainloop-dev / chainloop

kpcyrd / rebuilderd

owasp-dep-scan / blint

docker / scout-cli

bureado / awesome-software-supply-chain-security

step-security / secure-repo

safedep / vet

boostsecurityio / poutine

NodeSecure / js-x-ray

ckotzbauer / sbom-operator

interlynk-io / sbomqs

mbalabash / sdc-check

oracle / macaron

cugu / gocap

vishalgarg-sec / Software-Supply-Chain-Security

kpcyrd / sh4d0wup

boostsecurityio / lotp

mchmarny / s3cme

CycodeLabs / cimon-action

docker / scout-action

kpcyrd / pacman-bintrans

mitre / hipcheck

oxsecurity / codetotal

buildsafedev / bsf

Checkmarx / chainalert-github-action

meta-fun / awesome-software-supply-chain-security

staex-io / cijail

kpcyrd / repro-env