{"id":19057866,"url":"https://github.com/emirhandogandemir/software-supply-chain-security-java","last_synced_at":"2025-04-24T05:30:04.114Z","repository":{"id":199435787,"uuid":"624021634","full_name":"emirhandogandemir/software-supply-chain-security-java","owner":"emirhandogandemir","description":"This repo contains the technology stack and its usage for software supply chain security of a Java application","archived":false,"fork":false,"pushed_at":"2023-12-29T06:23:15.000Z","size":203,"stargazers_count":7,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-30T07:22:01.021Z","etag":null,"topics":["cosign","dependency-scanning","helm","image-scanning","jib-maven-plugin","kyverno","sbom","sonarqube","supply-chain-security","trivy"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/emirhandogandemir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-04-05T15:20:44.000Z","updated_at":"2023-10-23T12:23:02.000Z","dependencies_parsed_at":"2023-10-20T15:30:50.003Z","dependency_job_id":null,"html_url":"https://github.com/emirhandogandemir/software-supply-chain-security-java","commit_stats":null,"previous_names":["emirhandogandemir/software-supply-chain-security-java"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emirhandogandemir%2Fsoftware-supply-chain-security-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emirhandogandemir%2Fsoftware-supply-chain-security-java/tags","releases_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emirhandogandemir%2Fsoftware-supply-chain-security-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emirhandogandemir%2Fsoftware-supply-chain-security-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/emirhandogandemir","download_url":"https://codeload.github.com/emirhandogandemir/software-supply-chain-security-java/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250571826,"owners_count":21452322,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","dependency-scanning","helm","image-scanning","jib-maven-plugin","kyverno","sbom","sonarqube","supply-chain-security","trivy"],"created_at":"2024-11-08T23:59:49.384Z","updated_at":"2025-04-24T05:30:04.085Z","avatar_url":"https://github.com/emirhandogandemir.png","language":"Java","readme":"# Software-supply-chain-security-java\nThis repo contains articles, videos, and resources on software supply chain security that I came across during my research. 
Below, you can first see the architecture of the project to be implemented and access the detailed technology stack through the links.\n\n🔗 GitHub Links\n| Project Name | Description | GitHub Link                            |\n|--------------|-------------|----------------------------------------|\n| Awesome software supply chain security      | A compilation of resources in the software supply chain security domain, with emphasis on open source | [GitHub](https://github.com/bureado/awesome-software-supply-chain-security)  |\n| ssc-reading-list      | ssc-reading-list  | [GitHub](https://github.com/chainguard-dev/ssc-reading-list)  |\n| Project 3    | Description 3 | [GitHub Project 3](https://github.com/)  |\n| Project 4    | Description 4 | [GitHub Project 4](https://github.com/)  |\n\n------------------------------------------------------------------------------\n\n🎥 Videos\n| Title        | Uploader    | Publish Date | View Count     |\n|--------------|-------------|--------------|----------------|\n| [Securing the Supply Chain for Your Java Applications By Thomas Vitale](https://youtu.be/ftPFxK8JPNM?si=SZRjqNARzj1GJaam)    | [Devoxx](https://youtube.com/@DevoxxForever?si=L_YwGLhn7japl-bb)    | 06.10.2023   | 500+          |\n| [Signing And Verifying Container Images With Sigstore Cosign And Kyverno](https://www.youtube.com/watch?v=HLb1Q086u6M\u0026t=1s)      | DevOps Toolkit     | 10.10.2022   | 5000+           |\n| Video 3      | Channel 3   | 03.01.2023   | 2000+          |\n| Video 4      | Channel 4   | 04.01.2023   | 300+           |\n\n------------------------------------------------------------------------------\n\n📝 Article\n| Title        | Author      | Publish Date | Rating        |\n|--------------|-------------|--------------|---------------|\n| [Supply Chain Security](https://www.aquasec.com/cloud-native-academy/supply-chain-security/supply-chain-security-mitigating-the-supply-chain-threat/)       | aqua     | None   | ⭐⭐⭐⭐⭐    |\n| [How to create SBOMs in Java with Maven and Gradle](https://medium.com/@snyksec/how-to-create-sboms-in-java-with-maven-and-gradle-2abb1269baa6)       | snyk     | 28.11.2022   | ⭐⭐⭐⭐       |\n| [SBOM Quick Start](https://help.sonatype.com/iqserver/quickstart-guides/software-bill-of-materials-%28sbom%29-quick-start?selectedPageVersions=6\u0026selectedPageVersions=7)       | Sonatype     | None   | ⭐⭐⭐⭐     |\n| [Sign and Verify Container Images with Cosign, and Kyverno: A Complete Guide](https://medium.com/@seifeddinerajhi/sign-and-verify-container-images-with-cosign-and-kyverno-a-complete-guide-b32b1f6e6264)       | Seifeddine Rajhi     | .09.2023   | ⭐⭐⭐⭐⭐ |\n\n--------------------------------------------------------------------------------\n\n👤 LinkedIn Profiles to Follow\n| Name           | Title               | Profile Link                        |\n|----------------|----------------------|------------------------------------|\n| Batuhan Apaydın       | Senior Platform Engineer          | [LinkedIn Profile](https://www.linkedin.com/in/bthnapydin/) |\n| Furkan Türkal       | Platform Engineer          | [LinkedIn Profile](https://www.linkedin.com/in/furkanturkal/) |\n| Dan Lorenc       | CEO          | [LinkedIn Profile](https://www.linkedin.com/in/danlorenc/) |\n| Saim Safder      | DevOps Tech Lead         | [LinkedIn Profile](https://www.linkedin.com/in/saim-safder/) |\n\n\n--------------------------------------\n## Dependency Track\n\n`Installed with docker-compose.yaml`\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/4db8ff3b-6c49-499b-b705-bb69a9e1af6c)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/a77ad6f6-4445-4097-8778-2852e1e8dae6)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/e387a3f0-d3cb-4117-b37c-a2a7e1594322)\n\n## SonarQube\n\n- `docker pull sonarqube:community`\n- `docker run -d --name sonarqube -p 9000:9000 -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -e SONAR_JAVA_OPTS=\"-Xmx4g -Xms512m -XX:+HeapDumpOnOutOfMemoryError\" sonarqube:community`\n\nWe can use the command below for project SCA\n\n- `You must install sonar-scanner on your local desktop`\n  \n ![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/af49f3a9-aaf1-45c7-aa10-e098a6ce3751)\n\n- How to create a token =\u003e My Account =\u003e Security =\u003e Generate Tokens\n\n- `mvn clean package sonar:sonar -Dsonar.projectKey=secure-devOps -Dsonar.host.url=http://localhost:9000 -Dsonar.login=sqa_8d5781d430cef6f2ba2c08e691ef6b01bd0c8f28 -Dsonar.exclusions=**/*.java` (this login token will change, because this SonarQube container is not persistent)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/a2576664-7c8f-45f6-8cc7-734446a19e15)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/11d5e107-f421-460c-a88d-912dadcead96)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/de7bba07-253e-4eb1-8792-4b1b19762d19)\n\n\n## Buildpacks\n\nWe will create an image with buildpacks\n[Buildpacks](https://buildpacks.io/)\n\n\n## Jib-Maven-Plugin\n\n- [How to use Jib with our Java project](https://github.com/GoogleContainerTools/jib/blob/master/jib-maven-plugin/README.md)\n- `mvn clean install -P create-image-openjdk` =\u003e max size\n- `mvn clean install -P create-image-openjdk-slim`\n- `mvn clean install -P create-image-openjdk-jre` =\u003e min size\n- ![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/4baf45ae-cc84-4835-9a52-44ab795d5d84)\n\n----------------------------------------------------------------------------------------\n\n### [After this step we will be working on killercoda](https://killercoda.com/kubernetes/scenario/playground)\n\n## Trivy\n\n- [How to install trivy](https://aquasecurity.github.io/trivy/v0.18.3/installation/)\n- `trivy image dogandemir51/secure:0.0.1`\n- `trivy image --format json --output trivy-scanning.json dogandemir51/secure:0.0.1`\n\n## Helm\n\n- [helm](https://helm.sh/)\n- `helm create securechart`\n- You must change values.yaml for your application\n- `helm install secure ./securechart`\n\n## Kyverno\n\n- [Kyverno](https://kyverno.io/docs/introduction/#quick-start)\n- [Installation](https://kyverno.io/docs/installation/)\n- [ExamplePolicy](https://kyverno.io/policies/best-practices/disallow-latest-tag/disallow-latest-tag/)\n\n## Cosign\n- [Installation](https://docs.sigstore.dev/system_config/installation/)\n- `cosign generate-key-pair`\n- `cosign sign --key cosign.key dogandemir51/secure:0.0.1`\n- `cosign verify --key cosign.pub dogandemir51/secure:0.0.1`\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/bb0fa683-fd1b-4faf-9410-e83050749db2)\n\n![image](https://github.com/emirhandogandemir/software-supply-chain-security-java/assets/74687192/2c4cfa51-dda4-4fb7-83c2-fbac5efb3f70)\n\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femirhandogandemir%2Fsoftware-supply-chain-security-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Femirhandogandemir%2Fsoftware-supply-chain-security-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femirhandogandemir%2Fsoftware-supply-chain-security-java/lists"}