Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
https://github.com/bureado/awesome-software-supply-chain-security
Last synced: about 10 hours ago
JSON representation
-
Dependency intelligence
-
- How Cloudflare verifies the code WhatsApp Web serves to users
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Open Source Insights
- scanoss.py/PACKAGE.md at main · scanoss/scanoss.py
- Artifact Hub - policies-repositories)
- crt.sh | Certificate Search
- grep.app | code search
- GitHub code search
- searchcode | source code search engine
- Sourcegraph
- Get Started - FOSSology
- Contour: A Practical System for Binary Transparency
- Shopify/seer-prototype: Security Expert Elicitation of Risks
- NSRL - quality-group/national-software-reference-library-nsrl/about-nsrl/library-contents), well-integrated in tooling from [sleuthkit/hfind](http://manpages.ubuntu.com/manpages/bionic/man1/hfind.1.html) to [nsrllookup](https://github.com/rjhansen/nsrllookup)
- CIRCL hashlookup
- Repology - updater](https://github.com/repology/repology-updater) and other infrastructure pieces are open source. It provides an updater for [WikiData](https://github.com/repology/repology-wikidata-bot) which also has properties of interest for the supply chain security domain.
- external repositories metadata
- libraries.io
- Unified Agent
- Software Heritage Project
- swh scanner CLI
- hashdd - Known Good Cryptographic Hashes
- ClearlyDefined
- Binary Transparency directory
- Subresource Integrity
- Binary Transparency
- curl trace attestor · Issue #139 · testifysec/witness
- Friends don't let friends Curl | Bash
- Enable packaging of curl|bash and other wild stuff. by jordansissel · Pull Request #1957 · jordansissel/fpm
- Falco
- dependency-check
- Introducing Package Analysis: Scanning open source packages for malicious behavior
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- MATE: Interactive Program Analysis with Code Property Graphs
- Alpha-Omega Project
- Socket - Find and compare millions of open source packages
- diffoscope: in-depth comparison of files, archives, and directories
- OSS Insight
- grep.app | code search
- Announcing the Private Beta of FOSSA Risk Intelligence
- Projects | Software Transparency Foundation
- GitHub code search
- searchcode | source code search engine
- Sourcegraph
- Code Checker
- Contour: A Practical System for Binary Transparency
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- guacsec/guac: GUAC aggregates software security metadata into a high fidelity graph database.
- package-url/purl-spec: A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby
- SpectralOps/preflight: preflight helps you verify scripts and executables to mitigate chain of supply attacks such as the recent Codecov hack.
- apiaryio/curl-trace-parser: Parser for output from Curl --trace option
- aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF
- genuinetools/bane: Custom & better AppArmor profile generator for Docker containers.
- containers/oci-seccomp-bpf-hook: OCI hook to trace syscalls and generate a seccomp profile
- bottlerocket-os/hotdog: Hotdog is a set of OCI hooks used to inject the Log4j Hot Patch into containers.
- deepfence/ThreatMapper: 🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥
- ossf/package-analysis: Open Source Package Analysis - feeds: Feed parsing for language package manager updates](https://github.com/ossf/package-feeds)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- ClusterFuzzLite
- CodeIntelligenceTesting/jazzer.js: Coverage-guided, in-process fuzzing for the Node.js
- IntelLabs/control-flag: A system to flag anomalous source code expressions by learning typical expressions from training data
- abhisek/supply-chain-security-gateway: Reference architecture and proof of concept implementation for supply chain security gateway
- cugu/gocap: List your dependencies capabilities and monitor if updates require more capabilities.
- Checkmarx/chainalert-github-action: scans popular packages and alerts in cases there is suspicion of an account takeover
- RedHatProductSecurity/component-registry: Component Registry (Corgi) aggregates component data across Red Hat's supported products, managed services, and internal product pipeline services.
- cve-search/git-vuln-finder: Finding potential software vulnerabilities from git commit messages
- chaoss/augur: Python library and web service for Open Source Software Health and Sustainability metrics & data collection. You can find our documentation and new contributor information easily here: https://chaoss.github.io/augur/ and learn more about Augur at our website https://augurlabs.io
- IBM/CBOM: Cryptography Bill of Materials
- AppThreat/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief.
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Unified Agent
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- TaptuIT/awesome-devsecops: Curating the best DevSecOps resources and tooling.
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Alpha-Omega Project
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- AppThreat/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief.
- curl trace attestor · Issue #139 · testifysec/witness
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
- Argo Security Automation with OSS-Fuzz - security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
-
SCA and SBOM
- bomsage/vision.md at main · dpp/bomsage
- GitBOM
- Mend SCA SBOM - developer-tools/bolt/) and [Whitesource Renovate: Automated Dependency Updates](https://www.whitesourcesoftware.com/free-developer-tools/renovate/)
- GitBOM. It’s not Git or SBOM
- bomsage/vision.md at main · dpp/bomsage
- SCA tools
- New `docker sbom` Command Creates SBOMs Using Syft
- Creating SBOM Attestations Using Syft and Sigstore
- utils/ci/github/docker-build-sign-sbom at main · marco-lancini/utils
- Energy SBOM Proof of Concept - INL
- SCA tools
- Mend SCA SBOM - developer-tools/bolt/) and [Whitesource Renovate: Automated Dependency Updates](https://www.whitesourcesoftware.com/free-developer-tools/renovate/)
- Use Cases - Renovate Docs
- JFrog Xray - Universal Component Analysis & Container Security Scanning
- Good read on Dependency-Track
- ANNOUNCE: Scan is now in maintenance mode · Issue #352 · ShiftLeftSecurity/sast-scan
- Container Security | Qualys, Inc.
- Aqua Cloud Native Security, Container Security & Serverless Security
- REA-Products/C-SCRM-Use-Case at master · rjb4standards/REA-Products
- Energy SBOM Proof of Concept - INL
- DWARF 5 Standard
- awesomeSBOM/awesome-sbom
- git-bom/bomsh: bomsh is collection of tools to explore the GitBOM idea
- yonhan3/gitbom-repo: A repository of gitBOM docs for Linux binaries
- Grafeas: A Component Metadata API
- trailofbits/it-depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
- renovatebot/renovate: Universal dependency update tool that fits into your workflows.
- DependencyTrack/dependency-track: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- oss-review-toolkit/ort: A suite of tools to assist with reviewing Open Source Software dependencies.
- anchore/syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems
- tern-tools/tern: Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
- Phylum Analyze PR Action: GitHub Action to analyze Pull Requests for open-source supply chain issues
- microsoft/component-detection: Scans your project to determine what components you use
- hughsie/python-uswid: A tiny tool for embedding CoSWID tags in EFI binaries
- DefectDojo/django-DefectDojo: DefectDojo is a DevSecOps and vulnerability management tool.
- DefectDojo/sample-scan-files: Sample scan files for testing DefectDojo imports
- swingletree-oss/swingletree: Integrate and observe the results of your CI/CD pipeline tools
- mercedes-benz/sechub: SecHub - one central and easy way to use different security tools with one API/Client
- BBVA/susto: Systematic Universal Security Testing Orchestration
- AppThreat/rosa: An experiment that looks very promising so far.
- opensbom-generator/spdx-sbom-generator: Support CI generation of SBOMs via golang tooling.
- javixeneize/yasca: Yet Another SCA tool
- edgebitio/edgebit-build: GitHub action to upload SBOMs to EdgeBit and receive vulnerability context in your pull requests - Real-time supply chain security, enabling security teams to target and coordinate vulnerability remediation without toil.](https://edgebit.io/)
- microsoft/sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts
- sbs2001/fatbom: fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.
- jhutchings1/spdx-to-dependency-graph-action: A GitHub Action that takes SPDX SBOMs and uploads them to GitHub's dependency submission API to power Dependabot alerts
- evryfs/sbom-dependency-submission-action: Submit SBOMs to GitHub's dependency submission API
- tap8stry/orion: Go beyond package manager discovery for SBOM
- patriksvensson/covenant: A tool to generate SBOM (Software Bill of Material) from source code artifacts.
- CycloneDX/cyclonedx-webpack-plugin: Create CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
- advanced-security/gh-sbom: Generate SBOMs with gh CLI
- interlynk-io/sbomqs: SBOM quality score - Quality metrics for your sboms
- eBay/sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful.
- Rezillion Dynamic SBOM
- Software Identification (SWID) Tagging | CSRC
- Concise Software Identification Tags
- thread
- in coreboot
- Security problem management
- SBOM Solution
- Rezillion Dynamic SBOM
- SBOM tools
- Supported Languages & Manifests
- Software Bill of Materials
- SBOM Studio
- Software Assurance Guardian Point Man (SAG-PM)
- SCA to Automate Security Scanning
- Enterprise Edition - BluBracket: Code Security & Secret Detection
- Software Composition Analysis (SCA) | CyberRes
- Nexus Intelligence - Sonatype Data Services
- Sonatype BOM Doctor
- Dependency submission
- Brakeing Down Security Podcast: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made
- Episode 312: The Legend of the SBOM
- Reimagining Cyber Podcast: Log4j vulnerability provides harsh lessons in unknown dependencies
- Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs
- Sounil Yu on SBOMs, software supply chain security - Security Conversations
- Exploring Security. Criticality of SBOM. Scott McGregor, Cloud Security, Wind River
- Down the Security Rabbithole Podcast: DtSR Episode 487 - Software Supply Chain is a BFD
- Software Composition Analysis Podcast: Software Supply Chain - Episode 1
- Software Bill of Materials | CISA
- SBOM Use Case - RKVST - RKVST](https://www.rkvst.com/rkvst-sbom-hub/)
- SBOM Hub - NTIA Attribute Mappings
- BOF: SBOMs for Embedded Systems: What's Working, What's Not? - Kate Stewart, Linux Foundation
- OWASP CycloneDX Launches SBOM Exchange API
- SBOM Management | Six Ways It Prevents SBOM Sprawl
- The Minimum Elements For a Software Bill of Materials
- What an SBOM Can Do for You
- envoy/DEPENDENCY_POLICY.md at main · envoyproxy/envoy
- What curl expects from dependencies
- Reimagining Cyber Podcast: Log4j vulnerability provides harsh lessons in unknown dependencies
- What an SBOM Can Do for You
- Reimagining Cyber Podcast: Log4j vulnerability provides harsh lessons in unknown dependencies
- GitBOM. It’s not Git or SBOM
- Critical Update: Do You Know What’s In Your Software?
- All About That BoM, ‘bout That BoM - Melba Lopez, IBM
- GitBOM
- nexB/scancode-toolkit: ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
- microsoft/component-detection: Scans your project to determine what components you use
- marcinguy/betterscan-ce: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan Community Edition (CE)
- sbs2001/fatbom: fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.
-
Vulnerability information exchange
- spdx/spdx-to-osv: Produce an Open Source Vulnerability JSON file based on information in an SPDX document
- google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- AppThreat/vulnerability-db: Vulnerability database and package search for sources such as OSV, NVD, GitHub and npm.
- aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
- cve-search/cve-search: cve-search - a tool to perform local searches for known vulnerabilities
- Exein-io/kepler: NIST-based CVE lookup store and API powered by Rust
- ossf/scorecard: Security Scorecards - Security health metrics for Open Source - reviews: A community collection of security reviews of open source software components.](https://github.com/ossf/security-reviews)
- ossf/scorecard-action: Official GitHub Action for OSSF Scorecards.
- OpenSSF Security Insights Spec
- victims/victims-cve-db: CVE database store
- anchore/grype: A vulnerability scanner for container images and filesystems
- trickest/cve: Gather and update all available and newest CVEs with their PoC.
- quarkslab/aosp_dataset: Large Commit Precise Vulnerability Dataset based on AOSP CVE
- nyph-infosec/daggerboard
- davideshay/vulnscan: Vulnerability Scanner Suite based on grype and syft from anchore
- secvisogram/secvisogram: Secvisogram is a web tool for creating and editing security advisories in the CSAF 2.0 format
- future-architect/vuls: Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
- infobyte/faraday: Open Source Vulnerability Management Platform - Community v4 Release](https://faradaysec.com/community-v4/)
- nexB/vulnerablecode: A work-in-progress towards a free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode
- toolswatch/vFeed: The Correlated CVE Vulnerability And Threat Intelligence Database API
- mitre/saf: The MITRE Security Automation Framework (SAF) Command Line Interface (CLI) brings together applications, techniques, libraries, and tools developed by MITRE and the security community to streamline security automation for systems and DevOps pipelines
- Rezilion/mi-x: Determine whether your compute is truly vulnerable to a specific vulnerability by accounting for all factors which affect *actual* exploitability (runtime execution, configuration, permissions, existence of a mitigation, OS, etc..)
- ossf-cve-benchmark/ossf-cve-benchmark: The OpenSSF CVE Benchmark consists of code and metadata for over 200 real life CVEs, as well as tooling to analyze the vulnerable codebases using a variety of static analysis security testing (SAST) tools and generate reports to evaluate those tools.
- noqcks/xeol: An end-of-life (EOL) package scanner for container images, systems, and SBOMs
- mchmarny/vimp: Compare data from multiple vulnerability scanners to get a more complete picture of potential exposures.
- OSV
- SBOM in Action: finding vulnerabilities with a Software Bill of Materials
- Vulnerability Detection Pipeline
- Vuls · Agentless Vulnerability Scanner for Linux/FreeBSD
- SAST for Code Security | Snyk Code
- Choosing Open Source Libraries
- Contrast Community Edition
- Known Exploited Vulnerabilities Catalog | CISA
- How OpenSSF Scorecards can help to evaluate open-source software risks
- State of the Eclipse Foundation GitHub repositories
- Lynis - Security auditing and hardening tool for Linux/Unix
- Using Grype to Identify GitHub Action Vulnerabilities
- Grype now supports CycloneDX and SPDX standards
- GitHub Advisory Database now open to community contributions
- Global Security Database Working Group | CSA - database: Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
- RFC 9116: A File Format to Aid in Security Vulnerability Disclosure
- Commit Level Vulnerability Dataset
- Vulnerability Management
- Vulnerability Management | aDolus
- Vulnerability Management
- CycloneDX - Vulnerability Exploitability Exchange (VEX)
- Vulnerability eXploitability Exchange explained: How VEX makes SBOMs actionable
- How VEX helps SBOM+SLSA improve supply chain visibility | Google Cloud Blog
- What is VEX and What Does it Have to Do with SBOMs?
- What is VEX? It's the Vulnerability Exploitability eXchange!
- Vex and SBOMs
- VDR or VEX – Which Do I Use? Part 1
- VEX! or... How to Reduce CVE Noise With One Simple Trick!
- Vulnerability Exploitability eXchange (VEX) - Status Justifications
- Real-time VEX
- Vulncode-DB
- GitHub brings supply chain security features to the Rust community
- CyCognito Adopts Mapping ATT&CK to CVE for Impact
- A closer look at CVSS scores - madness-vendor-bug-advisories-broken) and [An Incomplete Look at Vulnerability Databases & Scoring Methodologies](https://medium.com/@chris.hughes_11070/an-incomplete-look-at-vulnerability-databases-scoring-methodologies-7be7155661e8)
- How to Analyze an SBOM - to-generate-and-host-an-sbom/) from Cloudsmith
- After the Advisory
- devops-kung-fu/bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities
- Vulnerability Database
- How OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore
- Vulnerability Detection Pipeline
- noqcks/xeol: An end-of-life (EOL) package scanner for container images, systems, and SBOMs
-
-
Identity, signing and provenance
-
Supply chain beyond libraries
- An exposed apt signing key and how to improve apt security
- testifysec/go-ima: go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems
- puerco/tejolote: A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
- slsa-framework/slsa-github-generator: Language-agnostic SLSA provenance generation for Github Actions
- technosophos/helm-gpg: Chart signing and verification with GnuPG for Helm.
- cashapp/pivit
- notaryproject/notary: Notary is a project that allows anyone to have trust over arbitrary collections of data
- notaryproject/roadmap: Roadmap for NotaryV2
- notaryproject/notation: Notation is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures. Based on Notary V2 standard.
- notaryproject/tuf: The Update Framework for OCI Registries
- vmware-labs/repository-editor-for-tuf: Command line tool for editing and maintaining a TUF repository
- werf/trdl: The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.
- latchset/tang: Tang binding daemon
- witness example with GitLab
- aws-solutions/verifiable-controls-evidence-store: This repository contains the source code of the Verifiable Controls Evidence Store solution
- paragonie/libgossamer: Public Key Infrastructure without Certificate Authorities, for WordPress and Packagist
- johnsonshi/image-layer-provenance
- oras-project/artifacts-spec
- recipy/recipy: Effortless method to record provenance in Python
- spiffe/spire: The SPIFFE Runtime Environment
- Fraunhofer-SIT/charra: Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.
- google/trillian: A transparent, highly scalable and cryptographically verifiable data store.
- pyrsia/pyrsia: Decentralized Package Network
- sigstore
- Cosign
- Fulcio
- Rekor
- Kubernetes taps Sigstore to thwart open-source software supply chain attacks
- OpenSSF Landscape
- cas - cas attestation service
- Witness - [testifysec/witness: Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.](https://github.com/testifysec/witness)
- Securing the Supply Chain with Witness - Cole Kennedy, TestifySec
- in-toto-run - GitHub Marketplace - toto/github-action: in-toto provenance github action](https://github.com/in-toto/github-action)
- General availability of SLSA3 Generic Generator for GitHub Actions
- Attestation Crafting | ChainLoop documentation
- How to easily try out TUF + in-toto
- Python-TUF reaches version 1.0.0
- ietf-rats - Overview
- Issue #21 · testifysec/witness
- Allow using SSH keys to sign commits · Discussion #7744 · github/feedback
- Monitoring the kernel.org Transparency Log for a year
- Software Distribution Transparency and Auditability
- Solving Open Source Supply Chain Security for the PHP Ecosystem
- Artifactory - Universal Artifact Management
- transmute-industries/verifiable-actions: Workflow tools for Decentralized Identifiers & Verifiable Credentials
- Privacy-preserving Approaches to Transparency Logs
- Cosign
- Secure Software Updates via TUF — Part 2
- Fulcio
- Issue #21 · testifysec/witness
- vmware-labs/repository-editor-for-tuf: Command line tool for editing and maintaining a TUF repository
- Allow using SSH keys to sign commits · Discussion #7744 · github/feedback
- oras-project/artifacts-spec
-
-
Build techniques
-
Supply chain beyond libraries
- Lockheed Martin / hoppr / hoppr
- Reproducible Builds / reprotest
- tektoncd/chains: Supply Chain Security in Tekton Pipelines
- google/santa: A binary authorization system for macOS
- fepitre/package-rebuilder: Standalone orchestrator for rebuilding Debian, Fedora and Qubes OS packages in order to generate `in-toto` metadata which can be used with `apt-transport-in-toto` or `dnf-plugin-in-toto` to validate reproducible status.
- kpcyrd/rebuilderd-debian-buildinfo-crawler: Reproducible Builds: Scraper/Parser for https://buildinfos.debian.net into structured data
- kpcyrd/rebuilderd: Independent verification of binary packages - reproducible builds
- defenseunicorns/zarf: DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
- edgelesssys/constellation: Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
- reposaur/reposaur: Open source compliance tool for development platforms.
- buildsec/frsca - toto attesttations for SLSA provenance predicates.
- chainloop-dev/chainloop: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
- aquasecurity/chain-bench: an open-source tool for auditing your software supply chain stack for security compliance - 1.0/)
- ossf/allstar: GitHub App to set and enforce security policies
- scribe-public/gitgat: Evaluate source control (GitHub) security posture
- Legit-Labs/legitify: Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
- crashappsec/github-analyzer: A tool to check the security settings of Github Organizations.
- wspr-ncsu/github-actions-security-analysis
- jart/landlock-make: Sandboxing for GNU Make has never been easier
- veraison/veraison: Project Veraison will build software components that can be used to build Attestation Verification Services
- GoogleContainerTools/kaniko: Build Container Images In Kubernetes
- sethvargo/ratchet: A tool for securing CI/CD workflows with version pinning.
- buildsec/vendorme
- eellak/build-recorder
- step-security/harden-runner: Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches
- cider-security-research/cicd-goat: A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
- step-security/attack-simulator: Simulate past supply chain attacks such as SolarWinds, Codecov, and ua-parser-js
- alecmocatta/build_id: Obtain a UUID uniquely representing the build of the current binary.
- Shopify/hansel
- kpcyrd/archlinux-inputs-fsck: Lint repository of PKGBUILDs for cryptographically pinned inputs
- Software Supply Chain Attestation the Easy Way
- oss-reproducible - Measures the reproducibility of a package based on its purported source. Part of [OSS Gadget](https://github.com/microsoft/OSSGadget)
- Using Landlock to Sandbox GNU Make
- Changelog
- Security hardening for GitHub Actions
- Bazel
- FOSDEM 2023 - Build recorder: a system to capture detailed information
- reproducible-builds
- Handling build-time dependency vulnerabilities - security](https://github.com/cncf/tag-security/issues/855)
- Code Sight
- What Makes a Build Reproducible, Part 2
- Dependency management
- Building a Secure Software Supply Chain with GNU Guix
- On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Software Vulnerabilities
- Reproducible Builds: Break a log, good things come in trees
- Secure Your Software Factory with melange and apko
- Reproducible Builds - builds.org/docs/)
- r-b ecosytem mapping
- Is NixOS Reproducible?
- Bootstrappable Builds (GNU Mes Reference Manual)
- Bootstrappable builds
- Verifiable Supply Chain Metadata for Tekton - CD Foundation
- Reproducible Builds: Debian and the case of the missing version string - vulns.xyz
- Inputs - Hoppr
- Dependency management
- tag-security/sscsp.md at main · cncf/tag-security
- Draft: POC Witness Runner integration (!1) · Merge requests · testifysec / gitlab-runner
-
-
Talks, articles, media coverage and other reading
-
Getting started and staying fresh
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- chainguard-dev/ssc-reading-list: A reading list for software supply-chain security.
- IQTLabs/software-supply-chain-compromises: A dataset of software supply chain compromises. Please help us maintain it!
- Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
- ossf/oss-compromises: Archive of various open source security compromises
- PayDevs/awful-oss-incidents: 🤬 A categorized list of incidents caused by unappreciated OSS maintainers or underfunded OSS projects. Feedback welcome!
- goreleaser/supply-chain-example: Example goreleaser + github actions config with keyless signing and SBOM generation
- sigstore/community: General sigstore community repo
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- @bureado - security](https://www.inoreader.com/stream/user/1005644984/tag/corner-security)
- tl;dr sec Newsletter
- Past Issues | CloudSecList
- News - reproducible-builds.org
- AppSec Map
- Jetstack | The Software Supply Chain Toolkit
- A toolbox for a secure software supply chain
- Technology
- Acronyms | OpenSCAP portal
- slsa/terminology.md at main · slsa-framework/slsa
- How to start learning about Supply Chain Security
- Open Source Supply Chain Security: A Visualization of the Checkmarx Solution
- Secure Software Development Fundamentals Courses - Open Source Security Foundation
- Securing Your Software Supply Chain with Sigstore
- “Chain”ging the Game - how runtime makes your supply chain even more secure
- How to attack cloud infrastructure via a malicious pull request
- The Challenges of Securing the Open Source Supply Chain
- What is a Software Supply Chain Attestation - and why do I need it?
- Open Policy Agent 2021, Year in Review
- Reproducibility · Cloud Native Buildpacks - sbom-opportunities/)
- The state of software bill of materials: SBOM growth could bolster software supply chains
- Secure Your Software Supply Chain with New VMware Tanzu Application Platform Capabilities
- Secure Software Supply Chains
- Supply Chain Compromise - attackics
- tag-security/supply-chain-security/compromises at main · cncf/tag-security
- Taxonomy of Attacks on Open-Source Software Supply Chains - explorer-for-software-supply-chains/)
- Risk Explorer for Software Supply Chains
- Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
- Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
- Software Supply Chain Security Threat Landscape
- Bad actors vs our community: detecting software supply chain...
- Protect Yourself Against Supply Chain Attacks - Rob Bos - NDC Security 2022
- Open Source Security: How Digital Infrastructure Is Built on a House of Cards
- Bootstrapping Trust Part 1
- The Rise of Continuous Packaging
- Supply Chain Security for Cloud Native Java
- Improving TOFU (trust on first use) With Transparency
- 2022 State of Cloud Native Security Report - Palo Alto Networks
- Improve supply chain security with GitHub actions, Cosign, Kyverno and other open source tools
- Using SARIF to Extend Analysis of SAST Tools
- Software Supply Chain Security
- Software Supply Chain Security Direction
- SARIF support for code scanning
- Driving Developer Productivity via Automated Dependency Tracking
- Code scanning finds more vulnerabilities using machine learning
- Securing Open Source Software at the Source
- Why SBOMS & Security Scanning Go Together - Upstream: The Software Supply Chain Security Podcast presented by Anchore
- SBOMs in the Windows Supply Chain
- Whose Sign Is It Anyway? - Marina Moore, NYU & Matthew Riley, Google
- Binary Authorization for Borg: how Google verifies code provenance and implements code identity
- Application Security Weekly (Video) on Apple Podcasts
- How to prioritize the improvement of open source software security
- Strengthening digital infrastructure: A policy agenda for free and open source software
- Software Supply Chain Security Turns to Risk Mitigation
- Reproducible Builds: Increasing the Integrity of Software Supply Chains
- CycloneDX Use Cases
- Building a Sustainable Software Supply Chain
- Dependency Issues: Solving the World’s Open Source Software Security Problem
- The Digital Economy Runs on Open Source. Here’s How to Protect It
- Report: 95% of IT leaders say Log4shell was ‘major wake-up call’ for cloud security
- Securing the Open Source Software Supply Chain
- The state of open source security in 2022
- Kubernetes Podcast from Google: Episode 174 - in-toto, with Santiago Torres-Arias
- EO 14028 and Supply Chain Security
- Reducing Open Source Risk Throughout the Development, Delivery and Deployment of SBOMs - 9
- Open Source Security Foundation (OpenSSF) Security Mobilization Plan
- Not Just Third Party Risk
- It Depends
- New security concerns for the open-source software supply chain
- Software Supply Chain Primer v0.93
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- wg-security-tooling/guide.md at main · ossf/wg-security-tooling - security-tooling: OpenSSF Security Tooling Working Group](https://github.com/ossf/wg-security-tooling#active-projects)
- tag-security/cloud-native-security-lexicon.md at main · cncf/tag-security
- Open Policy Agent 2021, Year in Review
- 2022 Software Supply Chain Security Report • Anchore
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- The state of software bill of materials: SBOM growth could bolster software supply chains
- Report: 95% of IT leaders say Log4shell was ‘major wake-up call’ for cloud security
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Securing the Open Source Software Supply Chain
- Open Policy Agent 2021, Year in Review
- #6: Steve Springett: CycloneDX and the Future of SBOMs - Cybellum
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Bad actors vs our community: detecting software supply chain...
- Security: The Value of SBOMs
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
- Open Policy Agent 2021, Year in Review
-
-
About this list
- here
- supply-chain-synthesis - form read on why that's the case, plus helpful pointers to understand and navigate it as it evolves.
- Add Bad Design as a supply chain scenario · Issue #249 · slsa-framework/slsa - framework/slsa](https://github.com/slsa-framework/slsa/issues/276). [Check out this tweet from Aeva Black](https://twitter.com/aevavoom/status/1491479149227118597) with Dan Lorenc for another in-a-pinch view of a couple key projects.
- supply-chain-synthesis - form read on why that's the case, plus helpful pointers to understand and navigate it as it evolves.
-
Point-of-use validations
-
Vulnerability information exchange
- testifysec/judge-k8s: Proof of concept Kubernetes admission controller using the witness attestation verification library
- sigstore/policy-controller: The policy admission controller used to enforce policy on a cluster on verifiable supply-chain metadata from cosign.
- lukehinds/policy-controller-demo: demo of keyless signing with the sigstore kubernetes policy controller
- reproducible-containers/repro-get: Reproducible apt/dnf/apk/pacman, with content-addressing
- kpcyrd/pacman-bintrans: Experimental binary transparency for pacman with sigstore and rekor
- kpcyrd/apt-swarm: 🥸 p2p gossip network for update transparency, based on pgp 🥸
- pyupio/safety: Safety checks your installed dependencies for known security vulnerabilities
- snyk-labs/snync: Mitigate security concerns of Dependency Confusion supply chain security risks
- lirantal/lockfile-lint: Lint an npm or yarn lockfile to analyze and detect security issues
- Checkmarx/chainjacking: Find which of your go lang direct GitHub dependencies is susceptible to ChainJacking attack
- Cargo Vet - dev/cargo-crev: A cryptographically verifiable code review system for the cargo (Rust) package manager.](https://github.com/crev-dev/cargo-crev)
- banyanops/collector: A framework for Static Analysis of Docker container images
- quay/clair: Vulnerability Static Analysis for Containers
- DataDog/guarddog: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
- eliasgranderubio/dagda: a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
- kpcyrd/libredefender: Imagine the information security compliance guideline says you need an antivirus but you run Arch Linux
- tinkerbell/lint-install: Consistently install reasonable linter rules for open-source projects
- openclarity/kubeclarity: KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
- stackrox/stackrox: The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
- xlab-si/iac-scan-runner: Service that scans your Infrastructure as Code for common vulnerabilities
- aquasecurity/starboard: Kubernetes-native security toolkit
- ckotzbauer/vulnerability-operator: Scans SBOMs for vulnerabilities
- chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
- aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark - hunter: Hunt for security weaknesses in Kubernetes clusters](https://github.com/aquasecurity/kube-hunter)
- quarkslab/kdigger: Kubernetes focused container assessment and context discovery tool for penetration testing
- ossillate-inc/packj: The vetting tool 🚀 behind our large-scale security analysis platform to detect malicious/risky open-source packages
- doowon/sigtool: sigtool for signed PE files in GO
- JupiterOne/secops-automation-examples: Examples on how to maintain security/compliance as code and to automate SecOps using the JupiterOne platform.
- Project Thoth
- Kyverno
- Attesting Image Scans With Kyverno
- Managing Kyverno Policies as OCI Artifacts with OCIRepository Sources
- CONNAISSEUR - Verify Container Image Signatures in Kubernetes
- portieris/POLICIES.md at main · IBM/portieris
- Open Policy Agent
- Conftest - policy-agent/conftest/blob/master/examples/docker/policy/commands.rego)
- pre-commit
- npm-audit
- requires.io | Monitor your dependencies
- Brakeman Security Scanner
- Use data-dist-info-metadata (PEP 658) to decouple resolution from downloading by cosmicexplorer · Pull Request #11111 · pypa/pip
- Semgrep
- Getting started with Semgrep Supply Chain
- Catching Security Vulnerabilities With Semgrep
- KICS - Keeping Infrastructure as Code Secure
- dockerfile resource scans - checkov - time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.](https://github.com/bridgecrewio/checkov)
- Vulnerability Assessment | OpenSCAP portal
- Detecting Log4Shell with Wazuh
- Get started with Kubernetes Security and Starboard
- kubescape Visual Studio Code extension
- cloudquery/plugins/source/k8s/policies at main · cloudquery/cloudquery
- Introducing "safe npm", a Socket npm Wrapper - Socket
- How We Generate a Software Bill of Materials (SBOM) with CycloneDX
- Securing CICD pipelines with StackRox / RHACS and Sigstore
- Do you trust your package manager?
- analysis-tools-dev/static-analysis: ⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
- anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles
- ckotzbauer/sbom-operator: Catalogue all images of a Kubernetes cluster to multiple targets with Syft
- armosec/kubescape: Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.
- graudit/signatures at master · wireghoul/graudit
- hadolint/README.md at d16f342c8e70fcffc7a788d122a1ba602075250d · hadolint/hadolint
- Introducing SafeDep vet 🚀 | SafeDep
- aws-samples/automated-security-helper
- trailofbits/pip-audit: Audits Python environments and dependency trees for known vulnerabilities
-
Supply chain beyond libraries
- keylime/keylime: A CNCF Project to Bootstrap & Maintain Trust on the Edge / Cloud and IoT
- parallaxsecond/parsec: Platform AbstRaction for SECurity service
- System Transparency | security architecture for bare-metal servers
- Emulated host profiles in fwupd
- GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
- Kernel Self Protection Project - Linux Kernel Security Subsystem
- TPM Carte Blanche-resistant Boot Attestation
-
-
Frameworks and best practice references
-
Supply chain beyond libraries
- OWASP/Software-Component-Verification-Standard: Software Component Verification Standard (SCVS)
- microsoft/scim: Supply Chain Integrity Model
- microsoft/oss-ssc-framework: Open Source Software Secure Supply Chain Framework
- in-toto | A framework to secure the integrity of software supply chains
- Supply chain Levels for Software Artifacts - list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
- SLSA | CloudSecDocs
- Building trust in our software supply chains with SLSA
- SLSA for Success: Using SLSA to help achieve NIST’s SSDF - foundational-framework)
- framework mapping - framework-measuring-supply-chain-security-maturity)
- A Practical Guide to the SLSA Framework
- Securing Gitpod's Software Supply Chain with SLSA
- A First Step to Attaining SLSA Level 3 on GitHub
- pattern search across GitHub
- OWASP Application Security Verification Standard - Configuration_
- CREST launches OWASP Verification Standard (OVS)
- Fundamental Practices for Secure Software Development, Third Edition - party Components_
- A MAP for Kubernetes supply chain security
- Supply Chain Integrity, Transparency, and Trust (scitt)
- Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
- Comply with NIST's secure software supply chain framework with GitLab
- SP 800-161 Rev. 1, C-SCRM Practices for Systems and Organizations | CSRC
- npm Best Practices Guide - Features and recommendations on using npm safely
- CIS Software Supply Chain Security Guide
- Implementing software security in open source
- System of Trust
- Securing the Software Supply Chain for Developers
- Concise Guide for Developing More Secure Software 2022-09-01
- Securing the Software Supply Chain
- Zero Trust the Hard Way
- KubePhilly March 2022- A Look At The Kubernetes SLSA Compliance Project
- Supply Chain Risk Management
- SSF | The Secure Software Factory - chain-examples](https://github.com/mlieberman85/supply-chain-examples)
- Google Best Practices for Java Libraries
- SSF | The Secure Software Factory - chain-examples](https://github.com/mlieberman85/supply-chain-examples)
- Software Supply Chain Risk Management | BSIMM
- pattern search across GitHub
-
Programming Languages
Categories
Sub Categories
Keywords
security
48
sbom
23
kubernetes
19
devsecops
16
supply-chain-security
15
security-tools
15
golang
13
supply-chain
12
docker
11
containers
11
cyclonedx
11
go
11
vulnerabilities
11
vulnerability
10
spdx
10
vulnerability-scanners
10
cve
9
vulnerability-detection
9
compliance
8
devops
8
python
8
appsec
7
security-automation
7
static-analysis
6
github
6
k8s
5
sbom-generator
5
oci
5
open-source
5
purl
5
dependencies
5
tool
4
reproducible-builds
4
vulnerability-management
4
gitlab
4
npm
4
cloud-native
4
owasp
4
package-url
4
software-bill-of-materials
4
security-audit
4
linux
4
oss-compliance
3
infosec
3
package-management
3
fuzzing
3
vulnerability-assessment
3
software-composition-analysis
3
rust
3
github-actions
3