awesome-software-supply-chain-security
Sharing software supply chain security open source projects
https://github.com/meta-fun/awesome-software-supply-chain-security
CI/CD
- Jenkins - The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
- Reproducible Builds - Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.
- Argo - Open source tools for Kubernetes to run workflows, manage clusters, and do GitOps right.
- Tektoncd - A cloud-native solution for building CI/CD systems.
- Jenkins X - CI/CD solution for modern cloud applications on Kubernetes.
- Prow - Prow is a Kubernetes based CI/CD system. Jobs can be triggered by various types of events and report their status to many different services.
- BuildKit - Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit.
- Kaniko - Build container images in Kubernetes.
- Starter Workflows - Workflow files for helping people get started with GitHub Actions.
- Lighthouse - Lighthouse is a lightweight ChatOps based webhook handler which can trigger Jenkins X Pipelines, Tekton Pipelines or Jenkins Jobs based on webhooks from multiple git providers such as GitHub, GitHub Enterprise, BitBucket Server and GitLab.
- jx-git-operator - An operator which polls a git repository for changes and triggers a Kubernetes Job to process the changes in git.
- ko - Build and deploy Go applications on Kubernetes.
Vulnerabilities Database & Tools
- CVE Details - CVE Details provides an easy to use web interface to CVE vulnerability data.
- Exploit Database Online - The Exploit Database is the most comprehensive collection of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
- National Vulnerability Database - The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
- Vuldb - Vulnerability database documenting and explaining security vulnerabilities, threats, and exploits since 1970.
- Snyk Vulnerability Database - Snyk Vulnerability Database.
- CVE List - The CVE Automation Working Group is piloting use of git to share information about public vulnerabilities.
- Exploit Database Offline - The official Exploit Database repository.
- advisory-database - Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
- CVE PoC - Gather and update all available and newest CVEs with their PoC.
- vuln-list - Collect vulnerability information and save it in parsable format automatically.
- NVD Tools - A set of tools to work with the feeds (vulnerabilities, CPE dictionary etc.) distributed by the National Vulnerability Database (NVD).
- golang/vulndb - The Go Vulnerability Database.
- VulnDB Data Mirror - A simple Java command-line utility to mirror the entire contents of VulnDB.
- NIST Data Mirror - A simple Java command-line utility to mirror the CVE JSON data from NIST.
- pypa/advisory-database - Advisory database for Python packages published on pypi.org.
- RustSec/advisory-db - Security advisory database for Rust crates published through crates.io.
- gsd-database - The Global Security Database (GSD) is a new Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space.
- oss-fuzz-vulns - OSS-Fuzz vulnerabilities for OSV.
- cve-ark - All published CVEs and their recent changes, ready to be used by humans and machines.
- osv - Open source vulnerability DB and triage service.
Container Security Scanners
- Container Security - Qualys container security is a tool used to discover, track, and continuously protect container environments.
- Harbor - It stores, signs, and scans docker images for vulnerabilities.
- Aqua Security - Scanner for vulnerabilities in container images, provided vulnerability scanning and management for orchestrators like Kubernetes.
- JFrog Xray - Intelligent Supply Chain Security and Compliance at DevOps Speed.
- Clair - Vulnerability static analysis for containers.
- Docker Bench - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
- Falco - Open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
- Dagda - A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
- Docker Scan - Docker Scan leverages the Snyk engine and is capable of scanning a local Dockerfile, images, and their dependencies to find known vulnerabilities. You can run docker scan from Docker Desktop.
Identity Tools
- Spiffe/Spire
- SWID - Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles.
- CIRCL hashlookup - CIRCL hash lookup is a public API to lookup hash values against known database of files.
- Grafeas - Grafeas defines an API spec for managing metadata about software resources, such as container images, Virtual Machine (VM) images, JAR files, and scripts.
- Dex - Dex is an identity service that uses OpenID Connect to drive authentication for other apps.
- purl - A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
Software Composition Analysis
- Open Source Insights - Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
- License Finder - LicenseFinder works with package managers to find dependencies, detect the licenses of the packages in them, and compare those licenses against a user-defined list of permitted licenses.
- DependencyCheck - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
- osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- go-licenses - Analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
- DependencyTrack - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- OSS Review Toolkit - The OSS Review Toolkit (ORT) aims to assist with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies.
- Gemnasium - Dependency Scanning analyzer that uses the GitLab Advisory Database.
- MurphySec CLI - MurphySec CLI is used for detecting vulnerable dependencies from the command line, and can also be integrated into your CI/CD pipeline.
- reuse-tool - The tool for checking and helping with compliance with the REUSE recommendations.
- bomber - Scans SBOMs for security vulnerabilities.
- CVE-2021-44228-Scanner - Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228.
- OpenSCA-Cli - OpenSCA is now capable of parsing configuration files in the listed programming languages and the corresponding package managers.
- scancode-toolkit - ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
Landscape
- OSPO Landscape - The OSPO landscape is intended as a map to explore the OSPO Ecosystem in terms of tooling, adopters and involved communities.
Software Bill of Materials
- SPDX - SPDX is an open standard for communicating SBOM information, including provenance, license, security, and other related information.
- CycloneDX - OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
- Syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
- bom - A utility to generate SPDX-compliant Bill of Materials manifests.
- Tern - A software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It's written in Python3 with a smattering of shell scripts.
- sbom-operator - Catalogue all images of a Kubernetes cluster to multiple targets with Syft.
- spdx-sbom-generator - Support CI generation of SBOMs via golang tooling.
- sbom-tool - Microsoft's SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
- sbom-composer - A tool that takes two or more micro SBOMs and composes them into one distributable SBOM.
- tejolote - A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
- KiBoM - Configurable BoM generation tool for [KiCad EDA](http://kicad.org/).
Static Application Security Testing
- starter-workflows - GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
- DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
- trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
- Tencent Cloud Code Analysis - Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking.
- CodeQL - The libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning).
- Find Security Bugs - The SpotBugs plugin for security audits of Java web applications and Android applications.
- SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
- tfsec - Security scanner for your Terraform code.
- kubectl-kubesec - Security risk analysis for Kubernetes resources.
- Horusec - Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
- flawfinder - A static analysis tool for finding vulnerabilities in C/C++ source code.
- mobsfscan - mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C code.
- licensee - A Ruby Gem to detect under what license a project is distributed.
- askalono - askalono is a library and command-line tool to help detect license texts. It's designed to be fast, accurate, and to support a wide variety of license texts.
- licenseclassifier - The license classifier is a library and set of tools that can analyze text to determine what type of license it contains. It searches for license texts in a file and compares them to an archive of known licenses.
- Scan - Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and their dependencies.
- insider - SAST Engine focused on covering the OWASP Top 10, support Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Ful...
- njsscan - njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
- go-license-detector - A command line application and a library, written in Go. It scans the given directory for license files, normalizes and hashes them and outputs all the fuzzy matches with the list of reference texts.
- licensechecker - licensechecker (lc) is a command line application which scans directories and identifies what software license things are under, producing reports as either SPDX, CSV, JSON, XLSX or CLI tabular output. Dual-licensed under MIT or the UNLICENSE.
- Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- licensed - A Ruby gem to cache and verify the licenses of dependencies.
Signing Artefacts
- GPG - GnuPG is a complete and free implementation of the OpenPGP standard; it allows you to encrypt and sign your data and communications, and features a versatile key management system along with access modules for all kinds of public key directories.
- cosign - Container Signing, Verification and Storage in an OCI registry.
- Notation - A project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures.
- Fulcio - A free Root-CA for code signing certs, issuing certificates based on an OIDC email address.
- python-tuf - Python reference implementation of The Update Framework (TUF).
- Rust libraries and tools for using and generating TUF repositories.
- go-tuf - Go implementation of The Update Framework (TUF).
- k8s-manifest-sigstore - kubectl plugin for signing Kubernetes manifest YAML files with sigstore.
Framework
- Software Supply Chain Best Practices - CNCF provides a comprehensive software supply chain paper highlighting best practices for high and medium risk environments.
- SLSA - A security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
- SCIM - The proposed SCIM will be an industry standard specification, easing the path for uniform data flow across globally distributed supply chains.
- Blueprint Secure Software Pipeline - Blueprint for building modern, secure software development pipelines.
Data Store
- ORAS - Registries are evolving as generic artifact stores. To enable this goal, the ORAS project provides a way to push and pull OCI Artifacts to and from OCI Registries.
- Trillian - A transparent, highly scalable and cryptographically verifiable data store.
- Rekor - Software Supply Chain Transparency Log.
Malware Detection
- YARA - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
- ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Secret Leakages
- truffleHog - Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
- SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- external-secrets - External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
- Gitleaks - Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
Kubernetes Admission Controller
- Open Policy Agent - Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
- Kyverno - A policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
- Kritis - An open-source solution for securing your software supply chain for Kubernetes applications; it enforces deploy-time security policies using the Grafeas API.
Infrastructure as Code Secure
- Checkov - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code languages with Checkov by Bridgecrew.
- kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
OCI Image Tools
- Buildah - A tool that facilitates building OCI images.
- Skopeo - Work with remote image registries: retrieving information, images, signing content.
- go-containerregistry - Go library and CLIs for working with container registries.
- Buildpacks - Providing tooling to transform source code into container images using modular, reusable build functions.
Cloud Security Posture Management
- nuclei - Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc.
- DefectDojo - A security orchestration and vulnerability management platform.
- RiskScanner - RiskScanner is an open source multi-cloud security compliance scanning platform. Based on the Cloud Custodian, Prowler and Nuclei engines, it realizes security compliance scanning and vulnerability scanning of mainstream public (private) cloud resources.
Risk Management
- Scorecard - Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
- allstar - GitHub App to set and enforce security policies.
- Open Source Project Criticality Score - Gives a criticality score for an open source project.
- SSVC - Stakeholder-Specific Vulnerability Categorization.
Fuzz Testing
- OSS-Fuzz - Continuous fuzzing for open source software.
Artifact Metadata
- in-toto - An open metadata standard that you can implement in your software's supply chain toolchain.
- tkn-intoto-formatter - A common library to convert any Tekton resource to in-toto attestation format.
Demo
- demonstration of SLSA provenance generation strategies - A demonstration of SLSA provenance generation strategies that don't require full build system integration.
- ssf - Prototype implementation of the CNCF's Software Supply Chain Best Practices White Paper.