https://github.com/bazel-contrib/supply-chain
- Host: GitHub
- URL: https://github.com/bazel-contrib/supply-chain
- Owner: bazel-contrib
- License: apache-2.0
- Created: 2024-11-26T18:16:59.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-07-03T14:20:56.000Z (7 months ago)
- Last Synced: 2025-07-03T14:41:42.514Z (7 months ago)
- Language: Starlark
- Size: 97.7 KB
- Stars: 10
- Watchers: 11
- Forks: 3
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- stars - bazel-contrib/supply-chain - \[*Apache License 2.0*\] (⭐️26) (Starlark)
README
# Supply-chain rules for Bazel
This repository contains Bazel modules for injecting supply-chain metadata into builds and collecting it from them.
- [Documentation](./docs)
- Modules
- [@package_metadata](./metadata)
- Contact:
- [Slack](https://bazelbuild.slack.com/archives/C04AZC3E729)
- There is a working group which meets weekly on Thursdays at 2:30pm CET / 8:30am EST. [Meet link](https://meet.google.com/qop-eyei-cfh).
- If you would like to participate, reach out on the slack channel for an invitation.
- [Meeting notes](https://docs.google.com/document/d/1WhScaOLERet4Fxi4fa2Lpke2MgJZGvEE4EXeq6yb0LU)
- Mailing list: [bazel-supply-chain-security@bazel.build](https://groups.google.com/a/bazel.build/g/bazel-supply-chain-security)
This project is the successor to [rules_license](https://github.com/bazelbuild/rules_license).
The intended use cases are:
- declaring metadata about packages, such as
- the licenses the package is available under
- the canonical package name and version
- copyright information
- ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization-specific compliance constraints against the set of packages used by a target.
- producing SBOMs for built artifacts.
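The four use cases above form one pipeline: declare metadata per package, gather it over a target's dependency closure, apply an organization policy to that set, and emit an SBOM. The following is an added illustration of that pipeline in plain Python; it is not the `@package_metadata` Starlark API or any code from this project, and the `PackageMetadata` record shape, the `DEPS`/`METADATA` sample graph, the `ALLOWED` policy and the SBOM layout are all assumptions made for the example.

```python
"""Added example of the pipeline the README sketches: declare per-package
metadata, gather it over a target's dependency closure, apply an organization
license policy, and emit a minimal SBOM.

Plain Python written for illustration; NOT the @package_metadata Starlark API
or project code. Record shape, sample graph, policy and SBOM layout are assumed.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class PackageMetadata:
    """What one package declares about itself (assumed shape)."""
    name: str
    version: str
    licenses: tuple          # SPDX ids the package is offered under (pick any one)
    copyright: str = ""


# Constructed dependency graph: label -> direct dependency labels.
DEPS = {
    "//app:server": ["@zlib//:zlib", "@gpl_tool//:lib"],
    "//app:cli": ["@zlib//:zlib", "@mystery//:lib"],
    "@gpl_tool//:lib": ["@openssl//:crypto"],
    "@zlib//:zlib": [],
    "@openssl//:crypto": [],
    "@mystery//:lib": [],    # deliberately has no metadata declaration
}

# Constructed metadata declarations, keyed by package label.
METADATA = {
    "@zlib//:zlib": PackageMetadata("zlib", "1.3.1", ("Zlib",),
                                    "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler"),
    "@gpl_tool//:lib": PackageMetadata("gpl_tool", "2.0.0", ("GPL-3.0-only",)),
    "@openssl//:crypto": PackageMetadata("openssl", "3.0.13", ("Apache-2.0",)),
}

# Example organization policy: licenses a shipped binary may depend on.
ALLOWED = frozenset({"Apache-2.0", "BSD-3-Clause", "MIT", "Zlib"})


def transitive_deps(target, deps=DEPS):
    """All labels reachable from target (excluding target itself), sorted."""
    seen, stack = set(), list(deps.get(target, []))
    while stack:
        label = stack.pop()
        if label in seen:
            continue
        seen.add(label)
        stack.extend(deps.get(label, []))
    return sorted(seen)


def gather(target, deps=DEPS, metadata=METADATA):
    """Split the closure into (declared: label -> PackageMetadata, undeclared: [labels])."""
    declared, undeclared = {}, []
    for label in transitive_deps(target, deps):
        if label in metadata:
            declared[label] = metadata[label]
        else:
            undeclared.append(label)
    return declared, undeclared


def audit(target, allowed=ALLOWED, deps=DEPS, metadata=METADATA):
    """Apply the policy. A package passes if ANY of its declared licenses is
    allowed, since a multi-licensed package lets the consumer choose one.
    Returns (violations, undeclared); both must be empty for the target to ship."""
    declared, undeclared = gather(target, deps, metadata)
    violations = [label for label, md in declared.items()
                  if not (set(md.licenses) & allowed)]
    return violations, undeclared


def sbom(target, deps=DEPS, metadata=METADATA):
    """Minimal SBOM (assumed layout, not SPDX or CycloneDX) for a built target.
    Undeclared dependencies are listed rather than silently dropped."""
    declared, undeclared = gather(target, deps, metadata)
    return {
        "target": target,
        "packages": [
            {"label": label, "name": md.name, "version": md.version,
             "licenses": list(md.licenses), "copyright": md.copyright}
            for label, md in declared.items()
        ],
        "undeclared": undeclared,
    }


if __name__ == "__main__":
    for t in ("//app:server", "//app:cli"):
        print(t, "audit:", audit(t))
    print(json.dumps(sbom("//app:server"), indent=2))
```

Two design points carry over to a real Bazel implementation: the policy check is evaluated over the transitive closure of the target, not just its direct dependencies, and a dependency with no declaration is reported as a distinct failure rather than treated as license-free, which is the gap that silently breaks both compliance checks and SBOM completeness.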
WARNING: The code here is still in active initial development and will churn a lot.
## Roadmap
In flux.
### Q3 2025
The immediate concern is feature parity with rules_license and providing a smooth migration path.
## Background reading:
These are for learning about the problem space and our approach to solutions. Concrete specifications will always appear in checked-in code rather than in documents.
- [License Checking with Bazel](https://docs.google.com/document/d/1uwBuhAoBNrw8tmFs-NxlssI6VRolidGYdYqagLqHWt8/edit#).
- [OSS Licenses and Bazel Dependency Management](https://docs.google.com/document/d/1oY53dQ0pOPEbEvIvQ3TvHcFKClkimlF9AtN89EPiVJU/edit#)
- [Adding OSS license declarations to Bazel](https://docs.google.com/document/d/1XszGbpMYNHk_FGRxKJ9IXW10KxMPdQpF5wWbZFpA4C8/edit#heading=h.5mcn15i0e1ch)