Projects in Awesome Lists tagged with software-composition-analysis
A curated list of projects in awesome lists tagged with software-composition-analysis.
https://github.com/jeremylong/dependencycheck
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
ant-task build-tool gradle-plugin jenkins-plugin maven-plugin security security-audit software-composition-analysis vulnerability-detection
Last synced: 02 Nov 2025
https://retirejs.github.io/retire.js/
Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
build-tool chrome-extension firefox-extension grunt-plugins insecure-libraries javascript sbom sbom-generator sbom-tool scanner security software-composition-analysis vulnerabilities vulnerable-libraries
Last synced: 21 Nov 2025
https://github.com/retirejs/retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
build-tool chrome-extension firefox-extension grunt-plugins insecure-libraries javascript sbom sbom-generator sbom-tool scanner security software-composition-analysis vulnerabilities vulnerable-libraries
Last synced: 18 Jan 2026
https://github.com/dependencytrack/dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
appsec bill-of-materials bom component-analysis cyclonedx devsecops hacktoberfest nvd ossindex owasp package-url purl sbom sca security security-automation software-composition-analysis software-security vulnerabilities vulnerability-detection
Last synced: 13 May 2025
https://github.com/aboutcode-org/scancode-toolkit
:mag: ScanCode detects licenses, copyrights, and dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
copyright copyright-scan cyclonedx dependencies dependency-graph license license-checking license-scan licensing open-source-licensing oss-compliance package-url packages provenance purl sbom sca software-composition-analysis spdx spdx-licenses
Last synced: 11 May 2025
https://github.com/murphysecurity/murphysec
An open source tool focused on software supply chain security. MurphySec focuses on software supply chain security, offering professional software composition analysis (SCA), vulnerability detection, and a professional vulnerability database.
codescan dependency sca scanner security software-composition-analysis software-supply-chain vulnerability-detection
Last synced: 14 May 2025
https://github.com/lunasec-io/lunasec
LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
compliance continuous-delivery cve-scanning cybersecurity dependency-analysis devsecops gdpr log4shell pci-dss sbom sbom-generator scanning scanning-tool security security-tools soc2 software-composition-analysis tokenization web-security zero-trust
Last synced: 15 May 2025
https://github.com/xmirrorsecurity/opensca-cli
OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance, with accuracy widely recognized by the community.
cyclonedx devsecops license-compliance sbom sca security software-bill-of-materials software-composition-analysis software-supply-chain software-supply-chain-security spdx static-analysis swid vulnerabilities
Last synced: 14 May 2025
https://github.com/tern-tools/tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
compliance containers dependencies docker metadata-extraction open-source oss-compliance python risk-management sbom software-composition-analysis spdx supply-chain-security tool
Last synced: 15 May 2025
https://github.com/safedep/vet
Protect against malicious open source packages 🤖
devsecops golang hacktoberfest npm policy-as-code pypi rubygems security software-composition-analysis static-analysis supply-chain-security
Last synced: 09 Feb 2026
https://github.com/microsoft/component-detection
Scans your project to determine what components you use
dependencies package-management sbom software-bill-of-materials software-composition-analysis static-analysis
Last synced: 11 Feb 2026
https://github.com/albuch/sbt-dependency-check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:
appsec cve devops devsecops infosec nvd owasp owasp-dependencycheck sbt sbt-plugin scala security security-audit security-automation software-composition-analysis software-security static-analysis vulnerabilities vulnerability-scanners
Last synced: 12 Jan 2026
https://github.com/stevespringett/nist-data-mirror
A simple Java command-line utility to mirror the CVE JSON data from NIST.
appsec cpe cve java nist nvd sca software-composition-analysis software-security
Last synced: 14 Jan 2026
https://github.com/aboutcode-org/scancode.io
ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
cyclonedx docker foss-compliance license open-source package-url purl sca scancode software-composition-analysis spdx virtual-machine vulnerabilities
Last synced: 15 Jan 2026
https://github.com/scanoss/sbom-workbench
The SCANOSS SBOM Workbench graphical user interface to scan and audit your source code.
license open-source sbom sbom-generator software-composition-analysis
Last synced: 16 Jan 2026
https://github.com/ozontech/dtrack-audit
OWASP Dependency-Track API client for integration into CI/CD pipelines
component-analysis security security-tools software-composition-analysis
Last synced: 10 Aug 2025
https://github.com/jhermann/dependency-check-py
:closed_lock_with_key: Shim to easily install OWASP dependency-check-cli into Python projects
cli-utility cve-scanning dependency-analysis owasp python security security-audit software-composition-analysis software-supply-chain vulnerability-detection
Last synced: 14 Apr 2025
https://github.com/stevespringett/vulndb-data-mirror
A simple Java command-line utility to mirror the entire contents of VulnDB.
appsec cve java sca software-composition-analysis software-security vulndb
Last synced: 21 Aug 2025
https://github.com/llnl/surfactant
Modular framework for file information extraction and dependency analysis to generate accurate SBOMs
cyclonedx dependencies dependency-analysis dependency-graph hacktoberfest python python3 sbom sbom-generator software-bill-of-materials software-composition-analysis spdx static-analysis tool
Last synced: 06 Apr 2025
https://github.com/securestackco/actions-code
A GitHub Action for using SecureStack to analyse a repository codebase for vulnerabilities in library dependencies (software composition analysis).
deployment deployment-automation deployment-pipeline devsecops github-actions security security-automation security-tools software-composition-analysis vulnerability-detection vulnerability-scanner
Last synced: 30 Jul 2025
https://github.com/securestackco/actions-all-in-one
All of our GitHub Actions rolled into one. Or as we like to say: One GitHub Action to rule them all!
deployment-pipeline devsecops devsecops-best-practices devsecops-pipeline github-actions secret-scanning security-automation software-composition-analysis vulnerability-detection vulnerability-scanner vulnerability-scanning web-vulnerability-scanner
Last synced: 30 Jul 2025
https://github.com/ozonru/cyclonedx-go
Creates a CycloneDX Software Bill of Materials (SBOM) from Go projects, so you can use it with Dependency-Track to monitor security issues in third-party modules.
bill-of-materials bom component-analysis cyclonedx sbom security security-tools software-composition-analysis
Last synced: 17 Jan 2026
https://github.com/securestackco/actions-exposure
A GitHub Action that scans your public web applications after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.
actions cloud-security cloud-security-posture-management deployment deployment-automation deployment-pipeline dynamic-analysis github-actions secrets-detection security software-composition-analysis vulnerability-detection vulnerability-scanning web-application web-vulnerability web-vulnerability-scanner
Last synced: 07 Aug 2025
https://github.com/securestackco/actions-log4j
A GitHub Action that scans your public web applications for log4j vulnerabilities after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.
devsecops github-actions java java-vulnerability java8 jre log4j log4j-rce log4j2 log4js log4shell scanning security security-automation security-tools software-composition-analysis static-analysis vulnerabilities vulnerability-assessment vulnerability-scanner
Last synced: 30 Jul 2025
https://github.com/fabasoad/pre-commit-snyk
pre-commit hooks to run snyk
appsec pre-commit pre-commit-hook sast sca security snyk software-composition-analysis
Last synced: 26 Jan 2026
https://github.com/safedep/vet-action
GitHub Action for policy driven vetting of open source dependencies
devsecops policy-as-code software-composition-analysis supply-chain-security
Last synced: 02 Feb 2026
https://github.com/nmoncho/sbt-dependency-check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs).
appsec cve devops infosec nvd owasp owasp-dependencycheck sbt sbt-plugin scala security security-audit security-automation software-composition-analysis software-security static-analysis vulnerabilities vulnerability-scanners
Last synced: 11 Jul 2025
https://github.com/blackducksoftware/kubectl-bd-xray
kubectl plugin scanning docker images for open source security and license compliance using Black Duck by Synopsys
docker helm image kubectl-plugin software-composition-analysis yaml
Last synced: 10 Apr 2025
https://github.com/fdl66/Golang_SCA
Golang SCA (Software Composition Analysis): by analyzing your go.mod file, it helps you discover whether the dependency libraries of your Golang project contain known vulnerabilities.
codescan golang software-composition-analysis vulnerability-scanners
Last synced: 12 Jul 2025
https://github.com/xmirrorsecurity/opensca-scan-action
Integrate OpenSCA-cli into your GitHub Action to assess the supply chain risks associated with your application.
code-analysis software-composition-analysis supply-chain-security
Last synced: 03 Mar 2025
https://github.com/eclipse-apoapsis/guidance
The guidance for the Open Source Component Management process consists of a generic architecture description, usage blueprints, a concept of the abstraction layer and a collection of use cases. It enables you to quickly match your organization's needs with available solutions and jump-start your process definition by providing templates.
compliance ospo oss-compliance sbom sca software-composition-analysis spdx
Last synced: 26 Feb 2026
https://github.com/jeremylong/DependencyCheck
The dependency-check repository has moved:
ant-task build-tool gradle-plugin jenkins-plugin maven-plugin security security-audit software-composition-analysis vulnerability-detection
Last synced: 14 Mar 2025
https://github.com/fabasoad/pre-commit-vulncheck
pre-commit hooks to run vulncheck
appsec pre-commit pre-commit-hook sast sca security software-composition-analysis vulncheck
Last synced: 26 Jan 2026
https://github.com/scanoss/scanoss.java
SCANOSS Java package providing a simple, easy to consume library for interacting with SCANOSS APIs.
Last synced: 11 Jan 2026
https://github.com/fabasoad/reusable-workflows
Collection of reusable workflows
appsec ci ci-cd cicd dast github-actions github-workflows labels lint pre-commit sast security software-composition-analysis
Last synced: 10 Apr 2025
https://github.com/fabasoad/pre-commit-grype
pre-commit hooks to run grype
appsec grype pre-commit pre-commit-hook sast sca security software-composition-analysis
Last synced: 22 Jul 2025
https://github.com/githubfoam/gradle-pipeline
gradle pipeline
blackduck checkstyle code-coverage codecov coveralls findbugs gradle jacoco junit pipeline pmd sast sdkman software-composition-analysis sonarqube static-analysis static-application-security-testing
Last synced: 30 Mar 2025
https://github.com/datadog/dd-dependency-sniffer
The Datadog Dependency Sniffer is a tool designed to scan and analyze the dependencies of a project, identifying the actual location of specific dependencies.
datadog dependencies software-composition-analysis
Last synced: 27 Aug 2025
https://github.com/sonatype-nexus-community/ossindex-python
Python library for querying OSS Index
ossindex software-composition-analysis vulnerabilities
Last synced: 07 May 2025
https://github.com/izziiyt/compaa
component activity analyzer
security software-composition-analysis
Last synced: 15 Mar 2025
https://github.com/safedep/vetpkg.dev
Open Source Component Security Dashboard
analytics security software-composition-analysis supply-chain-security
Last synced: 12 Jan 2026
https://github.com/t7dela/shadowtool
This script is designed to automatically generate seed phrases and check balances for Tron networks. If a wallet with a non-zero balance is found, the wallet's information (address, mnemonic, private key, and balances) is logged and saved to a file named result.txt.
automation code-analysis code-quality code-review continuous-integration development devops dynamic-analysis github opensource quality-assurance scanning security shadowtool software software-composition-analysis static-analysis testing tool vulnerability
Last synced: 10 Apr 2025
https://github.com/githubfoam/blackduck-findbugs-gradle-githubactions
blackduck findbugs gradle githubactions
blackduck devsecops findbugs githubactions gradle license-compliance-risk software-composition-analysis static-analysis
Last synced: 30 Mar 2025
https://github.com/030/nononsec
No-nonsense security (NoNonSec). Ignored today, exploited tomorrow.
package-inventory sbom security-reporting software-composition-analysis vulnerability-management
Last synced: 06 Aug 2025