Supply-chain Levels for Software Artifacts
Translation - Supply-chain Levels for Software Artifacts
GUAC aggregates software security metadata into a high fidelity graph database.
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-...
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-...
Packj stops ⚡ Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
Evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
Independent verification of binary packages - Reproducible Builds
BLint is a Binary Linter to check the security properties and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
Awesome: A compilation of resources in the software supply chain security domain, with emphasis on open source
Developer-centric tool to secure your software supply chain.
Policy driven vetting of open source packages with malicious code analysis
Orchestrate GitHub Actions Security
boostsecurityio/poutine
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
SBOM quality score - Quality metrics for your SBOMs