Awesome Software Supply Chain Security

Glossary

  • SBOM: Software Bill of Materials
  • SCA: Software Composition Analysis
  • SAST: Static Application Security Testing
  • IAST: Interactive Application Security Testing
  • VCS: Version Control System
  • OSPO: Open Source Program Office
  • CSPM: Cloud Security Posture Management

Landscape

  • OSPO Landscape - The OSPO landscape is intended as a map to explore the OSPO Ecosystem in terms of tooling, adopters and involved communities.

Secret Leakages

  • truffleHog - Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
  • external-secrets - External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
  • Gitleaks - Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
  • SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Software Bill of Materials

  • SPDX - SPDX is an open standard for communicating SBOM information, including provenance, license, security, and other related information.
  • CycloneDX - OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
  • Tern - A software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It's written in Python 3 with a smattering of shell scripts.
  • Syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
  • bom - A utility to generate SPDX-compliant Bill of Materials manifests.
  • ko - Build and deploy Go applications on Kubernetes, with support for generating and uploading SBOMs.
  • sbom-tool - Microsoft's SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
  • spdx-sbom-generator - Supports CI generation of SBOMs via Go tooling.
  • sbom-composer - A tool that takes two or more micro SBOMs and composes them into one distributable SBOM.
  • tejolote - A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
  • KiBoM - Configurable BoM generation tool for KiCad EDA.
  • bomsh - bomsh is a collection of tools to explore the GitBOM idea.
  • sbom-operator - Catalogue all images of a Kubernetes cluster to multiple targets with Syft.

Software Composition Analysis

  • Open Source Insights - Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
  • DependencyTrack - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
  • DependencyCheck - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
  • scancode-toolkit - ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
  • OSS Review Toolkit - The OSS Review Toolkit (ORT) aims to assist with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies.
  • License Finder - LicenseFinder works with package managers to find dependencies, detect the licenses of the packages in them, and compare those licenses against a user-defined list of permitted licenses.
  • go-licenses - Analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
  • Anchore - A vulnerability scanner for container images and filesystems.
  • OpenSCA-Cli - OpenSCA is now capable of parsing configuration files in the listed programming languages and corresponding package managers.
  • MurphySec CLI - MurphySec CLI is used for detecting vulnerable dependencies from the command line, and can also be integrated into your CI/CD pipeline.
  • Gemnasium - Dependency Scanning analyzer that uses the GitLab Advisory Database.
  • reuse-tool - The tool for checking and helping with compliance with the REUSE recommendations.
  • lgtm - A code analysis platform for finding zero-days and preventing critical vulnerabilities.
  • bomber - Scans SBOMs for security vulnerabilities.
  • CVE-2021-44228-Scanner - Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228.
  • osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev

Static Application Security Testing

  • trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
  • Horusec - Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
  • Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
  • Scan - Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and their dependencies.
  • starter-workflows - GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
  • CodeQL - The libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning).
  • DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
  • flawfinder - A static analysis tool for finding vulnerabilities in C/C++ source code.
  • kubectl-kubesec - Security risk analysis for Kubernetes resources.
  • mobsfscan - mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective-C code.
  • njsscan - njsscan is a semantic-aware SAST tool that can find insecure code patterns in your Node.js applications.
  • tfsec - Security scanner for your Terraform code.
  • insider - SAST Engine focused on covering the OWASP Top 10, supporting Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Ful...
  • SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
  • Find Security Bugs - The SpotBugs plugin for security audits of Java web applications and Android applications.
  • go-license-detector - A command-line application and a library, written in Go. It scans the given directory for license files, normalizes and hashes them and outputs all the fuzzy matches with the list of reference texts.
  • askalono - askalono is a library and command-line tool to help detect license texts. It's designed to be fast, accurate, and to support a wide variety of license texts.
  • licensechecker - licensechecker (lc) is a command-line application which scans directories and identifies what software license things are under, producing reports as either SPDX, CSV, JSON, XLSX or CLI tabular output. Dual-licensed under MIT or the UNLICENSE.
  • licensee - A Ruby Gem to detect under what license a project is distributed.
  • licenseclassifier - The license classifier is a library and set of tools that can analyze text to determine what type of license it contains. It searches for license texts in a file and compares them to an archive of known licenses.
  • licensed - A Ruby gem to cache and verify the licenses of dependencies.
  • Tencent Cloud Code Analysis - Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking.

Infrastructure as Code Security

  • kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
  • Checkov - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

Cloud Security Posture Management

  • nuclei - Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, etc.
  • RiskScanner - RiskScanner is an open source multi-cloud security compliance scanning platform. Based on the Cloud Custodian, Prowler and Nuclei engines, it realizes security compliance scanning and vulnerability scanning of mainstream public (and private) cloud resources.
  • DefectDojo - A security orchestration and vulnerability management platform.

Malware Detection

  • ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
  • YARA - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

Container Security Scanners

  • Clair - Vulnerability Static Analysis for Containers.
  • Anchore - A vulnerability scanner for container images and filesystems.
  • Dagda - A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
  • Falco - Open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
  • Aqua Security - Scanner for vulnerabilities in container images, providing vulnerability scanning and management for orchestrators like Kubernetes.
  • Docker Bench - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
  • Harbor - It stores, signs, and scans docker images for vulnerabilities.
  • JFrog Xray - Intelligent Supply Chain Security and Compliance at DevOps Speed.
  • Container Security - Qualys container security is a tool used to discover, track, and continuously protect container environments.
  • Docker Scan - Docker Scan leverages the Snyk engine and is capable of scanning a local Dockerfile, images, and their dependencies to find known vulnerabilities. You can run docker scan from Docker Desktop.

Vulnerabilities Database & Tools

  • National Vulnerability Database - The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
  • NVD Tools - A set of tools to work with the feeds (vulnerabilities, CPE dictionary, etc.) distributed by the National Vulnerability Database (NVD).
  • CVE Details - CVE Details provides an easy-to-use web interface to CVE vulnerability data.
  • Exploit Database Online - The Exploit Database is the most comprehensive collection of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
  • Exploit Database Offline - The official Exploit Database repository.
  • VulnDB Data Mirror - A simple Java command-line utility to mirror the entire contents of VulnDB.
  • NIST Data Mirror - A simple Java command-line utility to mirror the CVE JSON data from NIST.
  • Snyk Vulnerability Database - Snyk Vulnerability Database.
  • Vuldb - Vulnerability database documenting and explaining security vulnerabilities, threats, and exploits since 1970.
  • osv - Open source vulnerability DB and triage service.
  • advisory-database - Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
  • golang/vulndb - The Go Vulnerability Database.
  • pypa/advisory-database - Advisory database for Python packages published on pypi.org.
  • RustSec/advisory-db - Security advisory database for Rust crates published through crates.io.
  • gsd-database - The Global Security Database (GSD) is a new Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space.
  • oss-fuzz-vulns - OSS-Fuzz vulnerabilities for OSV.
  • vuln-list - Collect vulnerability information and save it in a parsable format automatically.
  • CVE PoC - Gather and update all available and newest CVEs with their PoC.
  • CVE List - The CVE Automation Working Group is piloting use of git to share information about public vulnerabilities.
  • cve-ark - All published CVEs and their recent changes, ready to be used by humans and machines.

Artifact Metadata

  • in-toto - An open metadata standard that you can implement in your software's supply chain toolchain.
  • Grafeas - An open-source artifact metadata API that provides a uniform way to audit and govern your software supply chain.
  • tkn-intoto-formatter - A common library to convert any Tekton resource to in-toto attestation format.

Identity Tools

  • Spiffe/Spire - A universal identity control plane for distributed systems.
  • SWID - Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles.
  • purl - A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
  • Grafeas - Grafeas defines an API spec for managing metadata about software resources, such as container images, Virtual Machine (VM) images, JAR files, and scripts.
  • CIRCL hashlookup - CIRCL hash lookup is a public API to look up hash values against a known database of files.
  • Dex - Dex is an identity service that uses OpenID Connect to drive authentication for other apps.

CI/CD

  • Kaniko - Build container images in Kubernetes.
  • BuildKit - Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit.
  • Tektoncd - A cloud-native solution for building CI/CD systems.
  • Reproducible Builds - Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.
  • Argo - Open source tools for Kubernetes to run workflows, manage clusters, and do GitOps right.
  • Jenkins - The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
  • Jenkins X - CI/CD solution for modern cloud applications on Kubernetes.
  • Prow - Prow is a Kubernetes-based CI/CD system. Jobs can be triggered by various types of events and report their status to many different services.
  • jx-git-operator - An operator which polls a git repository for changes and triggers a Kubernetes Job to process the changes in git.
  • Lighthouse - Lighthouse is a lightweight ChatOps-based webhook handler which can trigger Jenkins X Pipelines, Tekton Pipelines or Jenkins Jobs based on webhooks from multiple git providers such as GitHub, GitHub Enterprise, BitBucket Server and GitLab.
  • Starter Workflows - Workflow files for helping people get started with GitHub Actions.
  • ko - Build and deploy Go applications on Kubernetes.

Signing Artefacts

  • cosign - Container Signing, Verification and Storage in an OCI registry.
  • Fulcio - A free Root CA for code signing certs, issuing certificates based on an OIDC email address.
  • GPG - GnuPG is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.
  • python-tuf - Python reference implementation of The Update Framework (TUF).
  • go-tuf - Go implementation of The Update Framework (TUF).
  • - Rust libraries and tools for using and generating TUF repositories.
  • Notation - A project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures.
  • k8s-manifest-sigstore - kubectl plugin for signing Kubernetes manifest YAML files with sigstore.

Framework

  • SLSA - A security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
  • SCIM - The proposed SCIM will be an industry standard specification, easing the path for uniform data flow across globally distributed supply chains.
  • Software Supply Chain Best Practices - CNCF provides a comprehensive software supply chain paper highlighting best practices for high and medium risk environments.
  • Blueprint Secure Software Pipeline - Blueprint for building modern, secure software development pipelines.
  • Witness - Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

Kubernetes Admission Controller

  • Kyverno - A policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
  • Kritis - An open-source solution for securing your software supply chain for Kubernetes applications; it enforces deploy-time security policies using the Grafeas API.
  • Open Policy Agent - Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
  • Ratify - The project provides a framework to integrate scenarios that require verification of reference artifacts and provides a set of interfaces that can be consumed by various systems that can participate in artifact ratification.

Risk Management

  • Scorecard - Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
  • Open Source Project Criticality Score - Gives a criticality score for an open source project.
  • allstar - GitHub App to set and enforce security policies.
  • SSVC - Stakeholder-Specific Vulnerability Categorization.

OCI Image Tools

  • Buildah - A tool that facilitates building OCI images.
  • Skopeo - Work with remote image registries: retrieving information, images, signing content.
  • go-containerregistry - Go library and CLIs for working with container registries.
  • Buildpacks - Providing tooling to transform source code into container images using modular, reusable build functions.

Data Store

  • Trillian - A transparent, highly scalable and cryptographically verifiable data store.
  • Rekor - Software Supply Chain Transparency Log.
  • ORAS - Registries are evolving as generic artifact stores. To enable this goal, the ORAS project provides a way to push and pull OCI Artifacts to and from OCI Registries.

Fuzz Testing

  • OSS-Fuzz - Continuous fuzzing for open source software.

Demo