Creates CycloneDX Software Bill-of-Materials (SBOM) from Go projects. So you can use it with DependencyTrack to monitor security issues in 3rd party modules.

A demonstration of how GoReleaser can help us to make software supply chain more secure by using bunch of tools such as cosign, syft, grype, slsa-provenance

Supply Chain Security does not need to be difficult

fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.

An example project that demonstrates how to automate a release with SBOM generation using Syft

vexctl is a tool to attest VEX impact statements

Tool to inspect and push and SPDX document as an OCI artifact

Inspect and push SBOMs (such as SPDX documents) to an OCI registry as an OCI artifact

Automates creation of Software Bill of Materials (SBOM) with Binary Authorization attestation for container images in Artifact Registry.

A tool for converting YAML configurations into Verified Security Test (VST) code.

Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

An SPDX Querying Binary

Go client library for OWASP Dependency-Track

A Bitbucket Pipe containing a collection of open source tools to perform various types of additional analysis on a CycloneDX or SPDX sBOM (Software Bill of Materials).

Tool for SBOM (Software Bill Of Materials) collection from filesystems & GitHub repositories.

CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.

build-observer is a tool to observe the build process of a project and create a log of all files that are read, written or executed during the build.

Find & pull public SBOMs

SBOM Assembler - A tool to compose your various sboms into a single sbom.