Tool to achieve policy driven vetting of open source dependencies
Updated Oct 19, 2024 - Go
GUAC aggregates software security metadata into a high fidelity graph database.
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
SBOM quality score - Quality metrics for your sboms
Frizbee Action helps you pin your GitHub Actions and container images to specific versions using checksums.
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
Developer-centric tool to secure your software supply chain.
boostsecurityio/poutine
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Orchestrate GitHub Actions Security
A Bitbucket Pipe containing a collection of open source tools to perform various types of additional analysis on a CycloneDX or SPDX SBOM (Software Bill of Materials).
Sample Go application project with supply chain security workflows that conform to the SLSA Build Level 3 specification
🛠️📊🤖 Fake GitHub Activity Generator
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
Pin your third-party GitHub Actions and Docker image dependencies.
The Cartographer CLI offers a convenient way to manage a Cartographer installation and related workflows.
Red team tool that emulates the SolarWinds CI compromise attack vector.
Go API client for osv.dev