Des Moines, IA - https://matt.travi.org - @matt.travi.org
Highlights
Supply Chain
Supply-chain Levels for Software Artifacts
Utility for bulk image, license, package, and vulnerability discovery in containerized workloads on GCP. Includes a CLI and a service with custom metrics and BigQuery data exports.
Generate a score for your SBOM to understand whether it will actually be useful.
A TypeScript library for creating dependency snapshots.
Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
A suite of tools to automate software compliance checks.
The SBOM tool is a highly scalable, enterprise-ready tool to create SPDX 2.2-compatible SBOMs for a wide variety of artifacts.
GitHub CLI extension for generating a report on repository dependencies.
GitHub Advanced Security Policy as Code
Verify provenance from SLSA-compliant builders
GUAC aggregates software security metadata into a high-fidelity graph database.
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in re…
A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
An SBOM query language and associated utilities
Scans Software Bill of Materials (SBOMs) for security vulnerabilities
A draft standard for communicating a cryptographic record of build inputs for software artifacts.
Action for generating SBOM attestations for workflow artifacts
Create SBOMs in CycloneDX format for your Vite or Rollup projects with ease
This is the GitHub repo of the OpenChain SBOM Study Group
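Two of the entries above, the SBOM scoring tool and the SBOM vulnerability scanner, only make sense together: a scanner can only match a component against a vulnerability database if the SBOM records an identifier such as a package URL (purl), and a "score" is essentially a count of how many components carry the fields a downstream consumer needs. The block below is an added illustration of that idea, written for this page; it is not code from any of the listed projects. It parses a CycloneDX JSON document (the `purl`, `hashes`, `licenses` and `metadata.component` fields are standard CycloneDX component fields), scores it against a rubric chosen here for illustration, and lists the components a scanner could not look up. The sample document is constructed inline.

```python
import json

# Constructed CycloneDX 1.5 document: sample input for this example, not a real project's SBOM.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        # fully described: identifier, version, integrity hash, license
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        # identifiable, but no hash to verify against and no license to check
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # a bare name: no version, no purl, so no vulnerability lookup is possible
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Rubric used by this example (an assumption, not a published standard): each component
# is expected to carry these four fields.
CHECKS = ("purl", "version", "hashes", "licenses")


def load_sbom(text):
    """Parse a CycloneDX JSON document, rejecting anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def component_missing(component):
    """Return the names of the rubric fields a component lacks (empty values count as missing)."""
    return [field for field in CHECKS if not component.get(field)]


def unscannable(sbom):
    """Names of components with no purl: a vulnerability scanner has nothing to match on."""
    return [c.get("name", "<unnamed>") for c in sbom.get("components", []) if not c.get("purl")]


def score_sbom(sbom):
    """Score 0-100 as the share of (component, check) pairs satisfied; also return findings."""
    components = sbom.get("components", [])
    if not components:
        return 0.0, ["no components listed"]
    total = len(components) * len(CHECKS)
    missing = 0
    findings = []
    for c in components:
        gaps = component_missing(c)
        missing += len(gaps)
        if gaps:
            findings.append(f"{c.get('name', '<unnamed>')}: missing {', '.join(gaps)}")
    # An SBOM that does not say which artifact it describes cannot be tied to a release.
    if "component" not in sbom.get("metadata", {}):
        findings.append("metadata.component absent: SBOM does not identify the described artifact")
    return round(100 * (total - missing) / total, 1), findings


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    score, findings = score_sbom(sbom)
    print(f"score: {score}")
    for line in findings:
        print(f"  - {line}")
    print(f"not scannable for vulnerabilities: {unscannable(sbom)}")
```

The score alone is a blunt number; the findings list is what a practitioner acts on. A component with a purl but no hash can be matched to an advisory but cannot be verified as the bytes actually shipped, while a component with neither is invisible to every SBOM scanner in the list above.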