Supply-chain Levels for Software Artifacts

GUAC aggregates software security metadata into a high fidelity graph database.

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets

Packj stops ⚡ Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners

Independent verification of binary packages - reproducible builds

Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.

A compilation of resources in the software supply chain security domain, with emphasis on open source

Orchestrate GitHub Actions Security

Docker Scout CLI

JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.

Catalogue all images of a Kubernetes cluster to multiple targets with Syft

Tool to achieve policy driven vetting of open source dependencies

Small tool to inform you about potential risks in project dependencies list

SBOM quality score - Quality metrics for your sboms

List your dependencies capabilities and monitor if updates require more capabilities.

boostsecurityio/poutine

Signing-key abuse and update exploitation framework