SBOM Quality Score
zarf
| | SBOM Quality Score | zarf |
|---|---|---|
| | 2 | 6 |
| Stars | 133 | 1,204 |
| Growth | 5.3% | 18.2% |
| Activity | 8.2 | 9.5 |
| Last commit | 19 days ago | 5 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
SBOM Quality Score
How good is the SBOM that was generated for your product.
GitHub: https://github.com/interlynk-io/sbomqs
- sbomqs, an open source tool to quality check your SBOMs
  When putting together a previous post on how to use open source tools to create a software bill of materials (SBOM), Ritesh Noronha alerted me to another project, sbomqs, which aims to simplify the evaluation of SBOM quality for both producers and consumers. A quality SBOM is one that is accurate, complete, and up-to-date. It should accurately reflect the components and dependencies used in the software application, including their version and optionally any known vulnerabilities. In addition, it should be easily accessible and understandable by stakeholders, such as developers, security teams, and compliance officers. I guess these are some of the heuristics used.
zarf
- Zarf: K8s in Airgapped Environments
- Air gapped on prem install - what would you do?
  There is a tool written for this exact scenario! (disclaimer: I am a maintainer) https://github.com/defenseunicorns/zarf . Zarf can create packages out of all of your images, Helm charts, manifests... and deploy that package w/ zero dependencies on the other side (you can even use k3s built into the default init package if you don't have a cluster). The docs do it more justice https://docs.zarf.dev/docs/zarf-overview .
- Zarf – DevSecOps for Air Gap and Limited-Connection Systems
- GitHub - defenseunicorns/zarf: K8s Airgap Buddy
- zarf: K8s Airgap Buddy - Zarf massively simplifies the setup & administration of kubernetes clusters "across the air gap". It provides a static go binary CLI that can pull, package, and install all the things your clusters need to run. It caches downloads (for speed), hashes packages (for security)
- What is the Hardest Environment to Deploy to?
  We're working on https://github.com/defenseunicorns/zarf which can deploy to bare metal and an airgap environment
What are some alternatives?
- in-toto-golang - A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
- helmify - Creates Helm chart from Kubernetes yaml
- chain-bench - An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
- vcluster - vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
- kubeclarity - KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
- Flux - Successor: https://github.com/fluxcd/flux2
- flux2 - Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit.
- helmfile - Declaratively deploy your Kubernetes manifests, Kustomize configs, and Charts as Helm releases. Generate all-in-one manifests for use with ArgoCD.
- sbom-operator - Catalogue all images of a Kubernetes cluster to multiple targets with Syft
- hauler - Airgap Swiss Army Knife
- tekton-tasks-kustomize - Customizing Tekton tasks with kustomize
- imageswap-webhook - Image Swap Mutating Admission Webhook for Kubernetes