Go supply-chain

Open-source Go projects categorized as supply-chain

Top 9 Go supply-chain Projects

  • kubeclarity

    KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems

  • Project mention: Building Secure Docker Images for Production - Best Practices | dev.to | 2023-06-30

    In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.

  • rekor

    Software Supply Chain Transparency Log

  • Project mention: Obtainium – Get Android App Updates Directly from the Source | news.ycombinator.com | 2023-10-10

    There could be asset hashes in sigstore: https://sigstore.dev/

    Is there a good way to run native mobile app GUI tests with GitHub Actions?

    A VM/container emulator like anbox, waydroid, (or all of ChromeOS Flex in KVM) in a GitHub Action is probably enough to run GUI tests?

    "Build your own SLSA 3+ provenance builder on GitHub Actions"

  • go-tuf

    Go implementation of The Update Framework (TUF)

  • bomber

    Scans Software Bill of Materials (SBOMs) for security vulnerabilities

  • witness

    Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

  • Project mention: We've learned nothing from the SolarWinds hack | news.ycombinator.com | 2023-11-13

    We have lots of work to do. https://github.com/in-toto/witness

    Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec, which is the main contributor to Witness.

  • minder

    Software Supply Chain Security Platform (by stacklok)

  • Project mention: Software Supply Chain Security | news.ycombinator.com | 2024-04-27

    It's worth checking out what stacklok.com are up to.

    startup founded by the creator of sigstore and a co-founder of kubernetes. They are building a supply chain platform called https://github.com/stacklok/minder

    It seems early in and mostly focused on GitHub right now, but I spoke to one of the engineers on the project and they are extending out to other integrations and have sigstore attestation policy available, albeit an early iteration

  • fatbom

    fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.

  • chainmetric-network

    Hyperledger Fabric network for IoT enabled permissioned blockchain with sensor requirements control Smart Contracts

  • chainmetric-iot

    Embedded IoT sensor system for harvesting environment data and publishing it onto the permissioned blockchain network

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Index

What are some of the best open-source supply-chain projects in Go? This list will help you:

Rank  Project              Stars
1     kubeclarity          1,257
2     rekor                832
3     go-tuf               596
4     bomber               453
5     witness              358
6     minder               191
7     fatbom               32
8     chainmetric-network  10
9     chainmetric-iot      8
