Python supply-chain

Open-source Python projects categorized as supply-chain

Top 6 Python supply-chain Projects

  • in-toto

    in-toto is a framework to protect supply chain integrity.

    Project mention: How do you mitigate supply chain attacks? | reddit.com/r/node | 2021-09-12

    But it's not all doom and gloom because the industry is evolving. Companies like Google are formulating tools like scorecard to heuristically reduce risk by encouraging you to rely on trustable dependencies only. There are also more complex tools like in-toto that actually look at the integrity of your supply chain (don't ask me how this one works, I just know that people like it).

  • pip-audit

    Audits Python environments and dependency trees for known vulnerabilities

    Project mention: I think the CTX package on PyPI has been hacked! | reddit.com/r/Python | 2022-05-23

    Checking could be done if something like this eventually shows up in safety or pip-audit.

  • or-gym

    Environments for OR and RL Research

    Project mention: Gym like frameworks for combinatorial optimization on Graphs? | reddit.com/r/reinforcementlearning | 2022-06-15

    How about ORGym: https://github.com/hubbs5/or-gym ?

  • sigstore-python

    A codesigning tool for Python packages

    Project mention: Bundling binary tools in Python wheels | news.ycombinator.com | 2022-06-17

    You're right, both the infrastructure and metadata for cryptographic signatures on Python packages (both wheels and sdists) aren't quite there yet.

    At the moment, we're working towards the "e2e" scheme you've described by adding support for Sigstore[1] certificates and signatures, which will allow any number of identities (including email addresses and individual GitHub release workflows) to sign for packages. The integrity/availability of those signing artifacts will in turn be enforced through TUF, like you mentioned.

    You can follow some of the related Sigstore-in-Python work here[2], and the ongoing Warehouse (PyPI) TUF work here[3]. We're also working on adding OpenID Connect token consumption[4] to Warehouse itself, meaning that you'll be able to bootstrap from a trusted GitHub workflow to a PyPI release token without needing to share any secrets.

    [1]: https://www.sigstore.dev/

    [2]: https://github.com/sigstore/sigstore-python

    [3]: https://github.com/pypa/warehouse/pull/10870

    [4]: https://github.com/pypa/warehouse/pull/11272

  • ochrona-cli

    A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs

    Project mention: ochrona-cli: CLI to detect vulnerabilities in Python dependencies 🤨 | reddit.com/r/u_esgeeks | 2021-10-25

  • chainjacking

    Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-06-17.

Python supply-chain related posts

Index

What are some of the best open-source supply-chain projects in Python? This list will help you:

Rank  Project          Stars
1     in-toto          590
2     pip-audit        555
3     or-gym           206
4     sigstore-python   68
5     ochrona-cli       44
6     chainjacking      24