Ask HN: Pragmatic way to avoid supply chain attacks as a developer

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    CycloneDX tools offer packages for each and every programming language. [1]

    The Dependency-Track project accumulates all dependency vulnerabilities in a dashboard. [2]

    Container SBOMs can be generated with syft and grype. [3] [4]

    [1] https://github.com/CycloneDX

    [2] https://github.com/DependencyTrack

    [3] https://github.com/anchore/syft

    [4] https://github.com/anchore/grype

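The syft to grype to Dependency-Track chain the comment above sketches, written out as an added example (this is not code from the original post, nor from the anchore or Dependency-Track projects). It assumes syft and grype are on PATH for run_pipeline, that grype's JSON report has the matches/vulnerability/artifact/fix shape it emits today, and that Dependency-Track accepts SBOMs on PUT /api/v1/bom as a base64-encoded document; the embedded report is constructed with placeholder IDs, not real advisories.

```python
import base64
import json
import subprocess
from collections import Counter

# grype severity labels, ranked so a threshold can be compared numerically
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def sbom_command(image: str, sbom_path: str) -> list:
    """argv for syft: catalog the image and write a CycloneDX JSON SBOM to sbom_path."""
    return ["syft", image, "-o", f"cyclonedx-json={sbom_path}"]


def scan_command(sbom_path: str) -> list:
    """argv for grype: match the SBOM against its vulnerability DB, JSON report on stdout."""
    return ["grype", f"sbom:{sbom_path}", "-o", "json"]


def run_pipeline(image: str, sbom_path: str) -> dict:
    """Run syft then grype (both must be installed); return grype's parsed JSON report."""
    subprocess.run(sbom_command(image, sbom_path), check=True)
    proc = subprocess.run(scan_command(sbom_path), check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def evaluate(report: dict, fail_on: str = "high", fixed_only: bool = True) -> dict:
    """Policy gate over a grype JSON report.

    A match blocks the build when its severity is at or above fail_on and, if
    fixed_only is set, an upstream fix exists (unfixed findings are still counted
    per package, but nobody can act on them yet, so they do not block).
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, per_package = [], Counter()
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        package = f"{artifact['name']}@{artifact['version']}"
        per_package[package] += 1
        severity = vuln.get("severity", "unknown").lower()
        fix = vuln.get("fix", {})
        if SEVERITY_RANK.get(severity, -1) < threshold:
            continue
        if fixed_only and fix.get("state") != "fixed":
            continue
        blocking.append({"id": vuln["id"], "package": package,
                         "severity": severity, "fixed_in": fix.get("versions", [])})
    return {"passed": not blocking, "blocking": blocking, "per_package": dict(per_package)}


def dependency_track_request(sbom_bytes: bytes, project_uuid: str, api_key: str) -> dict:
    """Describe the Dependency-Track upload (assumed endpoint: PUT /api/v1/bom, base64 BOM).

    Returned as a dict so it can be inspected offline; send it with any HTTP client.
    """
    return {
        "method": "PUT",
        "path": "/api/v1/bom",
        "headers": {"X-Api-Key": api_key, "Content-Type": "application/json"},
        "body": {"project": project_uuid, "bom": base64.b64encode(sbom_bytes).decode("ascii")},
    }


# Constructed grype-style report with placeholder IDs; these are not real advisories.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["3.0.1"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "3.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "zlib", "version": "1.2.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": ["8.0.1"], "state": "fixed"}},
         "artifact": {"name": "curl", "version": "8.0.0", "type": "deb"}},
    ]
}

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT)
    print("passed" if verdict["passed"] else "BLOCKED", json.dumps(verdict["blocking"], indent=2))
    print(dependency_track_request(b"{}", "00000000-0000-0000-0000-000000000000", "<api-key>")["path"])
```

grype's own `--fail-on` and `--only-fixed` flags cover the plain threshold case; keeping the gate in a script is useful when the same run must also produce the per-package summary and the dashboard upload, so the policy lives in one place.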
  2. grype

    A vulnerability scanner for container images and filesystems

  3. l7-devenv

    Secure terminal-based IDE for local JS development

    A defense-in-depth approach with a special eye to compartmentalization/separation/sandboxing, coupled with the principle of least privilege, is a good stance to take, I think. Also keep in mind that "security is a process, not a product". There is no silver bullet; no tool will save you from yourself...

    With this in mind:

    - https://qubes-os.org - Use separate VMs for separate domains. Use disposable VMs for temporary sessions.

    - https://github.com/legobeat/l7-devenv - My project. Separate containers for IDE and (ephemeral) code-under-test. Separation of authentication token. Feedback very welcome!
