Top 8 software-supply-chain Open-Source Projects

chain-bench

3 700 5.1 Go

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
SBOM Quality Score

2 133 8.2 Go

SBOM quality score - Quality metrics for your sboms
InfluxDB

www.influxdata.com featured

Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
in-toto-golang

0 114 8.3 Go

A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
maloss

3 106 0.0 Java

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
cli

12 99 9.2 Rust

Command line interface for the Phylum API (by phylum-dev)

Project mention: Ledger's NPM account has been hacked | news.ycombinator.com | 2023-12-14

Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.
A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!
In addition to this, we've released several open source tools to help protect against supply chain attacks:
1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations
2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)
We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.
https://docs.phylum.io/docs/integrations_overview
It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.

slsa-provenance-action

1 45 8.3 Go

Github Action implementation of SLSA Provenance Generation
community

1 46 3.0

in-toto is a framework to secure the software supply chain. (by in-toto)
SaaSHub

www.saashub.com featured

SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
changelog-focus

3 0 7.4 TypeScript

Dev tool to aggregate and focus on the changelog relevant to your codebase

Project mention: Changelog Focus: Aggregate and focus on the changelog relevant to you | /r/reactjs | 2023-09-12

Live: https://changelogfocus.dhruvmisra.com

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020).

software-supply-chain related posts

How good is the sbom that was generated for your product.

1 project | /r/devsecops | 16 Feb 2023
CIS Software Supply Chain Security Guide

1 project | /r/CKsTechNews | 19 Jul 2022
CIS Software Supply Chain Security Guide [pdf]

1 project | news.ycombinator.com | 18 Jul 2022