Top 9 software-supply-chain-security Open-Source Projects
- chain-bench
  An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
- malicious-software-packages-dataset
  An open-source dataset of malicious software packages found in the wild, 100% vetted by humans.
Project mention: OpenPubkey: Protocol for leveraging OpenID to bind identities to public keys | news.ycombinator.com | 2024-04-21
Project mention: 'everything' blocks devs from removing their own NPM packages | news.ycombinator.com | 2024-01-04
Yes. https://securitylabs.datadoghq.com/articles/guarddog-identif....
Project mention: Gittuf – a security layer for Git using some concepts introduced by TUF | news.ycombinator.com | 2023-10-24
It's multi-pronged and I imagine adopters may use a subset of features. Broadly, I think folks are going to be interested in a) branch/tag/reference protection rules, b) file protection rules (monorepo or otherwise, though monorepos do pose a very apt use case for gittuf), and c) general key management for those who primarily care about Git signing.
For those who care about a and b, I think the work we want to do to support [in-toto attestations](https://github.com/in-toto/attestation) for [SLSA's upcoming source track](https://github.com/slsa-framework/slsa/issues/956) could be very interesting as well.
Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.
A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!
In addition to this, we've released several open source tools to help protect against supply chain attacks:
1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations
2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)
We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.
https://docs.phylum.io/docs/integrations_overview
It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.
software-supply-chain-security related posts
- OpenPubkey: Protocol for leveraging OpenID to bind identities to public keys
- Ledger's NPM account has been hacked
- Gittuf – a security layer for Git using some concepts introduced by TUF
- 451 PyPI packages install Chrome extensions to steal crypto
- Finding malicious PyPI packages through static code analysis: Meet GuardDog
- CIS Software Supply Chain Security Guide
- CIS Software Supply Chain Security Guide [pdf]
Index
What are some of the best open-source software-supply-chain-security projects? This list will help you:
# | Project | Stars |
---|---|---|
1 | chain-bench | 700 |
2 | openpubkey | 563 |
3 | guarddog | 493 |
4 | attestation | 197 |
5 | birdcage | 173 |
6 | malicious-software-packages-dataset | 104 |
7 | cli | 99 |
8 | community | 46 |
9 | sigstore-the-easy-way | 14 |