Top 23 supply-chain Open-Source Projects
- kubeclarity: KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems.
- tensor-house: A collection of reference Jupyter notebooks and demo AI/ML applications for enterprise use cases: marketing, pricing, supply chain, smart manufacturing, and more.
- pip-audit: Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them.
- packj: Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply chain.
- cdxgen: Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to a Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
- witness: Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
- supplychainpy: Supplychainpy is a Python library for supply chain analysis, modelling and simulation. The library assists a workflow that is reliant on Excel and VBA.
- overlay: Overlay is a browser extension helping developers evaluate open source packages before picking them (by os-scar).
- HIRS: Trusted Computing based services supporting TPM provisioning and supply chain validation concepts. #nsacyber
- i-probably-didnt-backdoor-this: A practical experiment on supply-chain security using reproducible builds.
Project mention: Building Secure Docker Images for Production - Best Practices | dev.to | 2023-06-30
In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.
Project mention: Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines | dev.to | 2024-01-18
Next up is making sure none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit invokes the handy tool pip-audit.
Project mention: Obtainium – Get Android App Updates Directly from the Source | news.ycombinator.com | 2023-10-10
There could be asset hashes in sigstore: https://sigstore.dev/
Is there a good way to run native mobile app GUI tests with GitHub Actions?
A VM/container emulator like anbox, waydroid, (or all of ChromeOS Flex in KVM) in a GitHub Action is probably enough to run GUI tests?
"Build your own SLSA 3+ provenance builder on GitHub Actions"
The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.
I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.
Project mention: Malicious libraries can steal all your application secrets in Elixir | news.ycombinator.com | 2023-07-22
I used E in the 90s: http://erights.org/
I haven't kept up with newer systems but I've heard of https://github.com/endojs/endo and just came across http://reports-archive.adm.cs.cmu.edu/anon/home/anon/isr2017... (which says "in the style of the E programming language" -- that's as far as I've read) while looking that up.
WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.
Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.
1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.
Use https://github.com/sandworm-hq/sandworm-audit. If you run it for your app, the deprecated libraries will show up in the list of issues found (contributor).
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05
Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.
We have lots of work to do. https://github.com/in-toto/witness
Full disclosure: I am a member of the steering committee for in-toto and the CEO of TestifySec, which is the main contributor to Witness.
It's worth checking out what stacklok.com are up to.
startup founded by the creator of sigstore and a co-founder of kubernetes. They are building a supply chain platform called https://github.com/stacklok/minder
It seems early in and mostly focused on GitHub right now, but I spoke to one of the engineers on the project and they are extending out to other integrations and have sigstore attestation policy available, albeit an early iteration
Project mention: [ANNOUNCEMENT] The new OriginTrail ecosystem website is now live! | /r/OriginTrail | 2023-06-28
👉 https://origintrail.io/
Project mention: Can rustc generate identical binaries, with the same hash, from the same source code? | /r/rust | 2023-06-25
It's well explored for Linux (I wrote documentation for this in the past: https://github.com/kpcyrd/i-probably-didnt-backdoor-this)
supply-chain related posts
- Software Supply Chain Security
- UEFI Software Bill of Materials Proposal
- We've learned nothing from the SolarWinds hack
- Show HN: One makefile to rule them all
- Obtainium – Get Android App Updates Directly from the Source
- A Study of Malicious Code in PyPI Ecosystem
- Rust Malware Staged on Crates.io
A note from our sponsor - InfluxDB (www.influxdata.com) | 5 May 2024
Index
What are some of the best open-source supply-chain projects? This list will help you:
# | Project | Stars
---|---|---
1 | kubeclarity | 1,261
2 | tensor-house | 1,163
3 | pip-audit | 920
4 | rekor | 830
5 | in-toto | 831
6 | SES-shim | 736
7 | packj | 615
8 | go-tuf | 597
9 | sandworm-audit | 463
10 | bomber | 454
11 | cdxgen | 453
12 | witness | 359
13 | or-gym | 355
14 | rebuilderd | 344
15 | supplychainpy | 270
16 | sandworm-guard-js | 248
17 | sigstore-python | 211
18 | overlay | 209
19 | minder | 192
20 | ot-node | 180
21 | fosslight | 171
22 | HIRS | 168
23 | i-probably-didnt-backdoor-this | 148