supply-chain

Top 23 supply-chain Open-Source Projects

  • kubeclarity

    KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems

  • Project mention: Building Secure Docker Images for Production - Best Practices | dev.to | 2023-06-30

    In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.

  • tensor-house

    A collection of reference Jupyter notebooks and demo AI/ML applications for enterprise use cases: marketing, pricing, supply chain, smart manufacturing, and more.

  • pip-audit

    Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them

  • Project mention: Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines | dev.to | 2024-01-18

    Next up is making sure none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit invokes the handy tool pip-audit.

  • rekor

    Software Supply Chain Transparency Log

  • Project mention: Obtainium – Get Android App Updates Directly from the Source | news.ycombinator.com | 2023-10-10

    There could be asset hashes in sigstore: https://sigstore.dev/

    Is there a good way to run native mobile app GUI tests with GitHub Actions?

    A VM/container emulator like anbox, waydroid, (or all of ChromeOS Flex in KVM) in a GitHub Action is probably enough to run GUI tests?

    "Build your own SLSA 3+ provenance builder on GitHub Actions"
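Rekor's value to a verifier comes from the transparency-log property: an entry's presence can be proved against a tree head the log has committed to, and the log cannot later drop or rewrite the entry without those proofs breaking. As an added illustration (not Rekor's own code, and needing no network access), the Python below implements the RFC 6962 Merkle-tree hashing that Certificate Transparency uses and that Rekor's Trillian-backed tree follows, builds a five-entry log from constructed records, generates an inclusion proof for one entry and verifies it with the RFC 9162 procedure. The entry bodies and the tree are constructed for the example; a real Rekor client additionally checks the log's signature over the checkpoint (signed tree head) and the signature carried inside the entry.

```python
import hashlib

# RFC 6962 domain separation: a leaf is hashed with prefix 0x00 and an
# interior node with 0x01, so a forged "leaf" can never masquerade as a node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962 MTH."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(entries: list[bytes]) -> bytes:
    """Merkle tree head MTH(D[n]) over the ordered log entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))


def inclusion_proof(entries: list[bytes], index: int) -> list[bytes]:
    """Audit path PATH(m, D[n]): sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [root_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [root_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 inclusion-proof verification: rebuild the root from leaf + path."""
    if index >= tree_size:
        return False
    h = leaf_hash(entry)
    fn, sn = index, tree_size - 1
    for sibling in proof:
        if sn == 0:
            return False  # the path is longer than a tree of this size allows
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)  # sibling sits to our left
            if not fn & 1:
                # we were the rightmost node of an incomplete subtree: climb
                # until we are at an odd position (or the root)
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            h = node_hash(h, sibling)  # sibling sits to our right
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == root


# Constructed log entries; in Rekor each entry is a canonicalised record such
# as a hashedrekord (artifact digest, signature, signing certificate).
LOG = [f'{{"artifact":"sha256:{i:064x}","sig":"constructed-{i}"}}'.encode()
       for i in range(5)]


def check_entry(index: int, entry: bytes = None) -> bool:
    """Prove that `entry` (default: the genuine one) sits at `index` in LOG."""
    entry = LOG[index] if entry is None else entry
    proof = inclusion_proof(LOG, index)
    return verify_inclusion(entry, index, len(LOG), proof, root_hash(LOG))
```

The proof for a five-entry log is three hashes; the verifier never sees the other entries, which is what makes monitoring a large log practical. A tampered entry body, or a proof presented for the wrong index, fails to reconstruct the root.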

  • in-toto

    in-toto is a framework to protect supply chain integrity.

  • Project mention: UEFI Software Bill of Materials Proposal | news.ycombinator.com | 2023-11-14

    The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.

    I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.
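in-toto's integrity guarantee is that every step of a pipeline leaves a signed link recording the hashes of its inputs (materials) and outputs (products), and that a layout's artifact rules tie step N's materials to step N-1's products. The following Python is an added, deliberately simplified re-implementation of that check, not in-toto's own code or file format: links are authenticated with HMAC stand-ins instead of the asymmetric keys in-toto uses, the rule set is reduced to MATCH, CREATE, ALLOW and DISALLOW, and the layout, keys and artifacts are all constructed. It shows a binary substituted between the build and package steps being caught by a MATCH rule, and a link signed by an unauthorised key being rejected.

```python
import hashlib
import hmac
import json

# Constructed functionary keys. Real in-toto links are signed with asymmetric
# keys (e.g. ed25519); an HMAC stands in here so the block runs offline.
KEYS = {"alice": b"constructed-build-key", "bob": b"constructed-package-key"}

# Constructed layout: who may perform each step, and which artifact rules its
# recorded materials (inputs) and products (outputs) must satisfy, in order.
LAYOUT = {
    "steps": [
        {"name": "build", "functionary": "alice",
         "materials": [("ALLOW", "main.c"), ("DISALLOW", "*")],
         "products": [("CREATE", "app.bin"), ("DISALLOW", "*")]},
        {"name": "package", "functionary": "bob",
         "materials": [("MATCH", "app.bin", "build"), ("DISALLOW", "*")],
         "products": [("CREATE", "app.tar"), ("DISALLOW", "*")]},
    ]
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_link(step: str, key: bytes, materials: dict, products: dict) -> dict:
    """A functionary records hashes of what the step consumed and produced."""
    body = {
        "step": step,
        "materials": {n: _digest(d) for n, d in materials.items()},
        "products": {n: _digest(d) for n, d in products.items()},
    }
    return {"body": body, "sig": _mac(key, body)}


def check_rules(step, kind, rules, artifacts, links_by_step) -> list:
    """Apply rules in order; each rule consumes the artifact it names and
    DISALLOW * rejects whatever is left (simplified in-toto semantics)."""
    errors, consumed = [], set()
    for rule in rules:
        verb, target = rule[0], rule[1]
        if verb == "MATCH":  # ("MATCH", name, source_step)
            src = links_by_step.get(rule[2])
            expected = src["body"]["products"].get(target) if src else None
            if target not in artifacts or artifacts[target] != expected:
                errors.append(f"{step}: {kind} {target} does not MATCH products of {rule[2]}")
            consumed.add(target)
        elif verb in ("CREATE", "ALLOW"):
            if verb == "CREATE" and target not in artifacts:
                errors.append(f"{step}: {kind} did not CREATE {target}")
            consumed.add(target)
        elif verb == "DISALLOW":
            extra = sorted(set(artifacts) - consumed)
            if extra:
                errors.append(f"{step}: {kind} not permitted by any rule: {extra}")
        else:
            raise ValueError(f"unknown rule {rule}")
    return errors


def verify_chain(layout: dict, links: list, keys: dict) -> list:
    """Return [] when every step has an authentic link and all rules hold."""
    by_step = {link["body"]["step"]: link for link in links}
    errors = []
    for step in layout["steps"]:
        name = step["name"]
        link = by_step.get(name)
        if link is None:
            errors.append(f"{name}: no link provided")
            continue
        expected_sig = _mac(keys[step["functionary"]], link["body"])
        if not hmac.compare_digest(expected_sig, link["sig"]):
            errors.append(f"{name}: link not signed by authorised functionary")
            continue
        body = link["body"]
        errors += check_rules(name, "materials", step["materials"], body["materials"], by_step)
        errors += check_rules(name, "products", step["products"], body["products"], by_step)
    return errors


def run_chain(tamper: bool = False, wrong_key: bool = False) -> list:
    """Constructed two-step chain; optionally swap the binary between steps
    or sign the build link with a key the layout does not authorise."""
    source = b"int main(void) { return 0; }"         # constructed
    app_bin = b"\x7fELF constructed build output"     # constructed
    build_key = KEYS["bob"] if wrong_key else KEYS["alice"]
    build = make_link("build", build_key, {"main.c": source}, {"app.bin": app_bin})
    if tamper:
        app_bin = app_bin + b" + implant"  # substituted in transit to packaging
    package = make_link("package", KEYS["bob"], {"app.bin": app_bin},
                        {"app.tar": b"tar:" + app_bin})
    return verify_chain(LAYOUT, [build, package], KEYS)
```

The point the rules make concrete: a scanner looking at the final app.tar sees nothing wrong in the tampered run, because the archive is consistent with its own contents. Only the link from the build step, which recorded a different app.bin hash, exposes the substitution.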

  • SES-shim

    Endo is a distributed secure JavaScript sandbox, based on SES

  • Project mention: Malicious libraries can steal all your application secrets in Elixir | news.ycombinator.com | 2023-07-22

    I used E in the 90s: http://erights.org/

    I haven't kept up with newer systems but I've heard of https://github.com/endojs/endo and just came across http://reports-archive.adm.cs.cmu.edu/anon/home/anon/isr2017... (which says "in the style of the E programming language" -- that's as far as I've read) while looking that up.

    WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.

  • packj

    Packj stops SolarWinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

  • Project mention: Rust Without Crates.io | news.ycombinator.com | 2023-11-14

    Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

    1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

  • go-tuf

    Go implementation of The Update Framework (TUF)

  • sandworm-audit

    Security & License Compliance For Your App's Dependencies 🪱

  • Project mention: Anyone else’s project use so many deprecated packages | /r/node | 2023-06-08

    Use https://github.com/sandworm-hq/sandworm-audit. If you run it for your app, the deprecated libraries will show up in the list of issues found. (contributor)

  • bomber

    Scans Software Bill of Materials (SBOMs) for security vulnerabilities

  • cdxgen

    Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962

  • Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

    Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.
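cdxgen produces the CycloneDX document; a scanner such as bomber then matches each component against advisories. As an added example (not code from either project), the Python below parses a constructed CycloneDX 1.5 JSON document of the shape cdxgen emits, extracts each component's package URL (purl) and checks it against a constructed, OSV-style advisory list with [introduced, fixed) version ranges. Advisory IDs and ranges are placeholders, not real vulnerabilities; the version comparison is numeric-dotted only, not full semver or PEP 440.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 JSON SBOM, trimmed to the fields a scanner needs.
# Packages and versions are sample data chosen to exercise the matcher.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "2.2.1",
     "purl": "pkg:pypi/urllib3@2.2.1"},
    {"type": "library", "group": "@babel", "name": "core", "version": "7.22.0",
     "purl": "pkg:npm/%40babel/core@7.22.0"},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0?repository_url=registry.example"}
  ]
}
"""

# Constructed advisories in an OSV-like shape: affected range is
# [introduced, fixed), keyed by the purl without its version.
# The IDs are placeholders, not real CVEs or OSV entries.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:pypi/requests",
     "introduced": "2.3.0", "fixed": "2.31.0"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:pypi/urllib3",
     "introduced": "1.0", "fixed": "2.0.7"},
    {"id": "EXAMPLE-2024-0003", "package": "pkg:npm/@babel/core",
     "introduced": "7.0.0", "fixed": "7.23.2"},
]


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath (package-url spec)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:]
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    version = ""
    if "@" in rest:  # '@' inside a namespace must be percent-encoded per the spec
        rest, version = rest.rsplit("@", 1)
    parts = [unquote(p) for p in rest.strip("/").split("/")]
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1])
    key = f"pkg:{ptype}/{namespace + '/' if namespace else ''}{name}"
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version), "key": key,
            "qualifiers": qualifiers, "subpath": subpath}


def version_key(version: str) -> tuple:
    """Numeric dotted compare; adequate for the sample data, not semver/PEP 440."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def scan_sbom(sbom_json: str, advisories: list) -> list:
    """Return (purl, advisory id, fixed version) for every affected component."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched reliably
        p = parse_purl(purl)
        for adv in advisories:
            if adv["package"] == p["key"] and in_range(p["version"], adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"], adv["fixed"]))
    return findings
```

Matching on the purl rather than on the bare name is what keeps a PyPI `requests` from colliding with an npm package of the same name, and the percent-decoding step is what makes scoped npm packages such as `@babel/core` line up with advisory identifiers. Real SBOMs also nest components and carry a dependency graph, and bomber consults live vulnerability providers such as OSV rather than a static list.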

  • witness

    Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

  • Project mention: We've learned nothing from the SolarWinds hack | news.ycombinator.com | 2023-11-13

    We have lots of work to do. https://github.com/in-toto/witness

    Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec, which is the main contributor to Witness.

  • or-gym

    Environments for OR and RL Research

  • rebuilderd

    Independent verification of binary packages - reproducible builds

  • supplychainpy

    Supplychainpy is a Python library for supply chain analysis, modelling and simulation. The library assists a workflow that is reliant on Excel and VBA.

  • sandworm-guard-js

    Easy auditing & sandboxing for your JavaScript dependencies 🪱

  • sigstore-python

    A Sigstore client for Python

  • overlay

    Overlay is a browser extension helping developers evaluate open source packages before picking them (by os-scar)

  • minder

    Software Supply Chain Security Platform (by stacklok)

  • Project mention: Software Supply Chain Security | news.ycombinator.com | 2024-04-27

    It's worth checking out what stacklok.com are up to.

    A startup founded by the creator of sigstore and a co-founder of kubernetes. They are building a supply chain platform called https://github.com/stacklok/minder

    It seems early in and mostly focused on GitHub right now, but I spoke to one of the engineers on the project and they are extending out to other integrations and have sigstore attestation policy available, albeit an early iteration

  • ot-node

    OriginTrail Decentralized Knowledge Graph network node

  • Project mention: [ANNOUNCEMENT ] The new OriginTrail ecosystem website is now live! | /r/OriginTrail | 2023-06-28

    👉 https://origintrail.io/

  • fosslight

    FOSSLight Hub : Integrated management web-service for Open Source Compliance Process

  • HIRS

    Trusted Computing based services supporting TPM provisioning and supply chain validation concepts. #nsacyber

  • i-probably-didnt-backdoor-this

    A practical experiment on supply-chain security using reproducible builds

  • Project mention: Can rustc generate identical binaries, with the same hash, from the same source code? | /r/rust | 2023-06-25

    It's well explored for Linux (I wrote documentation for this in the past: https://github.com/kpcyrd/i-probably-didnt-backdoor-this)
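The experiment behind this project is that a reproducible build lets an independent party rebuild a package and obtain a byte-identical artifact, so a backdoor inserted at build time shows up as a digest mismatch between builders. The Python below is an added demonstration of that comparison at the packaging stage (not the project's or rebuilderd's code, and not a Rust build): it packs a constructed file tree twice from two different build timestamps, once with default tar+gzip settings and once with sorted entries, normalised ownership and times, and a pinned gzip header, and compares the SHA-256 digests of the results.

```python
import gzip
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed "build output" tree standing in for a package's install root.
SOURCE = {
    "bin/app": b"#!/bin/sh\necho constructed\n",
    "README": b"constructed release\n",
    "lib/helper.py": b"def f():\n    return 1\n",
}


def _normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip everything that varies between build machines and build times."""
    info.mtime = 0
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
    return info


def _materialise(files: dict, mtime: int) -> str:
    """Write the tree to a fresh temp dir, stamping files with `mtime`."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if rel.startswith("bin/"):
            os.chmod(path, 0o755)
        os.utime(path, (mtime, mtime))
    return root


def build_naive(files: dict, mtime: int) -> bytes:
    """Default tar+gzip: records real mtimes, uid/gid and a gzip timestamp."""
    root = _materialise(files, mtime)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=".")
    shutil.rmtree(root)
    return buf.getvalue()


def build_reproducible(files: dict, mtime: int) -> bytes:
    """Sorted entry order, normalised metadata, gzip header mtime pinned to 0."""
    root = _materialise(files, mtime)
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=0)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(files):
            tar.add(os.path.join(root, rel), arcname=rel,
                    filter=_normalise, recursive=False)
    gz.close()  # tarfile does not close an externally supplied fileobj
    shutil.rmtree(root)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digests(builder, files: dict = SOURCE) -> set:
    """Build twice with different timestamps, as two independent rebuilders
    would, and return the distinct digests (a reproducible build yields one)."""
    return {sha256(builder(files, 1_600_000_000)),
            sha256(builder(files, 1_700_000_000))}
```

The naive build differs on every run even though the file contents are identical, which is exactly the noise that makes "the rebuilder got a different hash" meaningless. Once the archive is deterministic, a differing digest is evidence: either the inputs changed or one of the builders did. Compiler-level determinism (the question the Reddit thread asks about rustc) is the harder half of the same problem.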

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Index

What are some of the best open-source supply-chain projects? This list will help you:

Rank  Project                          Stars
   1  kubeclarity                      1,261
   2  tensor-house                     1,163
   3  pip-audit                          920
   4  rekor                              830
   5  in-toto                            831
   6  SES-shim                           736
   7  packj                              615
   8  go-tuf                             597
   9  sandworm-audit                     463
  10  bomber                             454
  11  cdxgen                             453
  12  witness                            359
  13  or-gym                             355
  14  rebuilderd                         344
  15  supplychainpy                      270
  16  sandworm-guard-js                  248
  17  sigstore-python                    211
  18  overlay                            209
  19  minder                             192
  20  ot-node                            180
  21  fosslight                          171
  22  HIRS                               168
  23  i-probably-didnt-backdoor-this     148
