supply-chain-security

Open-source projects categorized as supply-chain-security

Top 22 supply-chain-security Open-Source Projects

  • slsa

    Supply-chain Levels for Software Artifacts

  • Project mention: SLSA – Supply-Chain Levels for Software Artifacts | news.ycombinator.com | 2024-04-02
  • tern

    Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)

  • legitify

    Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets

  • Project mention: GitHub - Legit-Labs/legitify: Detect and remediate misconfigurations and security risks across all your GitHub GitLab assets. Version 1.0 is out, check out the new enterprise-level policies. | /r/netsec | 2023-08-04
  • dep-scan

    OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

  • Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

    Depscan v5 is the first open-source SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.

  • packj

    Packj stops SolarWinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

  • Project mention: Rust Without Crates.io | news.ycombinator.com | 2023-11-14

    Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

    1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

  • harden-runner

    Network egress filtering and runtime security for GitHub-hosted and self-hosted runners

  • rebuilderd

    Independent verification of binary packages - reproducible builds

  • chainloop

    Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.

  • Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
  • secure-repo

    Orchestrate GitHub Actions Security

  • scout-cli

    Docker Scout CLI

  • Project mention: Distroless images using melange and apko | dev.to | 2023-12-22

    Using Docker Scout:

  • js-x-ray

    JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.

  • sbom-operator

    Catalogue all images of a Kubernetes cluster to multiple targets with Syft

  • vet

    Tool to achieve policy driven vetting of open source dependencies

  • Project mention: Show HN: Vet now supports detecting malicious packages | news.ycombinator.com | 2023-12-31
  • sdc-check

    Small tool to inform you about potential risks in project dependencies list

  • SBOM Quality Score

    SBOM quality score - Quality metrics for your sboms

  • sh4d0wup

    Signing-key abuse and update exploitation framework

  • pacman-bintrans

    Experimental binary transparency for pacman with sigstore and rekor

  • chainalert-github-action

    Scans popular packages and alerts when there is suspicion of an account takeover

  • solarsploit

    Red team tool that emulates the SolarWinds CI compromise attack vector.

  • bytesafe-ce

    Bytesafe Community Edition is a security platform that protects organizations from open source software supply chain attacks.

  • Project mention: Bytesafe Community Edition | /r/csharp | 2023-05-17

    For more information: https://bytesafe.dev/posts/bytesafe-community-edition/ or view it on GitHub: https://github.com/bitfront-se/bytesafe-ce

  • packj-github-action

    Packj audits pull requests for malicious/risky open-source deps

  • Project mention: The Bogus CVE Problem | news.ycombinator.com | 2023-09-21

    2. https://github.com/ossillate-inc/packj-github-action

  • Azure-DevOps-Server-segmentation-cheat-sheet

    Azure DevOps Server development system segmentation best practices

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).
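Several entries above (tern, dep-scan, vet, SBOM Quality Score) revolve around the same basic operation: take an SBOM of a container or project, match each component against an advisory feed, and apply a license policy. The block below is an added example of that core check, written for this page; it is not code from dep-scan, Tern or any other project listed here. The SPDX 2.3 JSON document, the advisory entries (with EXAMPLE-ADV-* identifiers), the package names and the license deny-list are all constructed for illustration, and only the Python standard library is used.

```python
"""Minimal SCA-style audit over an SPDX 2.3 JSON SBOM (stdlib only).

Added example for this page; not code from dep-scan, Tern, vet or any
project listed above. The SBOM, advisories and deny-list are constructed.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM in the SPDX 2.3 JSON shape that SBOM generators emit.
# Package names and versions are fictional.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-1", "name": "libfoo", "versionInfo": "1.4.2",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-pkg-2", "name": "libbar", "versionInfo": "2.17.1",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-pkg-3", "name": "libbaz", "versionInfo": "0.9.0",
         "licenseConcluded": "AGPL-3.0-only"},
        # A package the generator could not resolve: NOASSERTION is legal SPDX
        # but makes the entry un-auditable, so it must be surfaced, not skipped.
        {"SPDXID": "SPDXRef-pkg-4", "name": "libqux", "versionInfo": "NOASSERTION",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed advisory feed with hypothetical identifiers: affected range is
# introduced <= version < fixed, the convention used by OSV-style feeds.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-ADV-0002", "package": "libbar", "introduced": "2.0.0", "fixed": "2.17.1"},
]

# Constructed license policy: licenses an organisation may refuse to ship.
DENIED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later"}


@dataclass(frozen=True)
class Finding:
    kind: str       # "vulnerable", "license" or "unknown"
    package: str
    version: str
    detail: str


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); None for NOASSERTION/NONE or non-numeric input."""
    if text in ("NOASSERTION", "NONE", ""):
        return None
    parts = text.split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        return None
    return tuple(int(p) for p in parts)


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed; tuples are padded so 1.4 == 1.4.0."""
    width = max(len(version), len(introduced), len(fixed))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(introduced) <= pad(version) < pad(fixed)


def audit(sbom_json, advisories=ADVISORIES, denied_licenses=DENIED_LICENSES):
    """Return findings for every package in the SBOM, in document order."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "")
        raw_version = pkg.get("versionInfo", "NOASSERTION")
        version = parse_version(raw_version)
        license_id = pkg.get("licenseConcluded", "NOASSERTION")

        if version is None:
            findings.append(Finding("unknown", name, raw_version,
                                    "version not asserted; cannot match advisories"))
        else:
            for adv in advisories:
                if adv["package"] == name and affected(
                        version, parse_version(adv["introduced"]), parse_version(adv["fixed"])):
                    findings.append(Finding("vulnerable", name, raw_version,
                                            f'{adv["id"]} (fixed in {adv["fixed"]})'))

        if license_id == "NOASSERTION":
            findings.append(Finding("unknown", name, raw_version, "license not asserted"))
        elif license_id in denied_licenses:
            findings.append(Finding("license", name, raw_version,
                                    f"{license_id} is on the deny-list"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SBOM):
        print(f"{f.kind:10} {f.package} {f.version}: {f.detail}")
```

Two details matter in practice and are deliberately shown here: the fixed version is excluded from the affected range (libbar at exactly 2.17.1 is clean), and NOASSERTION entries are reported as "unknown" rather than silently passing, because an SBOM that cannot name a version or license gives no assurance at all. Real tools add ecosystem-specific version semantics, transitive dependency graphs and reachability analysis on top of this skeleton.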

supply-chain-security related posts

  • SLSA – Supply-Chain Levels for Software Artifacts

    1 project | news.ycombinator.com | 2 Apr 2024
  • Show HN: Vet now supports detecting malicious packages

    1 project | news.ycombinator.com | 31 Dec 2023
  • 10 reasons you should quit your HTTP client

    5 projects | dev.to | 15 Nov 2023
  • UEFI Software Bill of Materials Proposal

    8 projects | news.ycombinator.com | 14 Nov 2023
  • Gittuf – a security layer for Git using some concepts introduced by TUF

    5 projects | news.ycombinator.com | 24 Oct 2023
  • SLSA • Supply-Chain Levels for Software Artifacts

    1 project | news.ycombinator.com | 5 Oct 2023
  • Password-stealing Linux malware served for 3 years and no one noticed

    2 projects | news.ycombinator.com | 12 Sep 2023

Index

What are some of the best open-source supply-chain-security projects? This list will help you:

Rank Project Stars
1 slsa 1,424
2 tern 935
3 legitify 708
4 dep-scan 710
5 packj 615
6 harden-runner 514
7 rebuilderd 344
8 chainloop 306
9 secure-repo 236
10 scout-cli 217
11 js-x-ray 197
12 sbom-operator 180
13 vet 177
14 sdc-check 138
15 SBOM Quality Score 132
16 sh4d0wup 116
17 pacman-bintrans 83
18 chainalert-github-action 39
19 solarsploit 22
20 bytesafe-ce 20
21 packj-github-action 10
22 Azure-DevOps-Server-segmentation-cheat-sheet 6
