Top 22 supply-chain-security Open-Source Projects
-
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
-
legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
-
dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
-
packj
Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply chain
-
harden-runner
Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
-
chainloop
Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.
-
js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
-
chainalert-github-action
Scans popular packages and alerts when an account takeover of a maintainer is suspected
-
bytesafe-ce
Bytesafe Community Edition is a security platform that protects organizations from open source software supply chain attacks.
-
Azure-DevOps-Server-segmentation-cheat-sheet
Azure DevOps Server development system segmentation best practices
Project mention: SLSA – Supply-Chain Levels for Software Artifacts | news.ycombinator.com | 2024-04-02
Project mention: GitHub - Legit-Labs/legitify: Detect and remediate misconfigurations and security risks across all your GitHub GitLab assets. Version 1.0 is out, check out the new enterprise-level policies. | /r/netsec | 2023-08-04
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05
Depscan v5 is the first open-source SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.
Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you have hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.
1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.
2. https://github.com/ossillate-inc/packj-github-action
Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
Using Docker Scout:
Project mention: Show HN: Vet now supports detecting malicious packages | news.ycombinator.com | 2023-12-31
For more information: https://bytesafe.dev/posts/bytesafe-community-edition/ or view it on GitHub: https://github.com/bitfront-se/bytesafe-ce
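The dep-scan mention above describes reachability analysis: instead of reporting every known-vulnerable function in a dependency, an SCA tool checks whether the application can actually call it. The following is an added illustration of that idea, written for this page; it is not dep-scan's code and does not use dep-scan's symbol tagger, data-flow analyzer or slicer. It builds a coarse call graph from Python source with the standard `ast` module and runs a breadth-first search from an entry point to each "vulnerable" symbol. The two modules (`app`, `dep`), the entry point `app.main` and the vulnerable symbols `dep.unsafe_deserialize` and `dep.legacy_eval` are constructed for the example, not taken from any real package.

```python
import ast
from collections import deque

# Constructed sample sources (assumption: not real packages). The application
# imports one dependency; two of the dependency's functions are treated as
# "known vulnerable" for the sake of the example.
APP_SRC = '''
import dep

def load_config(path):
    with open(path) as f:
        return dep.parse_config(f.read())

def main():
    cfg = load_config("app.cfg")
    return cfg

def unused_helper():
    return dep.render_template("{{x}}")
'''

DEP_SRC = '''
import pickle

def parse_config(text):
    return unsafe_deserialize(text.encode())

def unsafe_deserialize(blob):
    return pickle.loads(blob)

def render_template(tpl):
    return legacy_eval(tpl)

def legacy_eval(expr):
    return eval(expr)
'''


def build_call_graph(modules):
    """modules: {module_name: source}. Returns {qualified_fn: set(qualified_callees)}.

    Only module-level functions are modelled; a call is resolved when it is a
    bare name bound in the same module (or by 'from x import y'), or an
    attribute call on a name bound by 'import x'. Everything else is ignored.
    """
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        imported_modules = {}   # local alias -> module name   ('import dep')
        imported_names = {}     # local alias -> qualified fn  ('from dep import f')
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    imported_modules[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    imported_names[a.asname or a.name] = f"{node.module}.{a.name}"
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            callees = set()
            for node in ast.walk(fn):
                if not isinstance(node, ast.Call):
                    continue
                f = node.func
                if isinstance(f, ast.Name):
                    if f.id in local_funcs:
                        callees.add(f"{mod}.{f.id}")
                    elif f.id in imported_names:
                        callees.add(imported_names[f.id])
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    if f.value.id in imported_modules:
                        callees.add(f"{imported_modules[f.value.id]}.{f.attr}")
            graph[f"{mod}.{fn.name}"] = callees
    return graph


def reachable_path(graph, entry, target):
    """BFS from entry; returns the call path to target, or None if unreachable."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in graph.get(cur, ()):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def triage(modules, entry, vulnerable_symbols):
    """Map each vulnerable symbol to the call path that reaches it (or None)."""
    graph = build_call_graph(modules)
    return {sym: reachable_path(graph, entry, sym) for sym in vulnerable_symbols}


if __name__ == "__main__":
    result = triage({"app": APP_SRC, "dep": DEP_SRC}, "app.main",
                    ["dep.unsafe_deserialize", "dep.legacy_eval"])
    for sym, path in result.items():
        if path:
            print(f"{sym}: REACHABLE via {' -> '.join(path)}")
        else:
            print(f"{sym}: not reachable from app.main")
```

Run as a script, the example reports `dep.unsafe_deserialize` as reachable through `app.main -> app.load_config -> dep.parse_config`, while `dep.legacy_eval` is only reachable from `app.unused_helper`, which nothing on the `main` path calls, so a triage step would rank it lower. A real analyzer has to handle methods, dynamic dispatch, decorators and data flow, which is why the dep-scan authors mention a data-flow analyzer and a slicer; a name-based call graph like this one over-approximates on aliasing and under-approximates on indirect calls.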
supply-chain-security related posts
-
SLSA – Supply-Chain Levels for Software Artifacts
-
Show HN: Vet now supports detecting malicious packages
-
10 reasons you should quit your HTTP client
-
UEFI Software Bill of Materials Proposal
-
Gittuf – a security layer for Git using some concepts introduced by TUF
-
SLSA • Supply-Chain Levels for Software Artifacts
-
Password-stealing Linux malware served for 3 years and no one noticed
-
Index
What are some of the best open-source supply-chain-security projects? This list will help you:
# | Project | Stars
---|---|---
1 | slsa | 1,424
2 | tern | 935
3 | legitify | 708
4 | dep-scan | 710
5 | packj | 615
6 | harden-runner | 514
7 | rebuilderd | 344
8 | chainloop | 306
9 | secure-repo | 236
10 | scout-cli | 217
11 | js-x-ray | 197
12 | sbom-operator | 180
13 | vet | 177
14 | sdc-check | 138
15 | SBOM Quality Score | 132
16 | sh4d0wup | 116
17 | pacman-bintrans | 83
18 | chainalert-github-action | 39
19 | solarsploit | 22
20 | bytesafe-ce | 20
21 | packj-github-action | 10
22 | Azure-DevOps-Server-segmentation-cheat-sheet | 6