Twin Cities, MN
Stars
Production-Grade Container Scheduling and Management
The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
An open source trusted cloud native registry project that stores, signs, and scans content.
Code signing and transparency for containers and binaries
Golang library for managing configuration data from environment variables
OpenSSF Scorecard - Security health metrics for Open Source
GUAC aggregates software security metadata into a high fidelity graph database.
VMware Tanzu Community Edition is no longer an actively maintained project. Code is available for historical purposes only.
Kratix is an open-source framework for building platforms
Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
Cartographer is a Supply Chain Choreographer.
A universal SBOM representation in protocol buffers
Artifact Ratification Framework (CNCF Sandbox)
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.
RabbitMQ eventing components. Knative Source and Broker.
Cryptographic and general-purpose routines for Golang Secure Systems Lab projects at NYU
Software Supply Chain Attribute Integrity (SCAI) Demos and CLI tools
Integrate OPA Gatekeeper's new ExternalData feature with witness to determine whether the images are valid by verifying them against a witness policy