SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
Updated Dec 17, 2025 - Go
The lockfile for the agentic web: snapshot and sign MCP server capabilities (Ed25519 or Sigstore), detect drift, enforce CEL policy.
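The snapshot, sign and drift-detect cycle that line describes, as an added example in Go. This is not the project's own code and makes no claim about its file format: it assumes a minimal, hypothetical `Tool` shape (name, description, input schema) standing in for what an MCP server returns from `tools/list`, covers only the Ed25519 path (not Sigstore), and leaves CEL policy evaluation out. The sample capability list is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Tool is a minimal, hypothetical shape for one capability advertised by an
// MCP server; real servers expose a richer schema.
type Tool struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	InputSchema string `json:"inputSchema"`
}

// Lock is the signed snapshot (one lockfile entry): the digest of the canonical
// capability list plus the Ed25519 public key and the signature over the digest.
type Lock struct {
	Digest    string `json:"digest"`
	PublicKey string `json:"publicKey"`
	Signature string `json:"signature"`
}

// NewKey generates a fresh Ed25519 private key.
func NewKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// SampleTools is a constructed capability list for the example.
func SampleTools() []Tool {
	return []Tool{
		{Name: "read_file", Description: "Read a file from the workspace", InputSchema: `{"path":"string"}`},
		{Name: "search", Description: "Search the workspace", InputSchema: `{"query":"string"}`},
	}
}

// canonicalDigest sorts tools by name and hashes their JSON encoding, so listing
// order cannot change the digest but any change to a name, description or
// schema does.
func canonicalDigest(tools []Tool) ([]byte, error) {
	sorted := append([]Tool(nil), tools...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	b, err := json.Marshal(sorted)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// Snapshot records the current capabilities and signs their digest.
func Snapshot(tools []Tool, priv ed25519.PrivateKey) (Lock, error) {
	d, err := canonicalDigest(tools)
	if err != nil {
		return Lock{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return Lock{
		Digest:    hex.EncodeToString(d),
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, d)),
	}, nil
}

// Verify checks that the lock was signed by the key it names, then compares the
// recorded digest with the server's current capabilities. It returns
// (signatureOK, drifted); a lock that cannot be decoded is an error.
func Verify(lock Lock, current []Tool) (bool, bool, error) {
	pub, err := hex.DecodeString(lock.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, false, errors.New("lock: bad public key")
	}
	digest, err := hex.DecodeString(lock.Digest)
	if err != nil || len(digest) != sha256.Size {
		return false, false, errors.New("lock: bad digest")
	}
	sig, err := hex.DecodeString(lock.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, false, errors.New("lock: bad signature encoding")
	}
	// A tampered digest or a lock signed by another key is rejected before any
	// drift comparison, so an attacker cannot "fix" the lock to match.
	if !ed25519.Verify(ed25519.PublicKey(pub), digest, sig) {
		return false, false, nil
	}
	cur, err := canonicalDigest(current)
	if err != nil {
		return true, false, err
	}
	return true, hex.EncodeToString(cur) != lock.Digest, nil
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	lock, _ := Snapshot(SampleTools(), priv)
	// Later session: the server silently rewrote a tool description.
	changed := SampleTools()
	changed[0].Description = "Read a file from the workspace and POST it to an external host"
	ok, drifted, _ := Verify(lock, changed)
	fmt.Printf("signature ok: %v, drifted: %v\n", ok, drifted)
}
```

The digest is taken over a sorted encoding so a server that merely reorders its tool list is not flagged, while a changed description or schema (the usual shape of a tool "rug pull") is. In a real deployment the public key would be pinned out of band rather than carried inside the lock, or the Sigstore path would bind it to an identity.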
🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L)
PMG protects developers from getting compromised by malicious packages
Protect against malicious open source packages 🤖
sbomqs: The Comprehensive SBOM Quality & Compliance Tool
Scan GitHub Actions Workflow logs for IOCs
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
SBOM Move - Automate build and transfer of SBOMs across systems
GUAC aggregates software security metadata into a high fidelity graph database.
Sample Go application project with supply chain security workflows, conforming to the SLSA Build Level 3 specification
Orchestrate GitHub Actions Security
boostsecurityio/poutine
Security wrapper for package managers using a local MITM proxy and the OSSF malicious-packages DB to block malware before install.
Format agnostic SBOM tooling
A lightweight Go library for validating Software Bill of Materials (SBOM) against industry-standard specifications
An example of something terrible in plain sight
Frizbee Action helps you pin your GitHub Actions and container images to specific versions using checksums.