Supply-chain Levels for Software Artifacts
-
Updated
Dec 15, 2025 - Shell
#
supply-chain-security
Here are 233 public repositories matching this topic...
GUAC aggregates software security metadata into a high fidelity graph database.
security graph supply-chain vulnerability vex spdx vulnerability-management software-supply-chain supply-chain-analytics sbom attestations in-toto cyclonedx slsa supply-chain-security supply-chain-visibility software-supply-chain-security spdx-sbom cyclonedx-sbom
-
Updated
Dec 17, 2025 - Go
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
python docker open-source tool containers compliance dependencies spdx metadata-extraction risk-management software-composition-analysis oss-compliance sbom supply-chain-security
-
Updated
Mar 12, 2024 - Python
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
security-audit containers dependency-analysis vex compliance cve sca vulnerability-scanners security-tools devsecops reachability-analysis sbom cyclonedx supply-chain-security risk-audit dependency-audit
-
Updated
Dec 18, 2025 - Python
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
actions hardening security-hardening egress-filtering network-security runners runtime-security github-actions supply-chain-security
-
Updated
Dec 16, 2025 - TypeScript
Protect against malicious open source packages 🤖
golang npm security rubygems static-analysis pypi hacktoberfest devsecops software-composition-analysis policy-as-code supply-chain-security
-
Updated
Dec 16, 2025 - Go
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
github golang security devops gitlab ci security-scanner devsecops supply-chain-security sdlc-security
-
Updated
Mar 28, 2025 - Go
Damn Vulnerable SCA Application
application-security sca software-composition-analysis sast product-security supply-chain-security software-supply-chain-security scagoat
-
Updated
Oct 16, 2025 - Java
Orchestrate GitHub Actions Security
-
Updated
Dec 17, 2025 - Go
Hermeto is a CLI tool that prefetches your project dependencies to aid in making your container build process hermetic.
-
Updated
Dec 17, 2025 - Python
Docker Scout GitHub Action
-
Updated
Dec 16, 2025 - JavaScript
blint is a Binary Linter that checks the security properties and capabilities of your executables. It can also generate a Software Bill-of-Materials (SBOM) for supported binaries.
-
Updated
Nov 23, 2025 - Python
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
security open-source-licensing compliance license spdx attestation devsecops ospo oss-compliance sbom in-toto cyclonedx slsa supply-chain-security sbom-distribution slsa-provenance metadata-platform sbom-discovery regulated-industry
-
Updated
Dec 17, 2025 - Go
Packj stops ⚡ Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
python npm security rubygems devops security-audit static-analysis pypi malware supply-chain sandboxing developer-tools dynamic-analysis vulnerability malware-analysis devops-tools vulnerability-scanners security-tools devsecops supply-chain-security
-
Updated
Apr 2, 2024 - Python
A compilation of resources in the software supply chain security domain, with emphasis on open source
static-analysis awesome-list security-vulnerability dependencies vulnerability-management software-supply-chain cve-scanning attestation package-management reproducible-builds devsecops software-composition-analysis vulnerability-scanning dependency-management oss-compliance sbom supply-chain-security supply-chain-attacks software-supply-chain-security
-
Updated
Apr 24, 2023
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
-
Updated
Dec 13, 2025 - Go
safely install npm packages by auditing them pre-install stage
nodejs npm security package-manager security-audit best-practices command-line-tool vulnerabilities appsec vulnerability-scanners security-tools supply-chain-security
-
Updated
Dec 12, 2025 - JavaScript
Detect npm packages compromised in the Shai-Hulud 2.0 supply chain attack (Nov 2025). Scans for 790+ malicious packages, suspicious scripts, TruffleHog activity, SHA1HULUD runners, and secrets exfiltration. GitHub Action with SARIF support.
nodejs npm security sarif devsecops vulnerability-scanner malware-detection credential-theft github-actions open-source-security supply-chain-security sarif-report package-security shai-hulud shai-hulud-detector shai-hulud-attack shai-hulud2-detector shai-hulud2 shai-hulud2-inspector sha1-hulud
-
Updated
Dec 18, 2025 - TypeScript
Improve this page
Add a description, image, and links to the supply-chain-security topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the supply-chain-security topic, visit your repo's landing page and select "manage topics."