- Awesome Software Supply Chain Security
- Glossary
- Landscape
- Secret Leakages
- Software Bill of Materials
- Software Composition Analysis
- Static Application Security Testing
- Infrastructure as Code Security
- Cloud Security Posture Management
- Malware Detection
- Container Security Scanners
- Vulnerabilities Database & Tools
- Artifact Metadata
- Identity Tools
- CI/CD
- Signing Artefacts
- Framework
- Kubernetes Admission Controller
- Risk Management
- OCI Image Tools
- Data Store
- Fuzz Testing
- Demo
- SBOM: Software Bill of Materials
- SCA: Software Composition Analysis
- SAST: Static Application Security Testing
- IAST: Interactive Application Security Testing
- VCS: Version Control System
- OSPO: Open Source Program Office
- CSPM: Cloud Security Posture Management
- OSPO Landscape - The OSPO landscape is intended as a map to explore the OSPO Ecosystem in terms of tooling, adopters and involved communities.
- truffleHog - Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
- external-secrets - External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
- Gitleaks - Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
- SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- SPDX - SPDX is an open standard for communicating SBOM information, including provenance, license, security, and other related information.
- CycloneDX - OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
- Tern - A software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It's written in Python3 with a smattering of shell scripts.
- Syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
- bom - A utility to generate SPDX-compliant Bill of Materials manifests.
- ko - Build and deploy Go applications on Kubernetes; also supports generating and uploading SBOMs.
- sbom-tool - Microsoft's SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
- spdx-sbom-generator - Supports CI generation of SBOMs via Go tooling.
- sbom-composer - A tool that takes two or more micro SBOMs and composes them into one distributable SBOM.
- tejolote - A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
- KiBoM - Configurable BoM generation tool for KiCad EDA.
- bomsh - bomsh is a collection of tools to explore the GitBOM idea.
- sbom-operator - Catalogue all images of a Kubernetes cluster to multiple targets with Syft.
- Open Source Insights - Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
- DependencyTrack - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- DependencyCheck - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
- scancode-toolkit - ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
- OSS Review Toolkit - The OSS Review Toolkit (ORT) aims to assist with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies.
- License Finder - LicenseFinder works with package managers to find dependencies, detect the licenses of the packages in them, and compare those licenses against a user-defined list of permitted licenses.
- go-licenses - Analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
- Anchore - A vulnerability scanner for container images and filesystems.
- OpenSCA-Cli - OpenSCA is now capable of parsing configuration files in the listed programming languages and corresponding package managers.
- MurphySec CLI - MurphySec CLI is used for detecting vulnerable dependencies from the command line, and can also be integrated into your CI/CD pipeline.
- Gemnasium - Dependency Scanning analyzer that uses the GitLab Advisory Database.
- reuse-tool - The tool for checking and helping with compliance with the REUSE recommendations.
- lgtm - A code analysis platform for finding zero-days and preventing critical vulnerabilities.
- bomber - Scans SBOMs for security vulnerabilities.
- CVE-2021-44228-Scanner - Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228.
- osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
- Horusec - Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
- Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- Scan - Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and their dependencies.
- starter-workflows - GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
- CodeQL - The libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning).
- DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
- flawfinder - A static analysis tool for finding vulnerabilities in C/C++ source code.
- kubectl-kubesec - Security risk analysis for Kubernetes resources.
- mobsfscan - mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective-C code.
- njsscan - njsscan is a semantic-aware SAST tool that can find insecure code patterns in your Node.js applications.
- tfsec - Security scanner for your Terraform code.
- insider - SAST Engine focused on covering the OWASP Top 10, supporting Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Ful...
- SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
- Find Security Bugs - The SpotBugs plugin for security audits of Java web applications and Android applications.
- go-license-detector - A command-line application and a library, written in Go. It scans the given directory for license files, normalizes and hashes them and outputs all the fuzzy matches with the list of reference texts.
- askalono - askalono is a library and command-line tool to help detect license texts. It's designed to be fast, accurate, and to support a wide variety of license texts.
- licensechecker - licensechecker (lc) is a command-line application which scans directories, identifies what software license things are under, and produces reports as SPDX, CSV, JSON, XLSX or CLI tabular output. Dual-licensed under MIT or the UNLICENSE.
- licensee - A Ruby Gem to detect under what license a project is distributed.
- licenseclassifier - The license classifier is a library and set of tools that can analyze text to determine what type of license it contains. It searches for license texts in a file and compares them to an archive of known licenses.
- licensed - A Ruby gem to cache and verify the licenses of dependencies.
- Tencent Cloud Code Analysis - Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking.
- kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
- Checkov - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code languages with Checkov by Bridgecrew.
- nuclei - Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc.
- RiskScanner - RiskScanner is an open source multi-cloud security compliance scanning platform. Based on the Cloud Custodian, Prowler and Nuclei engines, it realizes security compliance scanning and vulnerability scanning of mainstream public (private) cloud resources.
- DefectDojo - A security orchestration and vulnerability management platform.
- ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
- YARA - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
- Clair - Vulnerability Static Analysis for Containers.
- Anchore - A vulnerability scanner for container images and filesystems.
- Dagda - A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
- Falco - Open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
- Aqua Security - Scanner for vulnerabilities in container images, providing vulnerability scanning and management for orchestrators like Kubernetes.
- Docker Bench - The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production.
- Harbor - It stores, signs, and scans docker images for vulnerabilities.
- JFrog Xray - Intelligent Supply Chain Security and Compliance at DevOps Speed.
- Container Security - Qualys container security is a tool used to discover, track, and continuously protect container environments.
- Docker Scan - Docker Scan leverages the Snyk engine and is capable of scanning a local Dockerfile, images, and their dependencies to find known vulnerabilities. You can run docker scan from Docker Desktop.
- National Vulnerability Database - The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
- NVD Tools - A set of tools to work with the feeds (vulnerabilities, CPE dictionary etc.) distributed by the National Vulnerability Database (NVD).
- CVE Details - CVE Details provides an easy-to-use web interface to CVE vulnerability data.
- Exploit Database Online - The Exploit Database is the most comprehensive collection of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
- Exploit Database Offline - The official Exploit Database repository.
- VulnDB Data Mirror - A simple Java command-line utility to mirror the entire contents of VulnDB.
- NIST Data Mirror - A simple Java command-line utility to mirror the CVE JSON data from NIST.
- Snyk Vulnerability Database - Snyk Vulnerability Database.
- Vuldb - Vulnerability database documenting and explaining security vulnerabilities, threats, and exploits since 1970.
- osv - Open source vulnerability DB and triage service.
- advisory-database - Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
- golang/vulndb - The Go Vulnerability Database.
- pypa/advisory-database - Advisory database for Python packages published on pypi.org.
- RustSec/advisory-db - Security advisory database for Rust crates published through crates.io.
- gsd-database - The Global Security Database (GSD) is a new Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space.
- oss-fuzz-vulns - OSS-Fuzz vulnerabilities for OSV.
- vuln-list - Collect vulnerability information and save it in a parsable format automatically.
- CVE PoC - Gather and update all available and newest CVEs with their PoC.
- CVE List - The CVE Automation Working Group is piloting use of git to share information about public vulnerabilities.
- cve-ark - All published CVEs and their recent changes, ready to be used by humans and machines.
- in-toto - An open metadata standard that you can implement in your software's supply chain toolchain.
- Grafeas - An open-source artifact metadata API that provides a uniform way to audit and govern your software supply chain.
- tkn-intoto-formatter - A common library to convert any Tekton resource to in-toto attestation format.
- SPIFFE/SPIRE - A universal identity control plane for distributed systems.
- SWID - Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles.
- purl - A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
- Grafeas - Grafeas defines an API spec for managing metadata about software resources, such as container images, Virtual Machine (VM) images, JAR files, and scripts.
- CIRCL hashlookup - CIRCL hash lookup is a public API to look up hash values against a known database of files.
- Dex - Dex is an identity service that uses OpenID Connect to drive authentication for other apps.
- Kaniko - Build container images in Kubernetes.
- BuildKit - Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit.
- Tektoncd - A cloud-native solution for building CI/CD systems.
- Reproducible Builds - Reproducible builds are a set of software development practices that create an independently verifiable path from source to binary code.
- Argo - Open source tools for Kubernetes to run workflows, manage clusters, and do GitOps right.
- Jenkins - The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
- Jenkins X - CI/CD solution for modern cloud applications on Kubernetes.
- Prow - Prow is a Kubernetes-based CI/CD system. Jobs can be triggered by various types of events and report their status to many different services.
- jx-git-operator - An operator which polls a git repository for changes and triggers a Kubernetes Job to process the changes in git.
- Lighthouse - Lighthouse is a lightweight ChatOps-based webhook handler which can trigger Jenkins X Pipelines, Tekton Pipelines or Jenkins Jobs based on webhooks from multiple git providers such as GitHub, GitHub Enterprise, BitBucket Server and GitLab.
- Starter Workflows - Workflow files for helping people get started with GitHub Actions.
- ko - Build and deploy Go applications on Kubernetes.
- cosign - Container Signing, Verification and Storage in an OCI registry.
- Fulcio - A free Root CA for code signing certs, issuing certificates based on an OIDC email address.
- GPG - GnuPG is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.
- python-tuf - Python reference implementation of The Update Framework (TUF).
- go-tuf - Go implementation of The Update Framework (TUF).
- - Rust libraries and tools for using and generating TUF repositories.
- Notation - A project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures.
- k8s-manifest-sigstore - kubectl plugin for signing Kubernetes manifest YAML files with sigstore.
- SLSA - A security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
- SCIM - The proposed SCIM will be an industry standard specification, easing the path for uniform data flow across globally distributed supply chains.
- Software Supply Chain Best Practices - CNCF provides a comprehensive software supply chain paper highlighting best practices for high and medium risk environments.
- Blueprint Secure Software Pipeline - Blueprint for building modern, secure software development pipelines.
- Witness - Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
- Kyverno - A policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
- Kritis - An open-source solution for securing your software supply chain for Kubernetes applications; it enforces deploy-time security policies using the Grafeas API.
- Open Policy Agent - Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
- Ratify - The project provides a framework to integrate scenarios that require verification of reference artifacts and provides a set of interfaces that can be consumed by various systems that can participate in artifact ratification.
- Scorecard - Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
- Open Source Project Criticality Score - Gives a criticality score for an open source project.
- allstar - GitHub App to set and enforce security policies.
- SSVC - Stakeholder-Specific Vulnerability Categorization.
- Buildah - A tool that facilitates building OCI images.
- Skopeo - Work with remote image registries: retrieving information, images, signing content.
- go-containerregistry - Go library and CLIs for working with container registries.
- Buildpacks - Providing tooling to transform source code into container images using modular, reusable build functions.
- Trillian - A transparent, highly scalable and cryptographically verifiable data store.
- Rekor - Software Supply Chain Transparency Log.
- ORAS - Registries are evolving as generic artifact stores. To enable this goal, the ORAS project provides a way to push and pull OCI Artifacts to and from OCI Registries.
- OSS-Fuzz - OSS-Fuzz - continuous fuzzing for open source software.
- ssf - Prototype implementation of the CNCF's Software Supply Chain Best Practices White Paper.
- demonstration of SLSA provenance generation strategies - A demonstration of SLSA provenance generation strategies that don't require full build system integration.