awesome-software-supply-chain-security
github.com/bureado/awesome-software-supply-chain-security
A compilation of resources in the software supply chain security domain, with emphasis on open source
GitHub Stars: 366
Curated Resources: 730
Categories: 6
What's inside
Talks, articles, media coverage and other reading
- 2022 Software Supply Chain Security Report • Anchore (Getting started and staying fresh)
- 2022 State of Cloud Native Security Report - Palo Alto Networks (Getting started and staying fresh)
- #6: Steve Springett: CycloneDX and the Future of SBOMs - Cybellum (Getting started and staying fresh)
- Acronyms | OpenSCAP portal (Getting started and staying fresh)
- AI-BOM Workshop at RSA Conference 2024 (Getting started and staying fresh)
Comprehensive workshop on AI software supply chain security and AI Bill of Materials (AI-BOM) covering ecosystem best practices with industry leaders and CISA representatives, including recorded lightning talks
- Application Security Weekly (Video) on Apple Podcasts (Getting started and staying fresh)
Dependency intelligence
- 2ndSetAI/good-egg: Trust scoring system for GitHub PR authors based on contribution history across the GitHub ecosystem, using data-driven analysis to detect AI-generated mass PRs and evaluate contributor credibility
- 6mile/super-confused: Dependency confusion analysis tool supporting 17+ file formats and SBOM files
- abhisek/supply-chain-security-gateway: Reference architecture and proof of concept implementation for supply chain security gateway
- A closer look at CVSS scores (Vulnerability information exchange)
- advanced-security/gh-sbom: Generate SBOMs with gh CLI (SCA and SBOM)
- After the Advisory (Vulnerability information exchange)
Point-of-use validations
- advaitpatel/DockSec: AI-powered Docker security scanner that combines Trivy, Hadolint, and Docker Scout with AI analysis to explain vulnerabilities in plain English and suggest specific Dockerfile fixes
- aflock-ai/cilock-action: GitHub Actions security hardening tool that enforces CI/CD pipeline best practices including environment isolation, secret protection, and dependency verification
- analysis-tools-dev/static-analysis: ⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
- anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles
- aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
- aquasecurity/starboard: Kubernetes-native security toolkit
Frameworks and best practice references
- A First Step to Attaining SLSA Level 3 on GitHub
- A MAP for Kubernetes supply chain security
- A Practical Guide to the SLSA Framework
- boostsecurityio/lotp: "Living Off the Pipeline" — inventory and techniques database of development tool abuse capabilities, documenting how CI/CD tools and build pipelines can be exploited for supply chain attacks
- boostsecurityio/smokedmeat: CI/CD red team framework for testing GitHub Actions workflows and pipeline security, exposing CI/CD risks including Log4Shell-like exploits, script injection, and exfiltration vulnerabilities
- Building trust in our software supply chains with SLSA
Build techniques
- alecmocatta/build_id: Obtain a UUID uniquely representing the build of the current binary.
- apiiro/PRevent: Self-hosted GitHub app that scans pull requests for malicious code patterns including dynamic code execution and obfuscation
- appsec-jedi/pipeline-sentinel: eBPF-powered security monitor for CI/CD build pipelines detecting and blocking suspicious process executions to prevent supply chain attacks during the build phase
- aquasecurity/chain-bench: an open-source tool for auditing your software supply chain stack for security compliance
- CIS 1.0 | Vulnerability Database | Aqua Security
- Attestation concepts
Identity, signing and provenance
- Allow using SSH keys to sign commits · Discussion #7744 · github/feedback
- An exposed apt signing key and how to improve apt security
- Artifactory - Universal Artifact Management
- asfaload/asfaload: Open-source self-hostable multisignature sign-off solution for securing artifact downloads, container image validation, and deployment approval workflows with configurable m-of-n signature thresholds
- Attestation Crafting | ChainLoop documentation
- aws-solutions/verifiable-controls-evidence-store: This repository contains the source code of the Verifiable Controls Evidence Store solution
This page shows a sample of the 730 resources; the full list is in the GitHub repository.