awesome-software-supply-chain-security

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

All published CVE and their recent changes, ready to be used by humans and machines.

CVE Details provides an easy to use web interface to CVE vulnerability data.

The CVE Automation Working Group is piloting use of git to share information about public vulnerabilities.

Gather and update all available and newest CVEs with their PoC.

The official Exploit Database repository.

GitHub App to set and enforce security policies

Gives criticality score for an open source project

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.

Stakeholder-Specific Vulnerability Categorization

A vulnerability scanner for container images and filesystems.

Scanner for vulnerabilities in container images, provided vulnerability scanning and management for orchestrators like Kubernetes.

Vulnerability Static Analysis for Containers

Qualys container security is a tool used to discover, track, and continuously protect container environments.

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Open source tools for Kubernetes to run workflows, manage clusters, and do GitOps right.

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.

CI/CD solution for modern cloud applications on Kubernetes.

An operator which polls a git repository for changes and triggers a Kubernetes Job to process the changes in git.

Build container images in Kubernetes.

askalono is a library and command-line tool to help detect license texts. It's designed to be fast, accurate, and to support a wide variety of license texts.

the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning)

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

The SpotBugs plugin for security audits of Java web applications and Android applications.

a static analysis tool for finding vulnerabilities in C/C++ source code.

a command line application and a library, written in Go. It scans the given directory for license files, normalizes and hashes them and outputs all the fuzzy matches with the list of reference texts.

Blueprint for building modern, secure software development pipelines

The proposed SCIM will be an industry standard specification, easing the path for uniform data flow across globally distributed supply chains.

A security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.

CNCF provide a comprehensive software supply chain paper highlighting best practices for high and medium risk environments.

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact providence.

A utility to generate SPDX-compliant Bill of Materials manifests

bomsh is collection of tools to explore the GitBOM idea.

OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Configurable BoM generation tool for

A tool that takes two or more micro SBOMs and composes them into one distributable SBOM.

Catalogue all images of a Kubernetes cluster to multiple targets with Syft.

Scans SBOMs for security vulnerabilitiesrecommendations

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Dependency Scanning analyzer that uses the GitLab Advisory Database.

Analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.