awesome-software-supply-chain-security

A compilation of resources in the software supply chain security domain, with emphasis on open source.

• awesome-software-supply-chain-security
  • About this list
  • Dependency intelligence
  • SCA and SBOM
  • Vulnerability information exchange
  • Point-of-use validations
  • Supply chain beyond libraries
  • Identity, signing and provenance
  • Frameworks and best practice references
  • Build techniques
  • Talks, articles, media coverage and other reading
  • Getting started and staying fresh

About this list

There is no prescribed taxonomy for this domain. This list will necessarily have some overlap with disciplines and categories such as DevSecOps, SAST, SCA and more.

The supply-chain-synthesis repo offers a long-form read on why that's the case, plus helpful pointers to understand and navigate it as it evolves.

For awesome-software-supply-chain-security we take the following high-level approach: different actors in the supply chain contribute attestations to the elements represented in the chain.

In this process-centric view, attestations are emitted, augmented (e.g., during composition) and verified.

Another way to look at this was described here by Josh Bressers, and here's a narrative example in the wild from Spotify

Using this lens we can identify a large group of "subjects" (dependencies), distinct categories of "facts" (licenses or vulnerabilities) and the specific role of identity, provenance and build systems. This is the rationale behind the current headings, which are expected to evolve with the domain.

Other examples of the ongoing process to define the domain include Add Bad Design as a supply chain scenario · Issue #249 · slsa-framework/slsa and How does SLSA fit into broader supply chain security? · Issue #276 · slsa-framework/slsa. Check out this tweet from Aeva Black with Dan Lorenc for another in-a-pinch view of a couple key projects.

Dependency intelligence

This section includes: package management, library management, dependency management, vendored dependency management, by-hash searches, package, library and dependency naming, library behavior labeling, library publishing, registries and repositories, publishing gates and scans, dependency lifecycle.

• Open Source Insights
• guacsec/guac: GUAC aggregates software security metadata into a high fidelity graph database.
• package-url/purl-spec: A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby
• Online services that help understand what a specific dependency is, or at least whether it's known (usually feeding it a package identifier, such as purl, CPE or another form of ecosystem:name:version, or alternatively via hash):
  • NSRL: hashes for COTS software, well-integrated in tooling from sleuthkit/hfind to nsrllookup
  • A source that can be queried via a public API (HTTP and DNS!) and can be more open source-aware is CIRCL hashlookup
  • Repology has legendary coverage for Linux packages across multiple distribution; its repology-updater and other infrastructure pieces are open source. It provides an updater for WikiData which also has properties of interest for the supply chain security domain.
  • Debian's external repositories metadata
  • Tidelift's libraries.io provides an API and supports over 30 package ecosystems (and several useful open source tools)
  • WhiteSource's Unified Agent also offers some sophisticated file matching abilities
  • The Software Heritage Project has massive ingestion capabilities and offers an API which can efficiently check whether a hash is known, and provide certain information on the file if so
  • Also see swh scanner CLI
  • hashdd - Known Good Cryptographic Hashes
  • ClearlyDefined provides licensing information for open source components, given their coordinates
  • LGTM - Code Analysis Platform to Find and Prevent Vulnerabilities allows manually searching by GitHub repo
  • Binary Transparency directory offers an API that allows to search packages by hash and other attributes
  • A somehow related read is the second half of How Cloudflare verifies the code WhatsApp Web serves to users
  • And Subresource Integrity
  • Not to be confused with the legendary read on Binary Transparency
• For inputs acquired e.g., via curl:
  • SpectralOps/preflight: preflight helps you verify scripts and executables to mitigate chain of supply attacks such as the recent Codecov hack.
  • apiaryio/curl-trace-parser: Parser for output from Curl --trace option
  • curl trace attestor · Issue #139 · testifysec/witness
  • Friends don't let friends Curl | Bash
  • And the quite interesting Enable packaging of curl|bash and other wild stuff. by jordansissel · Pull Request #1957 · jordansissel/fpm
  • Falco
  • aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF
  • genuinetools/bane: Custom & better AppArmor profile generator for Docker containers.
  • containers/oci-seccomp-bpf-hook: OCI hook to trace syscalls and generate a seccomp profile
  • bottlerocket-os/hotdog: Hotdog is a set of OCI hooks used to inject the Log4j Hot Patch into containers.
• deepfence/ThreatMapper: 🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥
• dependency-check
• ossf/package-analysis: Open Source Package Analysis and ossf/package-feeds: Feed parsing for language package manager updates
  • Related: Introducing Package Analysis: Scanning open source packages for malicious behavior
  • Also Argo Security Automation with OSS-Fuzz, Improving Security by Fuzzing the CNCF landscape and google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.
  • And ClusterFuzzLite
  • For Node.js: CodeIntelligenceTesting/jazzer.js: Coverage-guided, in-process fuzzing for the Node.js
  • Also, although arguably more in the realm of application observability, IntelLabs/control-flag: A system to flag anomalous source code expressions by learning typical expressions from training data
• abhisek/supply-chain-security-gateway: Reference architecture and proof of concept implementation for supply chain security gateway
• cugu/gocap: List your dependencies capabilities and monitor if updates require more capabilities.
• MATE: Interactive Program Analysis with Code Property Graphs and see GaloisInc/MATE: MATE is a suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code using Code Property Graphs and docs
• Checkmarx/chainalert-github-action: scans popular packages and alerts in cases there is suspicion of an account takeover
• Open Source Security Foundation (OpenSSF) Alpha-Omega Project
• Socket - Find and compare millions of open source packages, focused on JavaScript
• diffoscope: in-depth comparison of files, archives, and directories
• RedHatProductSecurity/component-registry: Component Registry (Corgi) aggregates component data across Red Hat's supported products, managed services, and internal product pipeline services.
• OSS Insight, powered by TIDB Cloud, is an insight tool that can help you analyze in depth any single GitHub repository/developers, compare any two repositories using the same metrics, and provide comprehensive, valuable, and trending open source insights.
• Announcing the Private Beta of FOSSA Risk Intelligence
• From Projects | Software Transparency Foundation, see OSSKB | Free Open Source Inventorying
  • And particularly: scanoss.py/PACKAGE.md at main · scanoss/scanoss.py
• Artifact Hub, featuring Packages security report and also verifies with cosign
• crt.sh | Certificate Search
• grep.app | code search
• GitHub code search
• searchcode | source code search engine
• Sourcegraph from Sourcegraph
• Onboard open-source contributors on Open Source Hub, see the docker-slim example in Codesee
• Code Checker from Snyk
• Get Started - FOSSology
• cve-search/git-vuln-finder: Finding potential software vulnerabilities from git commit messages
• chaoss/augur: Python library and web service for Open Source Software Health and Sustainability metrics & data collection. You can find our documentation and new contributor information easily here: https://chaoss.github.io/augur/ and learn more about Augur at our website https://augurlabs.io
• IBM/CBOM: Cryptography Bill of Materials
• AppThreat/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief.

Also read:

• TaptuIT/awesome-devsecops: Curating the best DevSecOps resources and tooling.
• Read: Contour: A Practical System for Binary Transparency
• Several interesting concepts in: Shopify/seer-prototype: Security Expert Elicitation of Risks

SCA and SBOM

This section includes: package/library scanners and detectors, SBOM formats, standards, authoring and validation, and a few applications. Will likely include SCA.

The most complete reference is awesomeSBOM/awesome-sbom. Another helpful repo focusing on generators is cybeats/sbomgen: List of SBOM Generation Tools.

• GitBOM
  • Also: git-bom/bomsh: bomsh is collection of tools to explore the GitBOM idea
  • yonhan3/gitbom-repo: A repository of gitBOM docs for Linux binaries
  • Listen: GitBOM. It’s not Git or SBOM and GitBOM: Repurposing Git’s Graph for Supply Chain Security & Transparency
  • Also see bomsage/vision.md at main · dpp/bomsage, and pkgconf/main.c at master · pkgconf/pkgconf (more info in this thread)
• nexB/scancode-toolkit: ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
• OWASP's SCA tools list is comprehensive on its own
• Grafeas: A Component Metadata API
• trailofbits/it-depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
• Mend SCA SBOM, Mend Bolt: Find and Fix Open Source vulnerabilities and Whitesource Renovate: Automated Dependency Updates
  • renovatebot/renovate: Universal dependency update tool that fits into your workflows.
  • Also read Use Cases - Renovate Docs
• JFrog Xray - Universal Component Analysis & Container Security Scanning
• DependencyTrack/dependency-track: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
  • Good read on Dependency-Track
• oss-review-toolkit/ort: A suite of tools to assist with reviewing Open Source Software dependencies.
• anchore/syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems from Software supply chain security solutions • Anchore
  • Also note: New docker sbom Command Creates SBOMs Using Syft
  • Creating SBOM Attestations Using Syft and Sigstore
  • Simple flow: utils/ci/github/docker-build-sign-sbom at main · marco-lancini/utils
• ANNOUNCE: Scan is now in maintenance mode · Issue #352 · ShiftLeftSecurity/sast-scan
• Container Security | Qualys, Inc.
• Aqua Cloud Native Security, Container Security & Serverless Security
• tern-tools/tern: Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
• REA-Products/C-SCRM-Use-Case at master · rjb4standards/REA-Products from this tweet
  • Also see Energy SBOM Proof of Concept - INL
• Phylum Analyze PR Action: GitHub Action to analyze Pull Requests for open-source supply chain issues from Phylum | The Software Supply Chain Security Company
• microsoft/component-detection: Scans your project to determine what components you use
• DWARF 5 Standard
• Software Identification (SWID) Tagging | CSRC and Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
• Concise Software Identification Tags
• hughsie/python-uswid: A tiny tool for embedding CoSWID tags in EFI binaries
  • Also see thread
  • And practical example in coreboot
• ckotzbauer/sbom-operator: Catalogue all images of a Kubernetes cluster to multiple targets with Syft
• Security problem management in Dynatrace Application Security
• DefectDojo/django-DefectDojo: DefectDojo is a DevSecOps and vulnerability management tool.
  • Impressive list of integrations with samples: DefectDojo/sample-scan-files: Sample scan files for testing DefectDojo imports
• swingletree-oss/swingletree: Integrate and observe the results of your CI/CD pipeline tools
• mercedes-benz/sechub: SecHub - one central and easy way to use different security tools with one API/Client
• marcinguy/betterscan-ce: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan Community Edition (CE)
• BBVA/susto: Systematic Universal Security Testing Orchestration
• AppThreat/rosa: An experiment that looks very promising so far.
• FOSSA's SBOM Solution
• Rezillion Dynamic SBOM
• opensbom-generator/spdx-sbom-generator: Support CI generation of SBOMs via golang tooling.
• Tauruseer's SBOM tools
• SOOS' Supported Languages & Manifests
• Fortress: Software Bill of Materials
• javixeneize/yasca: Yet Another SCA tool
• Cybeats SBOM Studio
• edgebitio/edgebit-build: GitHub action to upload SBOMs to EdgeBit and receive vulnerability context in your pull requests from EdgeBit - Real-time supply chain security, enabling security teams to target and coordinate vulnerability remediation without toil.
• REA's Software Assurance Guardian Point Man (SAG-PM)
• microsoft/sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts
• Veracode's SCA to Automate Security Scanning, see demo: How to generate a Software Bill of Materials (SBOM) using Veracode Software Composition Analysis
• Enterprise Edition - BluBracket: Code Security & Secret Detection
• Software Composition Analysis (SCA) | CyberRes
• Nexus Intelligence - Sonatype Data Services
• AppThreat/dep-scan: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI, Google CloudBuild. No server required!
• sbs2001/fatbom: fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.
• Sonatype BOM Doctor
• jhutchings1/spdx-to-dependency-graph-action: A GitHub Action that takes SPDX SBOMs and uploads them to GitHub's dependency submission API to power Dependabot alerts
  • Also see: evryfs/sbom-dependency-submission-action: Submit SBOMs to GitHub's dependency submission API
  • And the Dependency submission docs
• tap8stry/orion: Go beyond package manager discovery for SBOM
• patriksvensson/covenant: A tool to generate SBOM (Software Bill of Material) from source code artifacts.
• CycloneDX/cyclonedx-webpack-plugin: Create CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
• advanced-security/gh-sbom: Generate SBOMs with gh CLI
• interlynk-io/sbomqs: SBOM quality score - Quality metrics for your sboms
• eBay/sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful.

More interesting resources:

• Brakeing Down Security Podcast: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made
• Episode 312: The Legend of the SBOM
• Reimagining Cyber Podcast: Log4j vulnerability provides harsh lessons in unknown dependencies
• Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs
• Sounil Yu on SBOMs, software supply chain security - Security Conversations
• Exploring Security. Criticality of SBOM. Scott McGregor, Cloud Security, Wind River
• Down the Security Rabbithole Podcast: DtSR Episode 487 - Software Supply Chain is a BFD
• Software Composition Analysis Podcast: Software Supply Chain - Episode 1
• Critical Update: Do You Know What’s In Your Software?
• Software Bill of Materials | CISA
• SBOM Use Case - RKVST and RKVST SBOM Hub - RKVST
  • Also read: SBOM Hub - NTIA Attribute Mappings
• BOF: SBOMs for Embedded Systems: What's Working, What's Not? - Kate Stewart, Linux Foundation
• All About That BoM, ‘bout That BoM - Melba Lopez, IBM
• OWASP CycloneDX Launches SBOM Exchange API
• Read: SBOM Management | Six Ways It Prevents SBOM Sprawl
• Read: NTIA's The Minimum Elements For a Software Bill of Materials
• Read: What an SBOM Can Do for You

A few open source projects are documenting, in public, how they acquire dependencies. This intentional, human-parsable, long-form examples can be illustrative:

• envoy/DEPENDENCY_POLICY.md at main · envoyproxy/envoy
• What curl expects from dependencies
• Security: The Value of SBOMs from Flux

Vulnerability information exchange

• OSV
  • Read: SBOM in Action: finding vulnerabilities with a Software Bill of Materials
  • Related: spdx/spdx-to-osv: Produce an Open Source Vulnerability JSON file based on information in an SPDX document
  • Tools: google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
• Qualys' Vulnerability Detection Pipeline
• Vuls · Agentless Vulnerability Scanner for Linux/FreeBSD
• Vulnerability Database, an API is also available; see VulDB
• AppThreat/vulnerability-db: Vulnerability database and package search for sources such as OSV, NVD, GitHub and npm.
• aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
• SAST for Code Security | Snyk Code
  • Also see: Choosing Open Source Libraries from Snyk
• Contrast Community Edition
• Known Exploited Vulnerabilities Catalog | CISA
• cve-search/cve-search: cve-search - a tool to perform local searches for known vulnerabilities
• Exein-io/kepler: NIST-based CVE lookup store and API powered by Rust
• nexB/vulnerablecode: A work-in-progress towards a free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode
• toolswatch/vFeed: The Correlated CVE Vulnerability And Threat Intelligence Database API
• ossf/scorecard: Security Scorecards - Security health metrics for Open Source, OpenSSF Metrics and ossf/security-reviews: A community collection of security reviews of open source software components.
  • ossf/scorecard-action: Official GitHub Action for OSSF Scorecards.
  • Note: How OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore
  • Also OpenSSF Security Insights Spec
  • Read: How OpenSSF Scorecards can help to evaluate open-source software risks
  • Great real life example: State of the Eclipse Foundation GitHub repositories
• Lynis - Security auditing and hardening tool for Linux/Unix
• victims/victims-cve-db: CVE database store
• anchore/grype: A vulnerability scanner for container images and filesystems
  • Also see Using Grype to Identify GitHub Action Vulnerabilities
  • And also Grype now supports CycloneDX and SPDX standards
• GitHub Advisory Database now open to community contributions
• Global Security Database Working Group | CSA, also see cloudsecurityalliance/gsd-database: Global Security Database
• trickest/cve: Gather and update all available and newest CVEs with their PoC.
• RFC 9116: A File Format to Aid in Security Vulnerability Disclosure
• An AOSP vuln-to-commit exercise: quarkslab/aosp_dataset: Large Commit Precise Vulnerability Dataset based on AOSP CVE
  • Commit Level Vulnerability Dataset
• nyph-infosec/daggerboard
• davideshay/vulnscan: Vulnerability Scanner Suite based on grype and syft from anchore
• devops-kung-fu/bomber: Scans SBoMs for security vulnerabilities
• Fortress: Vulnerability Management
• Vulnerability Management | aDolus
• secvisogram/secvisogram: Secvisogram is a web tool for creating and editing security advisories in the CSAF 2.0 format
• future-architect/vuls: Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
• infobyte/faraday: Open Source Vulnerability Management Platform from Faraday - Community v4 Release
• mitre/saf: The MITRE Security Automation Framework (SAF) Command Line Interface (CLI) brings together applications, techniques, libraries, and tools developed by MITRE and the security community to streamline security automation for systems and DevOps pipelines
• devops-kung-fu/bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities
• Rezilion/mi-x: Determine whether your compute is truly vulnerable to a specific vulnerability by accounting for all factors which affect actual exploitability (runtime execution, configuration, permissions, existence of a mitigation, OS, etc..)
• ossf-cve-benchmark/ossf-cve-benchmark: The OpenSSF CVE Benchmark consists of code and metadata for over 200 real life CVEs, as well as tooling to analyze the vulnerable codebases using a variety of static analysis security testing (SAST) tools and generate reports to evaluate those tools.
• See the Vulnerability Management in the NeuVector Docs for integration examples in container scenarios
• noqcks/xeol: An end-of-life (EOL) package scanner for container images, systems, and SBOMs
• mchmarny/vimp: Compare data from multiple vulnerability scanners to get a more complete picture of potential exposures.

A dedicated section on VEX reads:

• CycloneDX - Vulnerability Exploitability Exchange (VEX)
  • Vulnerability eXploitability Exchange explained: How VEX makes SBOMs actionable
  • How VEX helps SBOM+SLSA improve supply chain visibility | Google Cloud Blog
  • What is VEX and What Does it Have to Do with SBOMs?
  • What is VEX? It's the Vulnerability Exploitability eXchange!
  • The Vulnerability Exploitability eXchange (VEX) standard
  • Vex and SBOMs
  • VDR or VEX – Which Do I Use? Part 1
  • VEX! or... How to Reduce CVE Noise With One Simple Trick! by Frederick Kautz
  • Vulnerability Exploitability eXchange (VEX) - Status Justifications
• Real-time VEX

Also see:

• Vulncode-DB on deprecation path
• GitHub brings supply chain security features to the Rust community
• CyCognito Adopts Mapping ATT&CK to CVE for Impact
• Read: A closer look at CVSS scores, Patch Madness: Vendor Bug Advisories Are Broken, So Broken and An Incomplete Look at Vulnerability Databases & Scoring Methodologies
• Read: How to Analyze an SBOM and How to Generate and Host SBoMs from Cloudsmith
• Read: After the Advisory from Google's Open Source Insights team

Point-of-use validations

This section includes: admission and ingestion policies, pull-time verification and end-user verifications.

• Kyverno
  • Read: Attesting Image Scans With Kyverno
  • And: Managing Kyverno Policies as OCI Artifacts with OCIRepository Sources
  • Also: testifysec/judge-k8s: Proof of concept Kubernetes admission controller using the witness attestation verification library
• ckotzbauer/sbom-operator: Catalogue all images of a Kubernetes cluster to multiple targets with Syft
• CONNAISSEUR - Verify Container Image Signatures in Kubernetes
• sigstore/policy-controller: The policy admission controller used to enforce policy on a cluster on verifiable supply-chain metadata from cosign.
  • Also see: lukehinds/policy-controller-demo: demo of keyless signing with the sigstore kubernetes policy controller
• portieris/POLICIES.md at main · IBM/portieris
• reproducible-containers/repro-get: Reproducible apt/dnf/apk/pacman, with content-addressing
• kpcyrd/pacman-bintrans: Experimental binary transparency for pacman with sigstore and rekor
  • Also see: kpcyrd/apt-swarm: 🥸 p2p gossip network for update transparency, based on pgp 🥸
• Open Policy Agent
• Conftest allows to write tests against structured configuration data using the Open Policy Agent Rego query language: here's an example
• Several pre-commit hooks allow vulnerability checking right before dependency ingestion time into the codebase
  • e.g., pyupio/safety: Safety checks your installed dependencies for known security vulnerabilities
  • Or npm-audit
    • Also see snyk-labs/snync: Mitigate security concerns of Dependency Confusion supply chain security risks
    • And lirantal/lockfile-lint: Lint an npm or yarn lockfile to analyze and detect security issues
  • Or requires.io | Monitor your dependencies
  • Or Brakeman Security Scanner
  • Or trailofbits/pip-audit: Audits Python environments and dependency trees for known vulnerabilities
    • Also see: Dependabot alerts now surface if your code is calling a vulnerability
    • And: Use data-dist-info-metadata (PEP 658) to decouple resolution from downloading by cosmicexplorer · Pull Request #11111 · pypa/pip
  • Interesting Python-related project: Project Thoth, using Artificial Intelligence to analyse and recommend software stacks for Python applications
  • Or Checkmarx/chainjacking: Find which of your go lang direct GitHub dependencies is susceptible to ChainJacking attack
  • Or Cargo Vet and crev-dev/cargo-crev: A cryptographically verifiable code review system for the cargo (Rust) package manager.
  • Not automated validation, but comprehensive guidance for Java with a few critical points relating to supply chain security: Google Best Practices for Java Libraries
• Static analysis is often used at this stage in order to detect dependency acquisition, e.g.:
  • Semgrep
  • Getting started with Semgrep Supply Chain
  • Also see: Catching Security Vulnerabilities With Semgrep
  • graudit/signatures at master · wireghoul/graudit
  • banyanops/collector: A framework for Static Analysis of Docker container images
  • quay/clair: Vulnerability Static Analysis for Containers
  • DataDog/guarddog: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
  • eliasgranderubio/dagda: a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
  • Half brilliant, half funny, full helpful: kpcyrd/libredefender: Imagine the information security compliance guideline says you need an antivirus but you run Arch Linux
  • KICS - Keeping Infrastructure as Code Secure
  • tinkerbell/lint-install: Consistently install reasonable linter rules for open-source projects
  • hadolint rules on package installation, e.g., hadolint/README.md at d16f342c8e70fcffc7a788d122a1ba602075250d · hadolint/hadolint
  • Also dockerfile resource scans - checkov from bridgecrewio/checkov: Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
  • And: xlab-si/iac-scan-runner: Service that scans your Infrastructure as Code for common vulnerabilities
  • And: aws-samples/automated-security-helper1
• Vulnerability Assessment | OpenSCAP portal
• Detecting Log4Shell with Wazuh
• aquasecurity/starboard: Kubernetes-native security toolkit
  • Get started with Kubernetes Security and Starboard
• armosec/kubescape: Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.
  • Also: kubescape Visual Studio Code extension
• ckotzbauer/vulnerability-operator: Scans SBOMs for vulnerabilities
• chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
• aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark and aquasecurity/kube-hunter: Hunt for security weaknesses in Kubernetes clusters
• openclarity/kubeclarity: KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
• stackrox/stackrox: The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
• cloudquery/plugins/source/k8s/policies at main · cloudquery/cloudquery
• quarkslab/kdigger: Kubernetes focused container assessment and context discovery tool for penetration testing
• ossillate-inc/packj: The vetting tool 🚀 behind our large-scale security analysis platform to detect malicious/risky open-source packages and Packj | A vetting tool to avoid "risky" packages
• doowon/sigtool: sigtool for signed PE files in GO
• Introducing "safe npm", a Socket npm Wrapper - Socket
• Introducing SafeDep vet 🚀 | SafeDep

Also see:

• analysis-tools-dev/static-analysis: ⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
• anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles
• JupiterOne/secops-automation-examples: Examples on how to maintain security/compliance as code and to automate SecOps using the JupiterOne platform.
  • How We Generate a Software Bill of Materials (SBOM) with CycloneDX
• Securing CICD pipelines with StackRox / RHACS and Sigstore
• Watch: Do you trust your package manager? at Security Fest 2022

Supply chain beyond libraries

And a few things to watch beyond libraries and software dependencies:

• System Transparency | security architecture for bare-metal servers
• Emulated host profiles in fwupd
• GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
• Kernel Self Protection Project - Linux Kernel Security Subsystem
• keylime/keylime: A CNCF Project to Bootstrap & Maintain Trust on the Edge / Cloud and IoT
• parallaxsecond/parsec: Platform AbstRaction for SECurity service
• TPM Carte Blanche-resistant Boot Attestation

Identity, signing and provenance

This section includes: projects and discussions specifics to developer identity, OIDC, keyrings and related topics.

• Part of sigstore
  • Cosign
  • Fulcio
  • Rekor
  • Also see: Kubernetes taps Sigstore to thwart open-source software supply chain attacks
  • Sigstore-specific view of the OpenSSF Landscape
• cas - cas attestation service
• Witness - testifysec/witness: Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
  • Watch: Securing the Supply Chain with Witness - Cole Kennedy, TestifySec
  • Also see: testifysec/go-ima: go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems
• puerco/tejolote: A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
• in-toto-run - GitHub Marketplace and in-toto/github-action: in-toto provenance github action
• General availability of SLSA3 Generic Generator for GitHub Actions
  • slsa-framework/slsa-github-generator: Language-agnostic SLSA provenance generation for Github Actions
  • Also see: Attestation Crafting | ChainLoop documentation
• technosophos/helm-gpg: Chart signing and verification with GnuPG for Helm.
• cashapp/pivit is a command line tool for managing x509 certificates stored on smart cards with PIV applet support that is fully compatible with git
• notaryproject/notary: Notary is a project that allows anyone to have trust over arbitrary collections of data
  • notaryproject/roadmap: Roadmap for NotaryV2
  • notaryproject/notation: Notation is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures. Based on Notary V2 standard.
  • notaryproject/tuf: The Update Framework for OCI Registries
  • Also see vmware-labs/repository-editor-for-tuf: Command line tool for editing and maintaining a TUF repository
  • Also see How to easily try out TUF + in-toto
  • Check out Python-TUF reaches version 1.0.0
  • Related project: werf/trdl: The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.
  • Read: Secure Software Updates via TUF — Part 2
• deislabs/ratify: Artifact Ratification Framework
• latchset/tang: Tang binding daemon
• ietf-rats - Overview
• An exposed apt signing key and how to improve apt security
• See Issue #21 · testifysec/witness for a succinct description of how testifysec/witness: Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact providence. deals with attestation chains
  • Another witness example with GitLab
• Allow using SSH keys to sign commits · Discussion #7744 · github/feedback
• aws-solutions/verifiable-controls-evidence-store: This repository contains the source code of the Verifiable Controls Evidence Store solution
• Read: Monitoring the kernel.org Transparency Log for a year
• Also read: Software Distribution Transparency and Auditability
• paragonie/libgossamer: Public Key Infrastructure without Certificate Authorities, for WordPress and Packagist
  • Read: Solving Open Source Supply Chain Security for the PHP Ecosystem
• johnsonshi/image-layer-provenance, a PoC for Image Layer Provenance and Manifest Layer History
• oras-project/artifacts-spec
• recipy/recipy: Effortless method to record provenance in Python
• spiffe/spire: The SPIFFE Runtime Environment
• Fraunhofer-SIT/charra: Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.
• google/trillian: A transparent, highly scalable and cryptographically verifiable data store.
• Artifactory - Universal Artifact Management
• pyrsia/pyrsia: Decentralized Package Network
• transmute-industries/verifiable-actions: Workflow tools for Decentralized Identifiers & Verifiable Credentials
• Watch: Privacy-preserving Approaches to Transparency Logs

Frameworks and best practice references

This section includes: reference architectures and authoritative compilations of supply chain attacks and the emerging categories.

• in-toto | A framework to secure the integrity of software supply chains
• Supply chain Levels for Software Artifacts or SLSA (salsa) is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
  • Great read: SLSA | CloudSecDocs
  • Another L50 read: Building trust in our software supply chains with SLSA
  • Read: SLSA for Success: Using SLSA to help achieve NIST’s SSDF and All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance
  • Also, a framework mapping put together by Red Hat
  • A Practical Guide to the SLSA Framework by FOSSA
  • Read: Securing Gitpod's Software Supply Chain with SLSA
  • Read: A First Step to Attaining SLSA Level 3 on GitHub
  • And a pattern search across GitHub for inspiration (thanks @infernosec)
• OWASP Application Security Verification Standard, esp. V14 - Configuration
• OWASP/Software-Component-Verification-Standard: Software Component Verification Standard (SCVS)
• CREST launches OWASP Verification Standard (OVS)
• SAFECODE's Fundamental Practices for Secure Software Development, Third Edition, esp. Manage Security Risk Inherent in the Use of Third-party Components
• SSF | The Secure Software Factory and mlieberman85/supply-chain-examples
  • Related: A MAP for Kubernetes supply chain security
• Software Supply Chain Risk Management | BSIMM
• microsoft/scim: Supply Chain Integrity Model
  • Also see: Supply Chain Integrity, Transparency, and Trust (scitt) and What Is SCITT
• Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
  • Also Comply with NIST's secure software supply chain framework with GitLab
• The Supply Chain Risk Management section of SP 800-53 Rev. 5, Security and Privacy Controls for Info Systems and Organizations | CSRC, also see center-for-threat-informed-defense/attack-control-framework-mappings: Security control framework mappings to MITRE ATT&CK
• SP 800-161 Rev. 1, C-SCRM Practices for Systems and Organizations | CSRC
• npm Best Practices Guide (OpenSSF) - Features and recommendations on using npm safely
• CIS Software Supply Chain Security Guide
• microsoft/oss-ssc-framework: Open Source Software Secure Supply Chain Framework
• GitHub's Implementing software security in open source
• Previously referenced: Google Best Practices for Java Libraries
• MITRE's System of Trust
• Securing the Software Supply Chain for Developers was published by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) under the Enduring Security Framework (ESF) initiative
• OpenSSF's Concise Guide for Developing More Secure Software 2022-09-01
• Chris Hughes on the NSA Recommended Practices for Developers: Securing the Software Supply Chain

Also see:

• Zero Trust the Hard Way, Kelsey Hightower
• KubePhilly March 2022- A Look At The Kubernetes SLSA Compliance Project
• Supply Chain Risk Management

Build techniques

This section includes: reproducible builds, hermetic builds, bootstrappable builds, special considerations for CI/CD systems, best practices building artifacts such as OCI containers, etc.

• Reproducible Builds, particularly the Documentation
  • r-b ecosytem mapping
  • Reproducible Builds / reprotest
  • Is NixOS Reproducible?
• Bootstrappable Builds (GNU Mes Reference Manual)
  • Also read Bootstrappable builds from LWN
• tektoncd/chains: Supply Chain Security in Tekton Pipelines
  • Verifiable Supply Chain Metadata for Tekton - CD Foundation
• google/santa: A binary authorization system for macOS
• fepitre/package-rebuilder: Standalone orchestrator for rebuilding Debian, Fedora and Qubes OS packages in order to generate in-toto metadata which can be used with apt-transport-in-toto or dnf-plugin-in-toto to validate reproducible status.
• kpcyrd/rebuilderd-debian-buildinfo-crawler: Reproducible Builds: Scraper/Parser for https://buildinfos.debian.net into structured data
  • Also see Reproducible Builds: Debian and the case of the missing version string - vulns.xyz
• kpcyrd/rebuilderd: Independent verification of binary packages - reproducible builds
• tag-security/sscsp.md at main · cncf/tag-security
• defenseunicorns/zarf: DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
• Lockheed Martin / hoppr / hoppr is a CLI framework for defining, validating, and transferring dependencies between environments
  • Example using SBOM as an input: Inputs - Hoppr
• On instrumenting runners:
  • Keep an eye on Draft: POC Witness Runner integration (!1) · Merge requests · testifysec / gitlab-runner for GitLab runners
  • Also, edgelesssys/constellation: Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
• reposaur/reposaur: Open source compliance tool for development platforms.
• buildsec/frsca is an implementation of the CNCF's Secure Software Factory Reference Architecture. It is also intended to follow SLSA requirements closely and generate in-toto attesttations for SLSA provenance predicates.
• chainloop-dev/chainloop: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
  • Also see: Software Supply Chain Attestation the Easy Way from the Chainloop documentation
• aquasecurity/chain-bench: an open-source tool for auditing your software supply chain stack for security compliance implementing checks for CIS 1.0 | Vulnerability Database | Aqua Security
• ossf/allstar: GitHub App to set and enforce security policies
• scribe-public/gitgat: Evaluate source control (GitHub) security posture
• Legit-Labs/legitify: Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
• crashappsec/github-analyzer: A tool to check the security settings of Github Organizations.
• wspr-ncsu/github-actions-security-analysis from Characterizing the Security of Github CI Workflows | USENIX
• oss-reproducible - Measures the reproducibility of a package based on its purported source. Part of OSS Gadget
• jart/landlock-make: Sandboxing for GNU Make has never been easier
  • Read: Using Landlock to Sandbox GNU Make
• veraison/veraison: Project Veraison will build software components that can be used to build Attestation Verification Services
• Changelog for Pants 2: The ergonomic build system
• Bazel is an open source build and test tool similar to Make, Maven, and Gradle
• GoogleContainerTools/kaniko: Build Container Images In Kubernetes
• sethvargo/ratchet: A tool for securing CI/CD workflows with version pinning.
• buildsec/vendorme improves the developer workflow by giving you one single place to manage any vendored dependencies, and ensures that those are validated properly to improve the security around your supply chain
• eellak/build-recorder
  • Also see: FOSDEM 2023 - Build recorder: a system to capture detailed information

Also see:

• The reproducible-builds topic on GitHub
• Dependency management as part of Google Cloud's Artifact Registry documentation
• Security hardening for GitHub Actions
  • And: step-security/harden-runner: Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches
• Handling build-time dependency vulnerabilities from Create guidance on triaging build time dependency vulnerabilities · Issue #855 · cncf/tag-security
• Code Sight
• cider-security-research/cicd-goat: A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
  • And: step-security/attack-simulator: Simulate past supply chain attacks such as SolarWinds, Codecov, and ua-parser-js
• Read: What Makes a Build Reproducible, Part 2
• Read: Building a Secure Software Supply Chain with GNU Guix
• alecmocatta/build_id: Obtain a UUID uniquely representing the build of the current binary.
• Read: On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Software Vulnerabilities
• Read: Reproducible Builds: Break a log, good things come in trees
• Secure Your Software Factory with melange and apko
  • On the apko pattern, see Shopify/hansel
• kpcyrd/archlinux-inputs-fsck: Lint repository of PKGBUILDs for cryptographically pinned inputs

Talks, articles, media coverage and other reading

Getting started and staying fresh

• A few resources, in addition to this repository, that can help keep up with news and announcements:
  • An RSS feed maintained by @bureado with a mix of open source security, DevSecOps, AppSec and supply chain security news: corner-security
  • tl;dr sec Newsletter
  • Past Issues | CloudSecList
  • News - reproducible-builds.org
  • A great compilation of reads, context and learning materials: chainguard-dev/ssc-reading-list: A reading list for software supply-chain security.
  • A visual reference by Enso Security: AppSec Map
  • A similar one: Jetstack | The Software Supply Chain Toolkit
  • wg-security-tooling/guide.md at main · ossf/wg-security-tooling from ossf/wg-security-tooling: OpenSSF Security Tooling Working Group
  • A toolbox for a secure software supply chain from Chainguard
  • The Technology chapter in Snyk's DevSecOps series
  • A helpful list of acronyms: Acronyms | OpenSCAP portal
  • slsa/terminology.md at main · slsa-framework/slsa
  • tag-security/cloud-native-security-lexicon.md at main · cncf/tag-security
  • Watch: How to start learning about Supply Chain Security
  • Watch: Open Source Supply Chain Security: A Visualization of the Checkmarx Solution, plus the Checkmarx channel on YouTube has excellent explanatory videos for tactics, techniques and procedures in the supply chain security domain, for example: Large Scale Campaign Created Fake GitHub Projects Clones with Fake Commit Added Malware

And a collection of reads and listens, ranging from insightful blog posts, explainers/all-rounders and some long-form analysis (we've tried to keep deep dive reads scoped to other sections)

• Secure Software Development Fundamentals Courses - Open Source Security Foundation
  • Securing Your Software Supply Chain with Sigstore
• Census II of Free and Open Source Software — Application Libraries
• “Chain”ging the Game - how runtime makes your supply chain even more secure
• How to attack cloud infrastructure via a malicious pull request
• The Challenges of Securing the Open Source Supply Chain
• What is a Software Supply Chain Attestation - and why do I need it?
• Open Policy Agent 2021, Year in Review
• Reproducibility · Cloud Native Buildpacks and Buildpacks and SBOM Integration Opportunities
• The state of software bill of materials: SBOM growth could bolster software supply chains
• Secure Your Software Supply Chain with New VMware Tanzu Application Platform Capabilities
  • Secure Software Supply Chains
• A few resources to understand supply chain compromises:
  • Supply Chain Compromise - attackics
  • tag-security/supply-chain-security/compromises at main · cncf/tag-security
  • IQTLabs/software-supply-chain-compromises: A dataset of software supply chain compromises. Please help us maintain it!
  • Taxonomy of Attacks on Open-Source Software Supply Chains and Risk Explorer for Software Supply Chains
  • Endor Labs' version: Risk Explorer for Software Supply Chains
  • Also see a classic, Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
  • Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
  • The Software Supply Chain Security Threat Landscape dispatches from Checkmarx are often fresh reading
  • ossf/oss-compromises: Archive of various open source security compromises
  • Python-specific example: Bad actors vs our community: detecting software supply chain... by Ajinkya Rajput and Ashish Bijlani
  • A comprehensive all rounder: Protect Yourself Against Supply Chain Attacks - Rob Bos - NDC Security 2022
  • Not supply chain security specific, but worth tracking: PayDevs/awful-oss-incidents: 🤬 A categorized list of incidents caused by unappreciated OSS maintainers or underfunded OSS projects. Feedback welcome!
• Improving TOFU (trust on first use) With Transparency
• Reports:
  • 2022 State of Cloud Native Security Report - Palo Alto Networks
  • 2022 Software Supply Chain Security Report • Anchore
• End-to-end demos and examples:
  • goreleaser/supply-chain-example: Example goreleaser + github actions config with keyless signing and SBOM generation
  • Improve supply chain security with GitHub actions, Cosign, Kyverno and other open source tools
• Using SARIF to Extend Analysis of SAST Tools
• GitLab's Software Supply Chain Security section
  • Also read GitLab's Software Supply Chain Security Direction
• GitHub's SARIF support for code scanning
• Driving Developer Productivity via Automated Dependency Tracking
• Code scanning finds more vulnerabilities using machine learning
• Securing Open Source Software at the Source
• Security: The Value of SBOMs
• Why SBOMS & Security Scanning Go Together - Upstream: The Software Supply Chain Security Podcast presented by Anchore
• SBOMs in the Windows Supply Chain, from the SPDX User Group
• Whose Sign Is It Anyway? - Marina Moore, NYU & Matthew Riley, Google
• Binary Authorization for Borg: how Google verifies code provenance and implements code identity
• Application Security Weekly (Video) on Apple Podcasts
• How to prioritize the improvement of open source software security
  • And Strengthening digital infrastructure: A policy agenda for free and open source software
• Software Supply Chain Security Turns to Risk Mitigation
• Reproducible Builds: Increasing the Integrity of Software Supply Chains
• sigstore/community: General sigstore community repo
• CycloneDX Use Cases
  • Listen: #6: Steve Springett: CycloneDX and the Future of SBOMs - Cybellum
• Building a Sustainable Software Supply Chain, particularly the section: "The Software Supply Chain Sustainability Maturity Model"
• Dependency Issues: Solving the World’s Open Source Software Security Problem offers a well meditated view on the problem space as well
• The Digital Economy Runs on Open Source. Here’s How to Protect It (HBR)
• Report: 95% of IT leaders say Log4shell was ‘major wake-up call’ for cloud security
• Presentation: Securing the Open Source Software Supply Chain at PyConUS2022 by Dustin Ingram
• Watch: The state of open source security in 2022 with Kurt Seifried
• Podcast: Kubernetes Podcast from Google: Episode 174 - in-toto, with Santiago Torres-Arias
• EO 14028 and Supply Chain Security
• Reducing Open Source Risk Throughout the Development, Delivery and Deployment of SBOMs, a May 2022 paper illustrating at a high level the differences between SBOMs in publishing, distribution and delivery scenarios; see pages 6-9
• Open Source Security Foundation (OpenSSF) Security Mobilization Plan
• Not Just Third Party Risk
• Open Source Security: How Digital Infrastructure Is Built on a House of Cards
• Series: Bootstrapping Trust Part 1 covering encryption, certificates, chains and roots of trust
• Contact sign-up sheet required: The Rise of Continuous Packaging by Cloudsmith and O'Reilly
• Supply Chain Security for Cloud Native Java (from Thomas Vitale)
• Podcast: It Depends with Trail of Bits
• New security concerns for the open-source software supply chain (top level findings from The State of the Software Supply Chain: Open Source Edition 2022)
• Software Supply Chain Primer v0.93 (June 2022)