detect malicious program behaviors

krata is an isolation engine for securing compute workloads

PlugFest-in-a-Box is a powerful tool to reveal key areas of difference between several Software Bills of Materials (SBOMs) and applying thorough metrics to identify any and all quality issues.

Accurately separates a URL’s subdomain, domain, and public suffix, using the Public Suffix List (PSL).

A CLI used to work with the Wolfi OSS project

An SBOM query language and associated utilities

Example CLI project to demo API architecture and protobom library

A universal SBOM representation in protocol buffers

Educational Resources for Software Supply Chain Security

Darkfiles finds orphaned files in container images and makes them to bad deeds

Official GitHub Action for golangci-lint from its authors

sigstore maven plugin

Fast linters runner for Go

This repository contains a list of papers about software supply chain

Build OCI images from APK packages directly without Dockerfile

YOLO-level verifier

Common go library shared across sigstore services and clients

Sigstore OIDC PKI

Software Supply Chain Transparency Log

Code signing and transparency for containers and binaries

An Open Source Java tool to examine binary Java artifacts that we make available to clients and prospects. TAG_PRODUCTION, OWNER_KEN, DC_PUBLIC

Source for the monitoring website in Rekor VIP

sigstore installation walkthrough, local

Comparing the detection and prioritization performance of tools that detect vulnerable dependencies of a software application.

A place to discuss!

Learn the language basics in this 10-part course.

Helping allocate resources to secure the critical open source projects we all depend on.

OBS Studio - Free and open source software for live streaming and screen recording

Python source code auditing and static analysis on a large scale

Do You Know What's In Your Python Packages? A Tool for Visualizing Python Package Registry Security Audit Data