Stars

Supply Chain Security

⛓️ 🔒
24 repositories

- Supply Chain Integrity Model (101 stars, 13 forks, updated Jun 12, 2023)
- in-toto is a framework to protect supply chain integrity. (Python; 858 stars, 135 forks, updated Aug 12, 2024)
- Software Supply Chain Transparency Log (Go; 872 stars, 161 forks, updated Aug 21, 2024)
- Sigstore OIDC PKI (Go; 632 stars, 134 forks, updated Aug 22, 2024)
- Code signing and transparency for containers and binaries (Go; 4,332 stars, 525 forks, updated Aug 21, 2024)
- Python reference implementation of The Update Framework (TUF) (Python; 1,615 stars, 269 forks, updated Aug 22, 2024)
- Open Source Package Analysis (Go; 720 stars, 51 forks, updated Jul 1, 2024)
- Code-signing for npm packages (TypeScript; 155 stars, 22 forks, updated Aug 21, 2024)
- Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance. (Go; 399 stars, 57 forks, updated Aug 24, 2024)
- Scans SBOMs for vulnerabilities with Grype (Go; 78 stars, 10 forks, updated Aug 24, 2024)
- An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. (Go; 714 stars, 62 forks, updated Jul 17, 2024)
- GUAC aggregates software security metadata into a high fidelity graph database. (Go; 1,248 stars, 162 forks, updated Aug 22, 2024)
- Deliver Go binaries as fast and easily as possible (Go; 13,555 stars, 918 forks, updated Aug 23, 2024)
- Build OCI images from APK packages directly without Dockerfile (Go; 1,145 stars, 112 forks, updated Aug 23, 2024)
- A reading list for software supply-chain security. (358 stars, 13 forks, updated Nov 21, 2022)
- 🥑 Language focused docker images, minus the operating system. (Starlark; 18,442 stars, 1,126 forks, updated Aug 23, 2024)
- sigstore installation walkthrough, local (Shell; 54 stars, 8 forks, updated May 3, 2024)
- Generate SBOMs with gh CLI (Go; 164 stars, 13 forks, updated Dec 5, 2023)
- Supply-chain Levels for Software Artifacts (Shell; 1,508 stars, 218 forks, updated Aug 21, 2024)
- CLI tool and library for generating a Software Bill of Materials from container images and filesystems (Go; 5,921 stars, 545 forks, updated Aug 24, 2024)
- Action for generating build provenance attestations for workflow artifacts (TypeScript; 256 stars, 186 forks, updated Aug 23, 2024)
- Pure-ruby implementation of sigstore verification (Ruby; 4 stars, 1 fork, updated Aug 24, 2024)
- SLSA buildType for GitHub Actions (2 stars, 2 forks, updated Jun 11, 2024)
- DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/ (Go; 1,317 stars, 157 forks, updated Aug 23, 2024)