Supply Chain Security

npm-check-updatesTypeScript

Upgrades your package.json dependencies to the latest versions while preserving existing semantic versioning policies.

CosignGo

A tool for signing and verifying container images and other artifacts using the Sigstore framework.

zizmorRust

A static analysis tool that finds security vulnerabilities and misconfigurations in GitHub Actions workflows.

scorecardGo

Automated security health metrics for open source projects, assessing security best practices and risks.

Roave Security Advisories

A Composer package that blocks installation of PHP dependencies with known security vulnerabilities.

DevSecOps

A curated list of DevSecOps tools, resources, and training materials for integrating security into the development lifecycle.

LunaSecTypeScript

Open-source supply chain security scanner that automatically detects vulnerabilities like Log4Shell in dependencies and notifies via GitHub pull requests.

Harden Runner GitHub ActionTypeScript

A CI/CD security agent that monitors GitHub Actions runners for threats like network egress, file integrity, and process activity.

SafeDep/vetGo

A CLI tool for real-time malicious package detection and software supply chain security across multiple ecosystems.

lockfile-lintJavaScript

A security linter for npm and yarn lockfiles to detect malicious package injections and enforce trust policies.

rust-auditRust

Embed dependency information into Rust binaries for vulnerability auditing in production.

Common Threat Matrix for CI/CD Pipeline

An ATT&CK-like threat matrix mapping adversary tactics and techniques specific to CI/CD pipeline security.

FireEye's Sunburst CountermeasuresYARA

Open-source detection rules for identifying SolarWinds SunBurst backdoor activities and related vulnerabilities across multiple security tools.

coiPython

A security-hardened container runtime for AI coding agents using Incus system containers with real-time threat detection and credential isolation.

MakesNix

A CI/CD framework powered by Nix for building secure and reproducible software supply chains.

Upload and Scan Files with VirusTotalTypeScript

A GitHub Action to upload and scan files for malware using VirusTotal's analysis engine.

NORARust

A lightweight, single-binary artifact registry supporting Docker, Maven, npm, PyPI, Cargo, and Go with zero dependencies.

SDLC Infrastructure Threat Framework (SITF)HTML

A framework for analyzing and defending against supply chain attacks targeting Software Development Lifecycle infrastructure.

PreflightGo

A tool to verify scripts and executables by hash to prevent supply chain attacks.

verifyfetchTypeScript

A drop-in library for resumable downloads and streaming integrity verification of large files in the browser.

Living off the pipelineHTML

A research project inventorying RCE-by-design features and code execution risks in CI/CD pipeline tools.

Awesome Cloud BuildTypeScript

A curated list of high-signal resources for Google Cloud Build, covering CI/CD, security, and modern delivery pipelines.

Dependency CombobulatorPython

An open-source, modular framework to detect and prevent dependency confusion attacks across multiple package managers.

CetusGuardGo

A security proxy that protects Docker daemon sockets by filtering API endpoint calls with configurable rules.

CycloneDX-PHP-ComposerPHP

A Composer plugin that generates accurate CycloneDX Software Bill of Materials (SBOM) for PHP projects.