#Sbom

Showing 47 of 47 repositories tagged #sbom, ranked by stars

anchore
anchore
syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Score
100
★ 9.2k ⑂ 886 +22/day
Go
RetireJS
RetireJS
retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

Score
96
★ 4.2k ⑂ 439 +2/day
JavaScript
DependencyTrack
DependencyTrack
dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Score
100
★ 4.0k ⑂ 775 +6/day
Java
e-m-b-a
e-m-b-a
emba

EMBA - The firmware security analyzer

Score
92
★ 3.5k ⑂ 312 +4/day
Shell
zarf-dev
zarf-dev
zarf

The Airgap Native Package Manager for Kubernetes

Score
100
★ 2.0k ⑂ 261 +3/day
Go
ossf
ossf
cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.

Score
88
★ 1.7k ⑂ 637 +2/day
Python
guacsec
guacsec
guac

GUAC aggregates software security metadata into a high fidelity graph database.

Score
83
★ 1.5k ⑂ 205
Go
HummerRisk
HummerRisk
HummerRisk

HummerRisk 是云原生安全平台,包括混合云安全治理和云原生安全检测。

Score
54
★ 1.5k ⑂ 239
Java
lunasec-io
lunasec-io
lunasec

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

Score
50
★ 1.5k ⑂ 167
TypeScript
openclarity
openclarity
openclarity

OpenClarity is an open source platform built to enhance security and observability of cloud native applications and infrastructure

Score
79
★ 1.5k ⑂ 173
Go
XmirrorSecurity
XmirrorSecurity
OpenSCA-cli

OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community.

Score
75
★ 1.1k ⑂ 134
Go
tern-tools
tern-tools
tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

Score
25
★ 1.0k ⑂ 187
Python
cdxgen
cdxgen
cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server

Score
88
★ 1.0k ⑂ 254 +5/day
JavaScript
rust-secure-code
rust-secure-code
cargo-auditable

Make production Rust binaries auditable

Score
100
★ 832 ⑂ 40 +1/day
Rust
bomfather
bomfather
minefield

Graphing SBOM's Fast.

Score
100
★ 734 ⑂ 26 +1/day
Go
devops-kung-fu
devops-kung-fu
bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities

Score
0
★ 622 ⑂ 55 +2/day
Go
kdeldycke
kdeldycke
meta-package-manager

🎁 wraps all package managers with a unifying CLI

Score
100
★ 602 ⑂ 49 +3/day
Python
chainloop-dev
chainloop-dev
chainloop

SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more

Score
71
★ 568 ⑂ 53
Go
CycloneDX
CycloneDX
specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX

Score
0
★ 521 ⑂ 88
XSLT
sandworm-hq
sandworm-hq
sandworm-audit

Security & License Compliance For Your App's Dependencies 🪱

Score
21
★ 475 ⑂ 7
JavaScript
kubernetes-sigs
kubernetes-sigs
bom

A utility to generate SPDX-compliant Bill of Materials manifests

Score
50
★ 461 ⑂ 65 +1/day
Go
xeol-io
xeol-io
xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs

Score
67
★ 442 ⑂ 33 +2/day
Go
CycloneDX
CycloneDX
cyclonedx-python

CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

Score
0
★ 386 ⑂ 95 +2/day
Python
ckotzbauer
ckotzbauer
sbom-operator

Catalogue all images of a Kubernetes cluster to multiple targets with Syft

Score
62
★ 233 ⑂ 35 +2/day
Go
sbom-tool
sbom-tool
sbom-tools

Semantic SBOM/CBOM diff, quality scoring, and TUI analysis tool for CycloneDX/SPDX — covering component changes, dependency shifts, license conflicts, vulnerabilities, cryptographic inventory grading, and PQC compliance (CNSA 2.0, NIST IR 8547).

Score
50
★ 231 ⑂ 13
Rust
laoshanxi
laoshanxi
app-mesh

A secure, high-performance, multi-tenant micro-service platform for remote "App Management" and "Computing"

Score
50
★ 218 ⑂ 29 +1/day
C++
oracle
oracle
macaron

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:

Score
58
★ 208 ⑂ 34
Python
konflux-ci
konflux-ci
konflux-ci

Trusted builds made easy! A cloud-native software factory for building, testing, and releasing trusted software artifacts

Score
75
★ 163 ⑂ 139 +3/day
Go
fatihtokus
fatihtokus
scan2html

A Trivy plugin that scans and outputs the results (vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more) to an interactive html file.

Score
38
★ 139 ⑂ 14 +1/day
HTML
relizaio
relizaio
rearm

ReARM - Release Governance Platform for the Agentic Era

Score
46
★ 122 ⑂ 9
Java
gitsocial-org
gitsocial-org
gitsocial

Git-native cross-forge collaboration platform

Score
100
★ 114 ⑂ 5 +1/day
Go
ckotzbauer
ckotzbauer
vulnerability-operator

Scans SBOMs for vulnerabilities with Grype

Score
38
★ 88 ⑂ 11
Go
inno-devops-labs
inno-devops-labs
DevSecOps-Intro

🚀 DevSecOps intro elective — 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.

Score
62
★ 81 ⑂ 135
Shell
arsbr
arsbr
Veritensor

The Anti-Virus for AI Artifacts & RAG Firewall. A static analysis tool scanning Models and Notebooks for RCE, Datasets and RAG docs for Data Poisoning, PII, and Prompt Injections. Secure your AI Supply Chain.

Score
0
★ 80 ⑂ 6
Python
oxsecurity
oxsecurity
codetotal

Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.

Score
4
★ 78 ⑂ 9
TypeScript
docker
docker
github-builder

Official Docker-maintained reusable GitHub Actions workflows to securely build container images

Score
42
★ 74 ⑂ 18 +1/day
edoardottt
edoardottt
depsdev

CLI client (and Golang module) for deps.dev API. Free access to dependencies, licenses, advisories, and other critical health and security signals for open source package versions.

Score
33
★ 67 ⑂ 8
Go
bgeesaman
bgeesaman
malicious-compliance

Supporting code and demos for KubeCon EU 2023 talk "Malicious Compliance: Reflections on Trusting Container Image Scanners"

Score
12
★ 67 ⑂ 11
Makefile
meta-fun
meta-fun
awesome-software-supply-chain-security

Sharing software supply chain security open source projects

Score
0
★ 54 ⑂ 5
omonien
omonien
DX.Comply

Generate CycloneDX SBOMs for Delphi projects — EU Cyber Resilience Act compliance in one click

Score
29
★ 52 ⑂ 9 +1/day
Pascal
squid-protocol
squid-protocol
gitgalaxy

An AST-free, LLM-free heuristic knowledge graph engine for deep repository intelligence. Map, secure, and modernize enterprise codebases across 50+ languages at extreme velocity

Score
25
★ 45 ⑂ 2
Python
kxxt
kxxt
cargo-visualize

Know your dependencies via interactive cargo dependency graph visualization. An opinionated fork of cargo-depgraph that focuses on interactivity.

Score
0
★ 41 ⑂ 1
Rust
popey
popey
sbommage

Sbommage is an interactive terminal frontend for viewing Software Bill of Materials (SBOM) files in various formats.

Score
0
★ 39 ⑂ 1
Python
cra-compliance-lab
cra-compliance-lab
awesome-cra-compliance

Curated resources for the EU Cyber Resilience Act (Regulation 2024/2847): regulation, harmonised standards, EUCC, SBOM, vulnerability management, conformity assessment

Score
17
★ 39 ⑂ 5 +2/day
mangod12
mangod12
OneAlert

AI-powered SOC for OT/ICS networks — 6 autonomous agents, MITRE ATT&CK mapping, Suricata/Zeek ingestion, human-in-the-loop response, 330+ tests. Open-source alternative to Claroty/Dragos for SMBs.

Score
12
★ 30 ⑂ 3
Python
lmco
lmco
hoppr-cop

Hoppr Cop is a cli and python library that generates high quality vulnerability information from a cyclone-dx Software Bill of Materials (SBOM) by aggregating data from multiple vulnerability databases. This project is a mirror from gitlab

Score
0
★ 25 ⑂ 8
Python
droidsaw
droidsaw
droidsaw

Pure-Rust Android decompiler and security-audit suite. DEX → Java, Hermes → JavaScript. Cross-layer taint across the React Native bridge. CycloneDX SBOM + OpenVEX. CLI and MCP. Bytecode is not a security layer.

Score
8
★ 21 ⑂ 2
Rust
Related Topics
#security#cyclonedx#supply-chain-security#spdx#supply-chain#devsecops#kubernetes#compliance#security-tools#docker#software-composition-analysis

© 2026 GitRepoTrend · GitHub repositories by topic · Updated weekly