#Supply-chain-security

Showing 58 of 58 repositories tagged #supply-chain-security, ranked by stars

perplexityai
perplexityai
bumblebee

Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.

Score
100
โ˜… 4.8k โ‘‚ 430 +115/day
Go
nolabs-ai
nolabs-ai
nono

Sandbox any AI agent in seconds - zero setup, zero latency.

Score
100
โ˜… 3.0k โ‘‚ 204 +5/day
Rust
sheeki03
sheeki03
tirith

Terminal security for developers and AI agents. Intercepts homograph URLs, pipe-to-shell, ANSI injection, obfuscated payloads, data exfiltration, and malicious AI skills/configs before they execute.

Score
67
โ˜… 2.6k โ‘‚ 86 +3/day
Rust
slsa-framework
slsa-framework
slsa

Supply-chain Levels for Software Artifacts

Score
100
โ˜… 1.9k โ‘‚ 286 +1/day
HTML
lirantal
lirantal
npq

safely install npm packages by auditing them pre-install stage

Score
94
โ˜… 1.8k โ‘‚ 41 โ€”
JavaScript
guacsec
guacsec
guac

GUAC aggregates software security metadata into a high fidelity graph database.

Score
97
โ˜… 1.5k โ‘‚ 205 โ€”
Go
lirantal
lirantal
npm-security-best-practices

Collection of npm package manager Security Best Practices

Score
89
โ˜… 1.2k โ‘‚ 43 +2/day
safedep
safedep
vet

Protect against malicious open source packages ๐Ÿค–

Score
91
โ˜… 1.1k โ‘‚ 103 +5/day
Go
tern-tools
tern-tools
tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

Score
60
โ˜… 1.0k โ‘‚ 187 โ€”
Python
Legit-Labs
Legit-Labs
legitify

Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets

Score
0
โ˜… 875 โ‘‚ 78 โ€”
Go
toby-bridges
toby-bridges
api-relay-audit

Local security audit for AI API relays and LLM proxies: detects prompt injection, model substitution, tool-call rewriting, SSE anomalies, error leakage, and Web3 wallet risks.

Score
0
โ˜… 748 โ‘‚ 72 +10/day
Python
bomfather
bomfather
minefield

Graphing SBOM's Fast.

Score
100
โ˜… 734 โ‘‚ 26 +1/day
Go
ossillate-inc
ossillate-inc
packj

Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

Score
80
โ˜… 686 โ‘‚ 37 โ€”
Python
chainloop-dev
chainloop-dev
chainloop

SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more

Score
83
โ˜… 568 โ‘‚ 53 โ€”
Go
boostsecurityio
boostsecurityio
poutine

poutine, a supply chain vulnerability scanner for build pipelines

Score
50
โ˜… 489 โ‘‚ 40 +2/day
Go
docker
docker
scout-cli

Docker Scout CLI

Score
86
โ˜… 453 โ‘‚ 134 +1/day
Shell
safedep
safedep
pmg

PMG protects developers, AI agents from malicious open source packages using proxy, sandbox and SafeDep's threat intelligence feed.

Score
100
โ˜… 452 โ‘‚ 36 +1/day
Go
Raiders0786
Raiders0786
web3-security-resources

Curated Web3 security learning hub for smart contract auditors and protocol teams: roadmaps, audit tools, public reports, fuzzing, formal verification, AI-assisted workflows, offchain security, incident response, and launch checklists.

Score
0
โ˜… 424 โ‘‚ 66 โ€”
Python
arnica
arnica
depsguard

Harden your package manager configs against supply chain attacks.

Score
67
โ˜… 390 โ‘‚ 17 +3/day
Rust
boostsecurityio
boostsecurityio
smokedmeat

A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.

Score
77
โ˜… 365 โ‘‚ 27 +1/day
Go
ckotzbauer
ckotzbauer
sbom-operator

Catalogue all images of a Kubernetes cluster to multiple targets with Syft

Score
80
โ˜… 233 โ‘‚ 35 +2/day
Go
PrismorSec
PrismorSec
prismor

Runtime security for Agents. Blocks dangerous commands, prevent secret leaks, stop prompt injection, gate risky package installs and visibility and control over tool calls.

Score
69
โ˜… 227 โ‘‚ 18 +5/day
Python
getnora-io
getnora-io
nora

Lightweight multi-format artifact registry. 13 formats: Docker, Maven, npm, PyPI, Cargo, Go, NuGet, RubyGems, Terraform, Conan, Ansible Galaxy, Dart Pub, and Raw. Single binary, zero dependencies, <100MB RAM.

Score
33
โ˜… 224 โ‘‚ 22 +12/day
Rust
jestasecurity
jestasecurity
thumper

Thumper is an open-source tripwire for the Shai-Hulud npm worm. Plant fake-but-realistic credentials where the worm scans - the instant one is read, you know the box might be breached. Free and built in the open by Jesta.

Score
66
โ˜… 223 โ‘‚ 13 โ€”
Python
cicd-sensor
cicd-sensor
cicd-sensor

Open-source eBPF runtime security sensor for GitHub Actions and GitLab CI/CD.

Score
60
โ˜… 217 โ‘‚ 7 +1/day
Go
oracle
oracle
macaron

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:

Score
71
โ˜… 208 โ‘‚ 34 โ€”
Python
boostsecurityio
boostsecurityio
bagel

bagel, a CLI that inventories security-relevant metadata on developer workstations

Score
54
โ˜… 179 โ‘‚ 11 +1/day
Go
Hainrixz
Hainrixz
cyber-neo

Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 10 and CWE Top 25 categories. 11 security domains, 60+ secret patterns, parallel subagent analysis, professional report generation. Built by tododeia.com

Score
51
โ˜… 167 โ‘‚ 21 +2/day
Python
konflux-ci
konflux-ci
konflux-ci

Trusted builds made easy! A cloud-native software factory for building, testing, and releasing trusted software artifacts

Score
100
โ˜… 163 โ‘‚ 139 +3/day
Go
KryptosAI
KryptosAI
mcp-observatory

Test, secure, and monitor MCP servers before agents depend on them.

Score
33
โ˜… 142 โ‘‚ 24 +1/day
TypeScript
gensecaihq
gensecaihq
Shai-Hulud-2.0-Detector

Detect npm packages compromised in the Shai-Hulud 2.0 supply chain attack (Nov 2025). Scans for 790+ malicious packages, suspicious scripts, TruffleHog activity, SHA1HULUD runners, and secrets exfiltration. GitHub Action with SARIF support.

Score
57
โ˜… 141 โ‘‚ 34 โ€”
TypeScript
alexgreensh
alexgreensh
repo-forensics

Offline security scanner for AI-agent repos, skills, plugins, and MCP servers.

Score
0
โ˜… 137 โ‘‚ 18 +11/day
Python
kpcyrd
kpcyrd
sh4d0wup

Signing-key abuse and update exploitation framework

Score
14
โ˜… 131 โ‘‚ 13 โ€”
Rust
sinewaveai
sinewaveai
agent-security-scanner-mcp

Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix.

Score
49
โ˜… 112 โ‘‚ 10 +1/day
JavaScript
andreapollastri
andreapollastri
checkpoint

Laravel Security Tool

Score
43
โ˜… 106 โ‘‚ 2 โ€”
PHP
Gk0Wk
Gk0Wk
ClawGuard

The antivirus for OpenClaw โ€” approve dangerous actions, scan skills, block secret leaks, and keep humans in control, for safety.

Score
37
โ˜… 100 โ‘‚ 2 โ€”
TypeScript
ExtensionShield
ExtensionShield
ExtensionShield

Chrome extension risk scanner โ€” scan Chrome Web Store links or CRX/ZIP builds and generate evidence-based security/privacy reports. Open-core.

Score
63
โ˜… 95 โ‘‚ 76 +2/day
Python
kpcyrd
kpcyrd
pacman-bintrans

Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)

Score
9
โ˜… 86 โ‘‚ 5 โ€”
Rust
garagon
garagon
aguara

The open source security engine for AI agent and supply-chain trust.

Score
46
โ˜… 85 โ‘‚ 15 โ€”
Go
inno-devops-labs
inno-devops-labs
DevSecOps-Intro

๐Ÿš€ DevSecOps intro elective โ€” 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.

Score
74
โ˜… 81 โ‘‚ 135 โ€”
Shell
arsbr
arsbr
Veritensor

The Anti-Virus for AI Artifacts & RAG Firewall. A static analysis tool scanning Models and Notebooks for RCE, Datasets and RAG docs for Data Poisoning, PII, and Prompt Injections. Secure your AI Supply Chain.

Score
0
โ˜… 80 โ‘‚ 6 โ€”
Python
oxsecurity
oxsecurity
codetotal

Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.

Score
6
โ˜… 78 โ‘‚ 9 โ€”
TypeScript
juliensimon
juliensimon
cache-commander

Cache Commander โ€” a TUI and MCP server to explore, audit, and clean developer cache directories. Scan for CVEs, find outdated packages, reclaim disk space. Supports pip, npm, Cargo, HuggingFace, Homebrew, and more.

Score
34
โ˜… 65 โ‘‚ 6 โ€”
Rust
ArmorerLabs
ArmorerLabs
Armorer

Local control plane for running AI agents with sandboxes, approvals, guardrails, credentials, and runtime health.

Score
31
โ˜… 58 โ‘‚ 3 โ€”
TypeScript
meta-fun
meta-fun
awesome-software-supply-chain-security

Sharing software supply chain security open source projects

Score
20
โ˜… 54 โ‘‚ 5 โ€”
Otsmane-Ahmed
Otsmane-Ahmed
KEIP

Kernel-Enforced Install-Time Policies (KEIP): An eBPF/LSM based security tool that detects and blocks malicious network activity during pip install.Kernel-Enforced Install-Time Policies (KEIP): An eBPF/LSM based security tool that detects and blocks malicious network activity during pip install

Score
29
โ˜… 53 โ‘‚ 6 โ€”
Python
squid-protocol
squid-protocol
gitgalaxy

An AST-free, LLM-free heuristic knowledge graph engine for deep repository intelligence. Map, secure, and modernize enterprise codebases across 50+ languages at extreme velocity

Score
26
โ˜… 45 โ‘‚ 2 โ€”
Python
momenbasel
momenbasel
malware-check

Static and dynamic analysis tool for detecting malicious code, suspicious binaries, and privacy violations

Score
23
โ˜… 45 โ‘‚ 6 +1/day
Python
apisec-inc
apisec-inc
AI-Surface

Find and govern AI attack surfaces in application code at PR time. Free, OSS, runs offline.

Score
40
โ˜… 44 โ‘‚ 8 โ€”
Python
guacsec
guacsec
guac-visualizer

Visualizer for GUAC

Score
0
โ˜… 38 โ‘‚ 28 +2/day
TypeScript
koalalab-inc
koalalab-inc
bolt

Secure GitHub actions with 1 line of code

Score
0
โ˜… 38 โ‘‚ 3 โ€”
JavaScript
webpro255
webpro255
awesome-ai-agent-attacks

A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.

Score
20
โ˜… 34 โ‘‚ 3 +5/day
kOaDT
kOaDT
oss-oopssec-store

Security training for the apps you actually ship. Open your browser and start hacking.

Score
40
โ˜… 29 โ‘‚ 42 +2/day
TypeScript
ccelikanil
ccelikanil
DFMI

Another FAFO project: Weaponizing MSI installers for fileless code execution

Score
17
โ˜… 26 โ‘‚ 6 โ€”
Python
lmco
lmco
hoppr-cop

Hoppr Cop is a cli and python library that generates high quality vulnerability information from a cyclone-dx Software Bill of Materials (SBOM) by aggregating data from multiple vulnerability databases. This project is a mirror from gitlab

Score
3
โ˜… 25 โ‘‚ 8 โ€”
Python
Swek09
Swek09
DepSentry

๐Ÿ›ก๏ธ Blazing fast Supply Chain Security tool written in Rust. Features ephemeral sandboxing, hybrid analysis (CVE + Heuristics), and entropy-based malware detection.

Score
0
โ˜… 23 โ‘‚ 1 โ€”
Rust
iammrduncan
iammrduncan
thresher

OSS Projects are cool, vulnerabilities and threats arent. AI scan environment for scanning OSS projects for threats, malware, security issues.

Score
11
โ˜… 13 โ‘‚ 1 โ€”
Python
ossillate-inc
ossillate-inc
packj-github-action

Packj audits pull requests for malicious/risky open-source deps

Score
0
โ˜… 10 โ‘‚ 4 โ€”
Related Topics
#security#devsecops#npm#sbom#ai-security#cybersecurity#cli#llm-security#security-tools#supply-chain#static-analysis#agent-security

ยฉ 2026 GitRepoTrend ยท GitHub repositories by topic ยท Updated weekly