#Supply-chain-security
Showing 58 of 58 repositories tagged #supply-chain-security, ranked by stars
Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.
Sandbox any AI agent in seconds - zero setup, zero latency.
Terminal security for developers and AI agents. Intercepts homograph URLs, pipe-to-shell, ANSI injection, obfuscated payloads, data exfiltration, and malicious AI skills/configs before they execute.
Supply-chain Levels for Software Artifacts
safely install npm packages by auditing them pre-install stage
GUAC aggregates software security metadata into a high fidelity graph database.
Collection of npm package manager Security Best Practices
Protect against malicious open source packages ๐ค
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Local security audit for AI API relays and LLM proxies: detects prompt injection, model substitution, tool-call rewriting, SSE anomalies, error leakage, and Web3 wallet risks.
Graphing SBOM's Fast.
Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
poutine, a supply chain vulnerability scanner for build pipelines
Docker Scout CLI
PMG protects developers, AI agents from malicious open source packages using proxy, sandbox and SafeDep's threat intelligence feed.
Curated Web3 security learning hub for smart contract auditors and protocol teams: roadmaps, audit tools, public reports, fuzzing, formal verification, AI-assisted workflows, offchain security, incident response, and launch checklists.
Harden your package manager configs against supply chain attacks.
A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.
Catalogue all images of a Kubernetes cluster to multiple targets with Syft
Runtime security for Agents. Blocks dangerous commands, prevent secret leaks, stop prompt injection, gate risky package installs and visibility and control over tool calls.
Lightweight multi-format artifact registry. 13 formats: Docker, Maven, npm, PyPI, Cargo, Go, NuGet, RubyGems, Terraform, Conan, Ansible Galaxy, Dart Pub, and Raw. Single binary, zero dependencies, <100MB RAM.
Thumper is an open-source tripwire for the Shai-Hulud npm worm. Plant fake-but-realistic credentials where the worm scans - the instant one is read, you know the box might be breached. Free and built in the open by Jesta.
Open-source eBPF runtime security sensor for GitHub Actions and GitLab CI/CD.
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
bagel, a CLI that inventories security-relevant metadata on developer workstations
Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 10 and CWE Top 25 categories. 11 security domains, 60+ secret patterns, parallel subagent analysis, professional report generation. Built by tododeia.com
Trusted builds made easy! A cloud-native software factory for building, testing, and releasing trusted software artifacts
Test, secure, and monitor MCP servers before agents depend on them.
Detect npm packages compromised in the Shai-Hulud 2.0 supply chain attack (Nov 2025). Scans for 790+ malicious packages, suspicious scripts, TruffleHog activity, SHA1HULUD runners, and secrets exfiltration. GitHub Action with SARIF support.
Offline security scanner for AI-agent repos, skills, plugins, and MCP servers.
Signing-key abuse and update exploitation framework
Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix.
Laravel Security Tool
The antivirus for OpenClaw โ approve dangerous actions, scan skills, block secret leaks, and keep humans in control, for safety.
Chrome extension risk scanner โ scan Chrome Web Store links or CRX/ZIP builds and generate evidence-based security/privacy reports. Open-core.
Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
The open source security engine for AI agent and supply-chain trust.
๐ DevSecOps intro elective โ 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.
The Anti-Virus for AI Artifacts & RAG Firewall. A static analysis tool scanning Models and Notebooks for RCE, Datasets and RAG docs for Data Poisoning, PII, and Prompt Injections. Secure your AI Supply Chain.
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
Cache Commander โ a TUI and MCP server to explore, audit, and clean developer cache directories. Scan for CVEs, find outdated packages, reclaim disk space. Supports pip, npm, Cargo, HuggingFace, Homebrew, and more.
Local control plane for running AI agents with sandboxes, approvals, guardrails, credentials, and runtime health.
Sharing software supply chain security open source projects
Kernel-Enforced Install-Time Policies (KEIP): An eBPF/LSM based security tool that detects and blocks malicious network activity during pip install.Kernel-Enforced Install-Time Policies (KEIP): An eBPF/LSM based security tool that detects and blocks malicious network activity during pip install
An AST-free, LLM-free heuristic knowledge graph engine for deep repository intelligence. Map, secure, and modernize enterprise codebases across 50+ languages at extreme velocity
Static and dynamic analysis tool for detecting malicious code, suspicious binaries, and privacy violations
Find and govern AI attack surfaces in application code at PR time. Free, OSS, runs offline.
Visualizer for GUAC
Secure GitHub actions with 1 line of code
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
Security training for the apps you actually ship. Open your browser and start hacking.
Another FAFO project: Weaponizing MSI installers for fileless code execution
Hoppr Cop is a cli and python library that generates high quality vulnerability information from a cyclone-dx Software Bill of Materials (SBOM) by aggregating data from multiple vulnerability databases. This project is a mirror from gitlab
๐ก๏ธ Blazing fast Supply Chain Security tool written in Rust. Features ephemeral sandboxing, hybrid analysis (CVE + Heuristics), and entropy-based malware detection.
OSS Projects are cool, vulnerabilities and threats arent. AI scan environment for scanning OSS projects for threats, malware, security issues.
Packj audits pull requests for malicious/risky open-source deps