Sample Go app repo with test and release pipelines optimized for software supply chain security (S3C).

Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.

Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there’s no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.

• Sigstore @ GitHub.
• Sigstore documentation.
• Streamline security with keyless signing and verification in GitLab @ GitLab.
• Annotate container images with build provenance using Cosign in GitLab CI/CD @ GitLab.

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

• Dependency-Check @ GitHub.

A simple measure of software dependency freshness. It is a single number telling you how up-to-date your dependencies are.

Supply-chain Levels for Software Artifacts, or SLSA ("salsa").

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.

It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.

• SLSA @ GitHub.
• Securing the software supply chain with the SLSA framework @ Trail of Bits Blog.

Secure your supply chain. Ship with confidence.
Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies.

Socket @ GitHub.

A common and open digital language to develop short supply chains