├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Awesome Software Supply Chain Security

- [Awesome Software Supply Chain Security](#awesome-software-supply-chain-security)
  - [Glossary](#glossary)
  - [Landscape](#landscape)
  - [Secret Leakages](#secret-leakages)
  - [Software Bill of Materials](#software-bill-of-materials)
  - [Software Composition Analysis](#software-composition-analysis)
  - [Static Application Security Testing](#static-application-security-testing)
  - [Infrastructure as Code Secure](#infrastructure-as-code-secure)
  - [Cloud Security Posture Management](#cloud-security-posture-management)
  - [Malware Detection](#malware-detection)
  - [Container Security Scanners](#container-security-scanners)
  - [Vulnerabilities Database \& Tools](#vulnerabilities-database--tools)
  - [Artifact Metadata](#artifact-metadata)
  - [Identity Tools](#identity-tools)
  - [CI/CD](#cicd)
  - [Signing Artefacts](#signing-artefacts)
  - [Framework](#framework)
  - [Kubernetes Admission Controller](#kubernetes-admission-controller)
  - [Risk Management](#risk-management)
  - [OCI Image Tools](#oci-image-tools)
  - [Data Store](#data-store)
  - [Fuzz Testing](#fuzz-testing)
  - [Demo](#demo)

## Glossary

- SBOM: Software Bill of Materials
- SCA: Software Composition Analysis
- SAST: Static Application Security Testing
- IAST: Interactive Application Security Testing
- VCS: Version Control System
- OSPO: Open Source Program Office
- CSPM: Cloud Security Posture Management

## Landscape

- [OSPO Landscape](https://landscape.todogroup.org/) - The OSPO landscape is intended as a map to explore the OSPO ecosystem in terms of tooling, adopters and involved communities.

## Secret Leakages

- [truffleHog](https://github.com/trufflesecurity/truffleHog) - ![GitHub stars](https://img.shields.io/github/stars/trufflesecurity/truffleHog?style=flat-square) - Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
- [external-secrets](https://github.com/external-secrets/external-secrets) - ![GitHub stars](https://img.shields.io/github/stars/external-secrets/external-secrets?style=flat-square) - External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets. (It manages secrets rather than detecting leaks, but it removes the reason to commit them to a repository in the first place.)
- [Gitleaks](https://github.com/zricethezav/gitleaks) - ![GitHub stars](https://img.shields.io/github/stars/zricethezav/gitleaks?style=flat-square) - Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
- [SecLists](https://github.com/danielmiessler/SecLists) - ![GitHub stars](https://img.shields.io/github/stars/danielmiessler/SecLists?style=flat-square) - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

## Software Bill of Materials

- [SPDX](https://github.com/spdx) - SPDX is an open standard for communicating SBOM information, including provenance, license, security, and other related information.
- [CycloneDX](https://github.com/CycloneDX) - OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
- [Tern](https://github.com/tern-tools/tern) - ![GitHub stars](https://img.shields.io/github/stars/tern-tools/tern?style=flat-square) - A software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It's written in Python3 with a smattering of shell scripts.
- [Syft](https://github.com/anchore/syft) - ![GitHub stars](https://img.shields.io/github/stars/anchore/syft?style=flat-square) - CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
- [bom](https://github.com/kubernetes-sigs/bom) - ![GitHub stars](https://img.shields.io/github/stars/kubernetes-sigs/bom?style=flat-square) - A utility to generate SPDX-compliant Bill of Materials manifests.
- [ko](https://github.com/google/ko) - ![GitHub stars](https://img.shields.io/github/stars/google/ko?style=flat-square) - Builds and deploys Go applications on Kubernetes; it can also generate an SBOM for the image it builds and upload it alongside the image.
- [sbom-tool](https://github.com/microsoft/sbom-tool) - ![GitHub stars](https://img.shields.io/github/stars/microsoft/sbom-tool?style=flat-square) - Microsoft's SBOM tool is a highly scalable, enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
- [spdx-sbom-generator](https://github.com/opensbom-generator/spdx-sbom-generator) - ![GitHub stars](https://img.shields.io/github/stars/opensbom-generator/spdx-sbom-generator?style=flat-square) - Supports CI generation of SBOMs via Go tooling.
- [sbom-composer](https://github.com/vmware-samples/sbom-composer) - ![GitHub stars](https://img.shields.io/github/stars/vmware-samples/sbom-composer?style=flat-square) - A tool that takes two or more micro SBOMs and composes them into one distributable SBOM.
- [tejolote](https://github.com/kubernetes-sigs/tejolote) - ![GitHub stars](https://img.shields.io/github/stars/kubernetes-sigs/tejolote?style=flat-square) - A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
- [KiBoM](https://github.com/SchrodingersGat/KiBoM) - ![GitHub stars](https://img.shields.io/github/stars/SchrodingersGat/KiBoM?style=flat-square) - Configurable BoM generation tool for [KiCad EDA](http://kicad.org/) (a hardware bill of materials for PCB designs, not a software one).
- [bomsh](https://github.com/git-bom/bomsh) - ![GitHub stars](https://img.shields.io/github/stars/git-bom/bomsh?style=flat-square) - bomsh is a collection of tools to explore the GitBOM idea (since renamed OmniBOR).
- [sbom-operator](https://github.com/ckotzbauer/sbom-operator) - ![GitHub stars](https://img.shields.io/github/stars/ckotzbauer/sbom-operator?style=flat-square) - Catalogue all images of a Kubernetes cluster to multiple targets with Syft.
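As an added example (written for this page, not code from any tool above), the following Python shows what the generators and composers in this section do at their core: it turns two constructed, pinned requirements lists into CycloneDX 1.4 JSON documents with a purl and a SHA-256 hash per component, then composes them into one release SBOM, deduplicating by purl and refusing to merge two entries whose hashes disagree. The package names are constructed and the per-component hash stands in for the digest of the installed wheel; the field names (`bomFormat`, `specVersion`, `serialNumber`, `metadata`, `components`, `purl`, `hashes`) are those of the CycloneDX 1.4 schema.

```python
from __future__ import annotations

import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input: two pinned requirements files, as a build step
# would see them. Nothing is fetched from an index; the per-component hash
# below is derived from name@version so the example is deterministic.
REQUIREMENTS_APP = """\
requests==2.28.1
urllib3==1.26.12   # shared with the worker image
idna==3.4
"""
REQUIREMENTS_WORKER = """\
urllib3==1.26.12
celery==5.2.7
"""


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from '==' pinned requirement lines.

    Comments, blank lines and unpinned specifiers are skipped: an SBOM must
    record what was actually installed, not an acceptable version range.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pairs.append((name.lower(), version))
    return pairs


def purl_for(name: str, version: str) -> str:
    """Package URL for a PyPI package: pkg:pypi/<name>@<version>."""
    return f"pkg:pypi/{name}@{version}"


def artifact_hash(name: str, version: str) -> str:
    """Stand-in for hashing the installed wheel (an assumption of this example)."""
    return hashlib.sha256(f"{name}-{version}.whl".encode()).hexdigest()


def build_sbom(component_name: str, requirements: str) -> dict:
    """Assemble a CycloneDX 1.4 JSON document for one deployable unit."""
    components = [
        {
            "type": "library",
            "name": name,
            "version": version,
            "purl": purl_for(name, version),
            "hashes": [{"alg": "SHA-256", "content": artifact_hash(name, version)}],
        }
        for name, version in parse_requirements(requirements)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": component_name},
        },
        "components": components,
    }


def compose_sboms(name: str, *sboms: dict) -> dict:
    """Merge several SBOMs into one, deduplicating components by purl.

    The same purl with a different hash means the same name@version resolved
    to different bytes in two builds; that is a finding, not something to
    merge silently, so it raises.
    """
    merged: dict[str, dict] = {}
    for sbom in sboms:
        for comp in sbom["components"]:
            key = comp["purl"]
            if key in merged and merged[key]["hashes"] != comp["hashes"]:
                raise ValueError(f"conflicting hashes for {key}")
            merged.setdefault(key, comp)
    out = build_sbom(name, "")
    out["components"] = sorted(merged.values(), key=lambda c: c["purl"])
    return out


def component_purls(sbom: dict) -> list[str]:
    return [c["purl"] for c in sbom["components"]]


if __name__ == "__main__":
    app = build_sbom("app", REQUIREMENTS_APP)
    worker = build_sbom("worker", REQUIREMENTS_WORKER)
    print(json.dumps(compose_sboms("release", app, worker), indent=2))
```

The conflict check is the part worth copying: a composed SBOM that quietly keeps one of two differing hashes for the same purl hides exactly the discrepancy (a substituted or rebuilt package) that consumers of the SBOM are trying to detect.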
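The Secret Leakages section above lists scanners that work on git history. The example below (added here, not code from truffleHog, Gitleaks or any other listed project) shows the two detection strategies those tools combine, run over a constructed `git log -p` excerpt: format rules for tokens with a recognisable prefix, plus a Shannon-entropy test on base64- and hex-alphabet runs for keys that have none. The AWS pair is the placeholder AWS uses in its own documentation and the GitHub token is a made-up string of the right shape; the regexes and the 4.5/3.0 bits-per-character thresholds are the example's own choices.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample: a few lines as they appear in `git log -p` output.
# The values are documentation placeholders (the AWS pair) or made-up
# strings that merely follow a real token's format.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
 DEBUG = True
 LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
-PASSWORD = "hunter2"
"""

# Strategy 1: known token formats and suspicious assignments. Cheap and
# precise, but only catches what has a recognisable prefix or variable name.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "keyword-assignment": re.compile(
        r"(?i)(password|passwd|secret|token)\w*\s*[=:]\s*['\"][^'\"]{4,}['\"]"
    ),
}

# Strategy 2: high-entropy runs in a base64 or hex alphabet, the heuristic
# truffleHog made popular. It catches unprefixed keys (the AWS secret key)
# at the cost of a threshold that has to be tuned per alphabet.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
BASE64_ENTROPY_THRESHOLD = 4.5  # bits per character
HEX_ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan every added *and* removed line: a secret deleted in a later commit
    is still recoverable from history, so '-' lines matter as much as '+'."""
    findings = set()
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue  # context lines and file headers
        body = line[1:]
        for name, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(body):
                findings.add(Finding(line_no, name, m.group(0)))
        for m in BASE64_RUN.finditer(body):
            if shannon_entropy(m.group(0)) > BASE64_ENTROPY_THRESHOLD:
                findings.add(Finding(line_no, "high-entropy-base64", m.group(0)))
        for m in HEX_RUN.finditer(body):
            if shannon_entropy(m.group(0)) > HEX_ENTROPY_THRESHOLD:
                findings.add(Finding(line_no, "high-entropy-hex", m.group(0)))
    return sorted(findings, key=lambda f: (f.line_no, f.rule))


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no:3d}  {f.rule:22s} {f.value}")
```

Two things the sample is built to show: the AWS access key ID is caught only by its format rule (its entropy is about 3.7 bits, under the base64 threshold), while the secret key next to it has no prefix at all and is caught only by entropy; and the removed `PASSWORD` line is still reported, because deleting a secret in a later commit does not remove it from history.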

## Software Composition Analysis

- [Open Source Insights](https://deps.dev/) - Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
- [DependencyTrack](https://github.com/DependencyTrack/dependency-track) - ![GitHub stars](https://img.shields.io/github/stars/DependencyTrack/dependency-track?style=flat-square) - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- [DependencyCheck](https://github.com/jeremylong/DependencyCheck) - ![GitHub stars](https://img.shields.io/github/stars/jeremylong/DependencyCheck?style=flat-square) - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
- [scancode-toolkit](https://github.com/nexB/scancode-toolkit) - ![GitHub stars](https://img.shields.io/github/stars/nexB/scancode-toolkit?style=flat-square) - ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
- [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort) - ![GitHub stars](https://img.shields.io/github/stars/oss-review-toolkit/ort?style=flat-square) - The OSS Review Toolkit (ORT) aims to assist with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies.
- [License Finder](https://github.com/pivotal/LicenseFinder) - ![GitHub stars](https://img.shields.io/github/stars/pivotal/LicenseFinder?style=flat-square) - LicenseFinder works with package managers to find dependencies, detect the licenses of the packages in them, and compare those licenses against a user-defined list of permitted licenses.
- [go-licenses](https://github.com/google/go-licenses) - ![GitHub stars](https://img.shields.io/github/stars/google/go-licenses?style=flat-square) - Analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
- [Anchore](https://github.com/anchore/grype/) - ![GitHub stars](https://img.shields.io/github/stars/anchore/grype?style=flat-square) - Grype, Anchore's vulnerability scanner for container images and filesystems.
- [OpenSCA-Cli](https://github.com/XmirrorSecurity/OpenSCA-cli) - ![GitHub stars](https://img.shields.io/github/stars/XmirrorSecurity/OpenSCA-cli?style=flat-square) - OpenSCA parses the dependency configuration files of its supported languages and their package managers to find the components in use.
- [MurphySec CLI](https://github.com/murphysecurity/murphysec) - ![GitHub stars](https://img.shields.io/github/stars/murphysecurity/murphysec?style=flat-square) - MurphySec CLI is used for detecting vulnerable dependencies from the command line, and can also be integrated into your CI/CD pipeline.
- [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) - Dependency Scanning analyzer that uses the GitLab Advisory Database.
- [reuse-tool](https://github.com/fsfe/reuse-tool) - ![GitHub stars](https://img.shields.io/github/stars/fsfe/reuse-tool?style=flat-square) - The tool for checking and helping with compliance with the REUSE recommendations.
- [lgtm](https://lgtm.com/) - A code analysis platform for finding zero-days and preventing critical vulnerabilities. lgtm.com was shut down in December 2022; its CodeQL engine continues as GitHub code scanning (see the Static Application Security Testing section).
- [bomber](https://github.com/devops-kung-fu/bomber) - ![GitHub stars](https://img.shields.io/github/stars/devops-kung-fu/bomber?style=flat-square) - Scans SBOMs for security vulnerabilities.
- [CVE-2021-44228-Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner) - ![GitHub stars](https://img.shields.io/github/stars/logpresso/CVE-2021-44228-Scanner?style=flat-square) - Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228.
- [osv-scanner](https://github.com/google/osv-scanner) - ![GitHub stars](https://img.shields.io/github/stars/google/osv-scanner?style=flat-square) - Vulnerability scanner written in Go which uses the data provided by https://osv.dev.

## Static Application Security Testing

- [trivy](https://github.com/aquasecurity/trivy) - ![GitHub stars](https://img.shields.io/github/stars/aquasecurity/trivy?style=flat-square) - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
- [Horusec](https://github.com/ZupIT/horusec) - ![GitHub stars](https://img.shields.io/github/stars/ZupIT/horusec?style=flat-square) - Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
- [Semgrep](https://github.com/returntocorp/semgrep) - ![GitHub stars](https://img.shields.io/github/stars/returntocorp/semgrep?style=flat-square) - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- [Scan](https://github.com/ShiftLeftSecurity/sast-scan) - ![GitHub stars](https://img.shields.io/github/stars/ShiftLeftSecurity/sast-scan?style=flat-square) - Scan is a free & open source DevSecOps tool for performing static-analysis-based security testing of your applications and their dependencies.
- [starter-workflows](https://github.com/actions/starter-workflows/tree/main/code-scanning) - GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
- [CodeQL](https://github.com/github/codeql) - ![GitHub stars](https://img.shields.io/github/stars/github/codeql?style=flat-square) - The libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security.
- [DevSkim](https://github.com/microsoft/DevSkim) - ![GitHub stars](https://img.shields.io/github/stars/microsoft/DevSkim?style=flat-square) - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
- [flawfinder](https://github.com/david-a-wheeler/flawfinder) - ![GitHub stars](https://img.shields.io/github/stars/david-a-wheeler/flawfinder?style=flat-square) - A static analysis tool for finding vulnerabilities in C/C++ source code.
- [kubectl-kubesec](https://github.com/controlplaneio/kubectl-kubesec) - ![GitHub stars](https://img.shields.io/github/stars/controlplaneio/kubectl-kubesec?style=flat-square) - Security risk analysis for Kubernetes resources.
- [mobsfscan](https://github.com/MobSF/mobsfscan) - ![GitHub stars](https://img.shields.io/github/stars/MobSF/mobsfscan?style=flat-square) - mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective-C code.
- [njsscan](https://github.com/ajinabraham/njsscan) - ![GitHub stars](https://img.shields.io/github/stars/ajinabraham/njsscan?style=flat-square) - njsscan is a semantic-aware SAST tool that can find insecure code patterns in your Node.js applications.
- [tfsec](https://github.com/aquasecurity/tfsec) - ![GitHub stars](https://img.shields.io/github/stars/aquasecurity/tfsec?style=flat-square) - Security scanner for your Terraform code.
- [insider](https://github.com/insidersec/insider) - ![GitHub stars](https://img.shields.io/github/stars/insidersec/insider?style=flat-square) - SAST engine focused on covering the OWASP Top 10; supports Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Ful...
- [SpotBugs](https://github.com/spotbugs/spotbugs) - ![GitHub stars](https://img.shields.io/github/stars/spotbugs/spotbugs?style=flat-square) - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
- [Find Security Bugs](https://github.com/find-sec-bugs/find-sec-bugs) - ![GitHub stars](https://img.shields.io/github/stars/find-sec-bugs/find-sec-bugs?style=flat-square) - The SpotBugs plugin for security audits of Java web applications and Android applications.
- [go-license-detector](https://github.com/src-d/go-license-detector) - ![GitHub stars](https://img.shields.io/github/stars/src-d/go-license-detector?style=flat-square) - A command line application and a library, written in Go. It scans the given directory for license files, normalizes and hashes them and outputs all the fuzzy matches with the list of reference texts.
- [askalono](https://github.com/jpeddicord/askalono) - ![GitHub stars](https://img.shields.io/github/stars/jpeddicord/askalono?style=flat-square) - askalono is a library and command-line tool to help detect license texts. It's designed to be fast, accurate, and to support a wide variety of license texts.
- [licensechecker](https://github.com/boyter/lc) - ![GitHub stars](https://img.shields.io/github/stars/boyter/lc?style=flat-square) - licensechecker (lc) is a command line application which scans directories and identifies what software license things are under, producing reports as either SPDX, CSV, JSON, XLSX or CLI tabular output. Dual-licensed under MIT or the UNLICENSE.
- [licensee](https://github.com/licensee/licensee) - ![GitHub stars](https://img.shields.io/github/stars/licensee/licensee?style=flat-square) - A Ruby Gem to detect under what license a project is distributed.
- [licenseclassifier](https://github.com/google/licenseclassifier) - ![GitHub stars](https://img.shields.io/github/stars/google/licenseclassifier?style=flat-square) - The license classifier is a library and set of tools that can analyze text to determine what type of license it contains. It searches for license texts in a file and compares them to an archive of known licenses.
- [licensed](https://github.com/github/licensed) - ![GitHub stars](https://img.shields.io/github/stars/github/licensed?style=flat-square) - A Ruby gem to cache and verify the licenses of dependencies.
- [Tencent Cloud Code Analysis](https://github.com/Tencent/CodeAnalysis) - ![GitHub stars](https://img.shields.io/github/stars/Tencent/CodeAnalysis?style=flat-square) - Tencent Cloud Code Analysis (TCA for short; code-named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking.

## Infrastructure as Code Secure

- [kics](https://github.com/Checkmarx/kics) - ![GitHub stars](https://img.shields.io/github/stars/Checkmarx/kics?style=flat-square) - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
- [Checkov](https://github.com/bridgecrewio/checkov) - ![GitHub stars](https://img.shields.io/github/stars/bridgecrewio/checkov?style=flat-square) - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

## Cloud Security Posture Management

- [nuclei](https://github.com/projectdiscovery/nuclei) - ![GitHub stars](https://img.shields.io/github/stars/projectdiscovery/nuclei?style=flat-square) - Nuclei sends requests across targets based on templates; the template model is designed to keep false positives low while scanning a large number of hosts quickly. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc.
- [RiskScanner](https://github.com/fit2cloud/riskscanner) - ![GitHub stars](https://img.shields.io/github/stars/fit2cloud/riskscanner?style=flat-square) - RiskScanner is an open source multi-cloud security compliance scanning platform. Built on the Cloud Custodian, Prowler and Nuclei engines, it performs security compliance scanning and vulnerability scanning of mainstream public (and private) cloud resources.
- [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) - ![GitHub stars](https://img.shields.io/github/stars/DefectDojo/django-DefectDojo?style=flat-square) - A security orchestration and vulnerability management platform.

## Malware Detection

- [ClamAV](https://github.com/Cisco-Talos/clamav) - ![GitHub stars](https://img.shields.io/github/stars/Cisco-Talos/clamav?style=flat-square) - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
- [YARA](https://github.com/VirusTotal/yara) - ![GitHub stars](https://img.shields.io/github/stars/VirusTotal/yara?style=flat-square) - YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

## Container Security Scanners

- [Clair](https://github.com/quay/clair) - ![GitHub stars](https://img.shields.io/github/stars/quay/clair?style=flat-square) - Vulnerability static analysis for containers.
- [Anchore](https://github.com/anchore/grype/) - ![GitHub stars](https://img.shields.io/github/stars/anchore/grype?style=flat-square) - Grype, Anchore's vulnerability scanner for container images and filesystems.
- [Dagda](https://github.com/eliasgranderubio/dagda/) - ![GitHub stars](https://img.shields.io/github/stars/eliasgranderubio/dagda?style=flat-square) - A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
- [Falco](https://github.com/falcosecurity/falco) - ![GitHub stars](https://img.shields.io/github/stars/falcosecurity/falco?style=flat-square) - Open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
- [Aqua Security](https://github.com/aquasecurity) - Aqua's open source projects include scanners for vulnerabilities in container images, plus vulnerability scanning and management for orchestrators like Kubernetes.
- [Docker Bench](https://github.com/docker/docker-bench-security) - ![GitHub stars](https://img.shields.io/github/stars/docker/docker-bench-security?style=flat-square) - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
- [Harbor](https://goharbor.io/) - A registry that stores, signs and scans Docker images for vulnerabilities.
- [JFrog Xray](https://jfrog.com/xray/) - Intelligent supply chain security and compliance at DevOps speed.
- [Container Security](https://www.qualys.com/apps/container-security/) - Qualys Container Security is a tool used to discover, track and continuously protect container environments.
- [Docker Scan](https://github.com/docker/scan-cli-plugin) - ![GitHub stars](https://img.shields.io/github/stars/docker/scan-cli-plugin?style=flat-square) - Docker Scan uses the Snyk engine and can scan a local Dockerfile, images and their dependencies for known vulnerabilities. `docker scan` could be run from Docker Desktop; Docker has since deprecated it in favour of Docker Scout.

## Vulnerability Databases & Tools

- [National Vulnerability Database](https://nvd.nist.gov/) - The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
- [NVD Tools](https://github.com/facebookincubator/nvdtools) - ![GitHub stars](https://img.shields.io/github/stars/facebookincubator/nvdtools?style=flat-square) - A set of tools to work with the feeds (vulnerabilities, CPE dictionary etc.) distributed by the National Vulnerability Database (NVD).
- [CVE Details](https://www.cvedetails.com/) - CVE Details provides an easy-to-use web interface to CVE vulnerability data.
- [Exploit Database Online](https://www.exploit-db.com/) - The Exploit Database is the most comprehensive collection of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
- [Exploit Database Offline](https://github.com/offensive-security/exploitdb) - ![GitHub stars](https://img.shields.io/github/stars/offensive-security/exploitdb?style=flat-square) - The official Exploit Database repository.
- [VulnDB Data Mirror](https://github.com/stevespringett/vulndb-data-mirror) - ![GitHub stars](https://img.shields.io/github/stars/stevespringett/vulndb-data-mirror?style=flat-square) - A simple Java command-line utility to mirror the entire contents of VulnDB.
- [NIST Data Mirror](https://github.com/stevespringett/nist-data-mirror) - ![GitHub stars](https://img.shields.io/github/stars/stevespringett/nist-data-mirror?style=flat-square) - A simple Java command-line utility to mirror the CVE JSON data feeds from NIST. Note that NVD has retired the legacy JSON feeds this tool mirrors in favour of its 2.0 API.
- [Snyk Vulnerability Database](https://security.snyk.io/vuln) - Snyk's public vulnerability database for open source packages.
- [Vuldb](https://vuldb.com/) - Vulnerability database documenting and explaining security vulnerabilities, threats and exploits since 1970.
- [osv](https://github.com/google/osv) - ![GitHub stars](https://img.shields.io/github/stars/google/osv?style=flat-square) - Open source vulnerability database and triage service.
- [advisory-database](https://github.com/github/advisory-database) - ![GitHub stars](https://img.shields.io/github/stars/github/advisory-database?style=flat-square) - Security vulnerability database of CVEs and GitHub-originated security advisories from the world of open source software.
- [golang/vulndb](https://github.com/golang/vulndb) - ![GitHub stars](https://img.shields.io/github/stars/golang/vulndb?style=flat-square) - The Go vulnerability database.
- [pypa/advisory-database](https://github.com/pypa/advisory-database) - ![GitHub stars](https://img.shields.io/github/stars/pypa/advisory-database?style=flat-square) - Advisory database for Python packages published on pypi.org.
- [RustSec/advisory-db](https://github.com/RustSec/advisory-db) - ![GitHub stars](https://img.shields.io/github/stars/RustSec/advisory-db?style=flat-square) - Security advisory database for Rust crates published through crates.io.
- [gsd-database](https://github.com/cloudsecurityalliance/gsd-database) - ![GitHub stars](https://img.shields.io/github/stars/cloudsecurityalliance/gsd-database?style=flat-square) - The Global Security Database (GSD) is a Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space.
- [oss-fuzz-vulns](https://github.com/google/oss-fuzz-vulns) - ![GitHub stars](https://img.shields.io/github/stars/google/oss-fuzz-vulns?style=flat-square) - OSS-Fuzz vulnerabilities for OSV.
- [vuln-list](https://github.com/aquasecurity/vuln-list) - ![GitHub stars](https://img.shields.io/github/stars/aquasecurity/vuln-list?style=flat-square) - Automatically collects vulnerability information from many upstream sources and saves it in a parsable format.
- [CVE PoC](https://github.com/trickest/cve) - ![GitHub stars](https://img.shields.io/github/stars/trickest/cve?style=flat-square) - Automatically gathers the newest CVEs together with links to their public proofs of concept.
- [CVE List](https://github.com/CVEProject/cvelist) - ![GitHub stars](https://img.shields.io/github/stars/CVEProject/cvelist?style=flat-square) - The CVE Automation Working Group's pilot of using git to share information about public vulnerabilities. This is the legacy (JSON 4.0) list; the CVE Program now publishes CVE Record Format 5 data in the separate cvelistV5 repository.
- [cve-ark](https://github.com/goncalor/cve-ark) - ![GitHub stars](https://img.shields.io/github/stars/goncalor/cve-ark?style=flat-square) - All published CVEs and their recent changes, ready to be used by humans and machines.

## Artifact Metadata

- [in-toto](https://github.com/in-toto/in-toto) - ![GitHub stars](https://img.shields.io/github/stars/in-toto/in-toto?style=flat-square) - An open metadata standard (and Python reference implementation) for attesting to the steps of your software supply chain.
- [Grafeas](https://github.com/grafeas/grafeas) - ![GitHub stars](https://img.shields.io/github/stars/grafeas/grafeas?style=flat-square) - An open source artifact metadata API that provides a uniform way to audit and govern your software supply chain.
- [tkn-intoto-formatter](https://github.com/OpenSecureSupplyChain/tkn-intoto-formatter) - ![GitHub stars](https://img.shields.io/github/stars/OpenSecureSupplyChain/tkn-intoto-formatter?style=flat-square) - A common library to convert any Tekton resource to the in-toto attestation format.

## Identity Tools

- [SPIFFE/SPIRE](https://spiffe.io/) - A universal identity control plane for distributed systems.
- [SWID](https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-18.html) - Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches and installation bundles. The linked draft defines CoSWID, the compact CBOR encoding of SWID tags, since published as RFC 9393.
- [purl](https://github.com/package-url/purl-spec) - ![GitHub stars](https://img.shields.io/github/stars/package-url/purl-spec?style=flat-square) - A purl (package URL) is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
- [Grafeas](https://github.com/grafeas/grafeas) - ![GitHub stars](https://img.shields.io/github/stars/grafeas/grafeas?style=flat-square) - Grafeas defines an API spec for managing metadata about software resources, such as container images, Virtual Machine (VM) images, JAR files and scripts.
- [CIRCL hashlookup](https://www.circl.lu/services/hashlookup/) - CIRCL hash lookup is a public API to look up hash values against a database of known files.
- [Dex](https://github.com/dexidp/dex) - ![GitHub stars](https://img.shields.io/github/stars/dexidp/dex?style=flat-square) - Dex is an identity service that uses OpenID Connect to drive authentication for other apps.

## CI/CD

- [Kaniko](https://github.com/GoogleContainerTools/kaniko) - ![GitHub stars](https://img.shields.io/github/stars/GoogleContainerTools/kaniko?style=flat-square) - Build container images from a Dockerfile inside a container or Kubernetes cluster, without a Docker daemon.
- [BuildKit](https://github.com/moby/buildkit) - ![GitHub stars](https://img.shields.io/github/stars/moby/buildkit?style=flat-square) - Concurrent, cache-efficient and Dockerfile-agnostic builder toolkit.
- [Tektoncd](https://github.com/tektoncd/) - A cloud-native solution for building CI/CD systems.
- [Reproducible Builds](https://reproducible-builds.org/) - Reproducible builds are a set of software development practices that create an independently verifiable path from source to binary code.
- [Argo](https://argoproj.github.io/) - Open source tools for Kubernetes to run workflows, manage clusters and do GitOps right.
- [Jenkins](https://www.jenkins.io/) - The leading open source automation server; Jenkins provides hundreds of plugins to support building, deploying and automating any project.
- [Jenkins X](https://github.com/jenkins-x) - CI/CD solution for modern cloud applications on Kubernetes.
- [Prow](https://github.com/kubernetes/test-infra/tree/master/prow) - ![GitHub stars](https://img.shields.io/github/stars/kubernetes/test-infra?style=flat-square) - Prow is a Kubernetes-based CI/CD system. Jobs can be triggered by various types of events and report their status to many different services.
- [jx-git-operator](https://github.com/jenkins-x/jx-git-operator) - ![GitHub stars](https://img.shields.io/github/stars/jenkins-x/jx-git-operator?style=flat-square) - An operator which polls a git repository for changes and triggers a Kubernetes Job to process the changes in git.
- [Lighthouse](https://github.com/jenkins-x/lighthouse) - ![GitHub stars](https://img.shields.io/github/stars/jenkins-x/lighthouse?style=flat-square) - Lighthouse is a lightweight ChatOps-based webhook handler which can trigger Jenkins X Pipelines, Tekton Pipelines or Jenkins Jobs based on webhooks from multiple git providers such as GitHub, GitHub Enterprise, Bitbucket Server and GitLab.
- [Starter Workflows](https://github.com/actions/starter-workflows) - ![GitHub stars](https://img.shields.io/github/stars/actions/starter-workflows?style=flat-square) - Workflow files for helping people get started with GitHub Actions.
- [ko](https://github.com/google/ko) - ![GitHub stars](https://img.shields.io/github/stars/google/ko?style=flat-square) - Build and deploy Go applications on Kubernetes.

## Signing Artefacts

- [cosign](https://github.com/sigstore/cosign) - ![GitHub stars](https://img.shields.io/github/stars/sigstore/cosign?style=flat-square) - Container signing, verification and storage in an OCI registry.
- [Fulcio](https://github.com/sigstore/fulcio) - ![GitHub stars](https://img.shields.io/github/stars/sigstore/fulcio?style=flat-square) - A free root CA for code-signing certificates, issuing short-lived certificates bound to an OIDC identity such as an email address.
- [GPG](https://www.gnupg.org/index.html) - GnuPG is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications, and features a versatile key management system along with access modules for all kinds of public key directories.
- [python-tuf](https://github.com/theupdateframework/python-tuf) - ![GitHub stars](https://img.shields.io/github/stars/theupdateframework/python-tuf?style=flat-square) - Python reference implementation of The Update Framework (TUF).
- [go-tuf](https://github.com/theupdateframework/go-tuf) - ![GitHub stars](https://img.shields.io/github/stars/theupdateframework/go-tuf?style=flat-square) - Go implementation of The Update Framework (TUF).
- [tough](https://github.com/awslabs/tough) - ![GitHub stars](https://img.shields.io/github/stars/awslabs/tough?style=flat-square) - Rust libraries and tools for using and generating TUF repositories.
- [Notation](https://github.com/notaryproject/notation) - ![GitHub stars](https://img.shields.io/github/stars/notaryproject/notation?style=flat-square) - A project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures.
- [k8s-manifest-sigstore](https://github.com/sigstore/k8s-manifest-sigstore) - ![GitHub stars](https://img.shields.io/github/stars/sigstore/k8s-manifest-sigstore?style=flat-square) - kubectl plugin for signing Kubernetes manifest YAML files with sigstore.

## Framework

- [SLSA](https://github.com/slsa-framework/slsa) - ![GitHub stars](https://img.shields.io/github/stars/slsa-framework/slsa?style=flat-square) - A security framework: a checklist of standards and controls to prevent tampering, improve integrity and secure packages and infrastructure in your projects, businesses or enterprises.
- [SCIM (Supply Chain Integrity Model)](https://github.com/microsoft/scim) - ![GitHub stars](https://img.shields.io/github/stars/microsoft/scim?style=flat-square) - The proposed SCIM is intended to become an industry standard specification, easing the path for uniform data flow across globally distributed supply chains. Not to be confused with the SCIM identity provisioning protocol.
- [Software Supply Chain Best Practices](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md) - ![GitHub stars](https://img.shields.io/github/stars/cncf/tag-security?style=flat-square) - The CNCF's comprehensive software supply chain paper highlighting best practices for high- and medium-risk environments.
- [Blueprint Secure Software Pipeline](https://github.com/Venafi/blueprint-securesoftwarepipeline) - ![GitHub stars](https://img.shields.io/github/stars/Venafi/blueprint-securesoftwarepipeline?style=flat-square) - Blueprint for building modern, secure software development pipelines.
- [Witness](https://github.com/testifysec/witness) - ![GitHub stars](https://img.shields.io/github/stars/testifysec/witness?style=flat-square) - Witness is a pluggable framework for software supply chain risk management. It automates, normalizes and verifies software artifact provenance.

## Kubernetes Admission Controller

- [Kyverno](https://github.com/kyverno/kyverno) - ![GitHub stars](https://img.shields.io/github/stars/kyverno/kyverno?style=flat-square) - A policy engine designed for Kubernetes. It can validate, mutate and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize and Git.
- [Kritis](https://github.com/grafeas/kritis) - ![GitHub stars](https://img.shields.io/github/stars/grafeas/kritis?style=flat-square) - An open source solution for securing your software supply chain for Kubernetes applications; it enforces deploy-time security policies using the Grafeas API.
- [Open Policy Agent](https://github.com/open-policy-agent/opa) - ![GitHub stars](https://img.shields.io/github/stars/open-policy-agent/opa?style=flat-square) - Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
- [Ratify](https://github.com/deislabs/ratify) - ![GitHub stars](https://img.shields.io/github/stars/deislabs/ratify?style=flat-square) - A framework for verifying reference artifacts (such as signatures and attestations) attached to container images, with a set of interfaces that admission controllers and other systems can consume to take part in artifact ratification.

## Risk Management

- [Scorecard](https://github.com/ossf/scorecard) - ![GitHub stars](https://img.shields.io/github/stars/ossf/scorecard?style=flat-square) - Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
- [Open Source Project Criticality Score](https://github.com/ossf/criticality_score) - ![GitHub stars](https://img.shields.io/github/stars/ossf/criticality_score?style=flat-square) - Gives a criticality score for an open source project.
- [allstar](https://github.com/ossf/allstar) - ![GitHub stars](https://img.shields.io/github/stars/ossf/allstar?style=flat-square) - GitHub App to set and enforce security policies.
- [SSVC](https://github.com/CERTCC/SSVC) - ![GitHub stars](https://img.shields.io/github/stars/CERTCC/SSVC?style=flat-square) - Stakeholder-Specific Vulnerability Categorization.

## OCI Image Tools

- [Buildah](https://github.com/containers/buildah) - ![GitHub stars](https://img.shields.io/github/stars/containers/buildah?style=flat-square) - A tool that facilitates building OCI images.
- [Skopeo](https://github.com/containers/skopeo) - ![GitHub stars](https://img.shields.io/github/stars/containers/skopeo?style=flat-square) - Work with remote image registries: retrieving information, copying images, signing content.
- [go-containerregistry](https://github.com/google/go-containerregistry) - ![GitHub stars](https://img.shields.io/github/stars/google/go-containerregistry?style=flat-square) - Go library and CLIs for working with container registries.
- [Buildpacks](https://github.com/GoogleCloudPlatform/buildpacks) - ![GitHub stars](https://img.shields.io/github/stars/GoogleCloudPlatform/buildpacks?style=flat-square) - Providing tooling to transform source code into container images using modular, reusable build functions.

## Data Store

- [Trillian](https://github.com/google/trillian) - ![GitHub stars](https://img.shields.io/github/stars/google/trillian?style=flat-square) - A transparent, highly scalable and cryptographically verifiable data store.
- [Rekor](https://github.com/sigstore/rekor) - ![GitHub stars](https://img.shields.io/github/stars/sigstore/rekor?style=flat-square) - Software supply chain transparency log.
- [ORAS](https://oras.land/) - Registries are evolving into generic artifact stores. To enable this goal, the ORAS project provides a way to push and pull OCI Artifacts to and from OCI registries.

## Fuzz Testing

- [OSS-Fuzz](https://github.com/google/oss-fuzz) - ![GitHub stars](https://img.shields.io/github/stars/google/oss-fuzz?style=flat-square) - Continuous fuzzing for open source software.

## Demo

- [ssf](https://github.com/thesecuresoftwarefactory/ssf) - ![GitHub stars](https://img.shields.io/github/stars/thesecuresoftwarefactory/ssf?style=flat-square) - Prototype implementation of the CNCF's Software Supply Chain Best Practices White Paper.
- [demonstration of SLSA provenance generation strategies](https://github.com/slsa-framework/provenance-architecture-demo) - ![GitHub stars](https://img.shields.io/github/stars/slsa-framework/provenance-architecture-demo?style=flat-square) - A demonstration of SLSA provenance generation strategies that don't require full build system integration.
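The entries under Artifact Metadata (in-toto), Signing Artefacts (cosign, Notation), Framework (SLSA, Witness) and the provenance demo above all meet in one data structure: an in-toto Statement carrying a SLSA provenance predicate, wrapped in a DSSE envelope. The Go program below is an added example, not code from any of the listed projects, showing how that envelope is built, signed and verified, including the subject-digest check that ties the attestation to the artifact actually in hand. The three URIs are the public in-toto and SLSA identifiers; the key id, builder and build-type URLs and the artifact bytes are constructed placeholders, and a raw Ed25519 key stands in for the Fulcio-issued certificates a real deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const ( // the three URIs are the public in-toto / SLSA identifiers; key ids, URLs and artifact bytes below are constructed
	inTotoPayloadType = "application/vnd.in-toto+json"
	statementType     = "https://in-toto.io/Statement/v1"
	provenanceType    = "https://slsa.dev/provenance/v1"
)

type (
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Statement struct { // in-toto attestation payload: subject (what) + predicate (the claim about it)
		Type          string          `json:"_type"`
		Subject       []Subject       `json:"subject"`
		PredicateType string          `json:"predicateType"`
		Predicate     json.RawMessage `json:"predicate"`
	}
	Signature struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	}
	Envelope struct { // DSSE envelope, the format cosign, witness and the in-toto tooling exchange
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"` // base64 of the serialized Statement
		Signatures  []Signature `json:"signatures"`
	}
)

// pae is the DSSE v1 pre-authentication encoding; signing it binds the payload type to the payload bytes.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewProvenanceStatement builds a minimal SLSA v1 provenance statement for one artifact.
func NewProvenanceStatement(name string, artifact []byte, builderID string) Statement {
	predicate, _ := json.Marshal(map[string]interface{}{ // minimal SLSA v1 predicate shape
		"buildDefinition": map[string]string{"buildType": "https://example.com/build-types/generic@v1"},
		"runDetails":      map[string]interface{}{"builder": map[string]string{"id": builderID}}})
	return Statement{Type: statementType, PredicateType: provenanceType, Predicate: predicate,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}}}
}

// Sign serializes the statement into a DSSE envelope with one Ed25519 signature over the PAE.
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body), Signatures: []Signature{
		{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(inTotoPayloadType, body)))}}}, nil
}

// Verify parses the payload only after a signature under keyID validates over the PAE, so a changed payload, payloadType or signature is rejected first.
func Verify(env Envelope, pub ed25519.PublicKey, keyID string) (Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); s.KeyID != keyID || err != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
			continue
		}
		var stmt Statement
		if err := json.Unmarshal(body, &stmt); err != nil || stmt.Type != statementType {
			return Statement{}, fmt.Errorf("signed payload is not an in-toto Statement (type %q, err %v)", stmt.Type, err)
		}
		return stmt, nil
	}
	return Statement{}, fmt.Errorf("no valid signature for keyid %q", keyID)
}

// SubjectMatches is the step that is easy to skip: a valid signature proves some statement was signed, not that it covers the artifact in hand.
func SubjectMatches(stmt Statement, artifact []byte) bool {
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == want {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)         // nil reader selects crypto/rand
	artifact := []byte("constructed artifact bytes") // stands in for a real build output
	env, _ := Sign(NewProvenanceStatement("app.tar.gz", artifact, "https://ci.example/builder"), priv, "build-key-1")
	stmt, err := Verify(env, pub, "build-key-1")
	fmt.Println("verified:", err == nil, "covers artifact:", err == nil && SubjectMatches(stmt, artifact))
}
```

`Verify` is not specific to provenance: it accepts any in-toto Statement, and a policy layer (Kyverno, OPA or Ratify from the sections above) would then inspect `PredicateType` and the predicate body. The two checks that matter in practice are the ones a signature alone does not give you: the PAE binds `payloadType` so a signature over one document type cannot be replayed as another, and `SubjectMatches` binds the attestation to the digest of the artifact you are about to deploy.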