Software Composition Analysis

Ossprey is a software supply chain security platform that uses AI-powered scanning to detect malicious open source code and prevent supply chain attacks through automated policy enforcement and dependency analysis.

A device security analysis platform that provides comprehensive vulnerability scanning, SBOM management, and supply chain security monitoring for connected devices and their components.

An application security platform that combines SCA, SAST, container security, dependency management, and AI model risk analysis with integrated workflows for development and security teams.

An integrated software supply chain platform that combines repository management, security scanning, and DevSecOps capabilities for managing and securing the entire software development lifecycle.

A software supply chain security platform that analyzes binaries and software components to detect malware, vulnerabilities, exposed secrets, and tampering throughout the development lifecycle.

A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.

Black Duck is an application security platform that provides software composition analysis and supply chain security capabilities to identify vulnerabilities, ensure license compliance, and manage SBOMs throughout the software development lifecycle.

Anchore Enterprise is a platform that protects and secures software supply chains end-to-end.

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

JavaScript library scanner and SBOM generator

AuditJS is a command-line tool that scans JavaScript projects for known vulnerabilities and outdated packages in npm dependencies using the OSS Index API or Nexus IQ Server.

An extensible, heuristic-based vulnerability scanning tool for installed npm packages.

A tool to run YARA rules against node_module folders to identify suspicious scripts

Comprehensive suite for advanced file analysis and software supply chain security.

Preflight is a Go-based verification tool that helps organizations validate scripts and executables to prevent supply chain attacks by enabling secure self-compilation and trusted distribution methods.

A cryptographic framework that secures software update systems by enabling publishers to sign content offline and consumers to verify authenticity through trusted verification mechanisms.

NodeSecure is a cybersecurity project that provides security monitoring and analysis capabilities specifically designed for Node.js applications.

A security tool that detects potential Dependency Confusion attack vectors by identifying private package names that are not reserved on public registries.

Reverts sha1 integrity back to sha512 in lock files for enhanced security.

A developer added malicious code to a popular open-source package, wiping files on computers in Russia and Belarus as a protest.

Pac-resolver, a popular NPM package with 3 million weekly downloads, has a severe remote code execution flaw.

Patch-level verification tool for bundler to check for vulnerable gems and insecure sources.

A set of tools for securing JavaScript projects against software supply chain attacks.

An open-source framework that detects and prevents dependency confusion attacks across multiple package management systems and development environments.