Tools that secure the build and CI/CD pipeline plus artifact integrity through provenance, signing, and malicious-package detection.
Browse 66 software supply chain security tools
A centralized platform for managing open source components and automating software supply chain security.
Automates software supply chain security by blocking malicious open source components.
A dependency security scanner that identifies potential supply chain vulnerabilities by checking for available package namespace registrations across Python, JavaScript, PHP, and Maven repositories.
Package verification tool for npm with various verification and testing capabilities.
Helm plugin for cryptographically signing and verifying charts with GnuPG integration.
Preflight is a Go-based verification tool that helps organizations validate scripts and executables to prevent supply chain attacks by enabling secure self-compilation and trusted distribution methods.
npm-zoo is a curated database of known malicious NPM packages that helps developers and security researchers identify and avoid potentially harmful dependencies in their projects.
A Python script that scans Nexus Repository Manager for artifacts with identical names across repositories to identify dependency confusion attack vulnerabilities.
A security tool that detects potential Dependency Confusion attack vectors by identifying private package names that are not reserved on public registries.
A tool that safely installs packages with npm/yarn by auditing them as part of your install process.
Lint lockfiles for improved security and trust policies.
A set of tools for securing JavaScript projects against software supply chain attacks.
A tool that checks for hijackable packages in the npm and Python PyPI registries.
An open-source framework that detects and prevents dependency confusion attacks across multiple package management systems and development environments.
A CLI tool for signing and verifying npm and yarn packages.
Grafeas is an API specification for managing and auditing metadata about software resources across the software supply chain.
GuardDog is a CLI tool that identifies malicious PyPI and npm packages using heuristics-based analysis of source code and metadata.