EdgeBit

EdgeBit is a software supply chain security platform that focuses on identifying, fixing, and merging dependency vulnerabilities across development pipelines and production environments. It has been acquired by FOSSA. Core capabilities: - Continuous Software Composition Analysis (SCA): Catalogs open source usage, scans for vulnerabilities, and maps findings to running workloads in production. - SBOM Generation: Produces and manages Software Bills of Materials (SBOMs) for containers, Linux machines, and cloud workloads, enabling inventory visibility and customer communication. - Dependency Autofix: Uses static analysis, code reachability analysis, and AI to automatically generate and merge safe dependency update pull requests, reducing manual remediation effort. - Reachability Analysis: Evaluates vulnerability reachability at both build time and runtime to reduce noise and prioritize only exploitable issues in the actual execution path. - Build Pipeline Integration: Integrates with CI/CD pipelines (GitHub, GitLab, Jenkins, Buildkite) to block vulnerable dependencies before they are merged. - Production Workload Monitoring: Deploys agents to Kubernetes clusters, ECS, and Linux servers to monitor running workloads and map vulnerabilities to live environments. - Vulnerability Management: Helps security and engineering teams prioritize and burn down vulnerability backlogs based on real-world impact. - Supply Chain Regulation Compliance: Provides automation to meet software supply chain regulatory requirements. - Open Source Governance: Guides engineers in evaluating open source dependencies before adoption. The platform is built on open standards including SPDX, VEX, eBPF, sigstore, in-toto, OCI/Docker, and Kubernetes. It includes open-source components such as a Linux agent, cluster agent, CLI, and GitHub Build Action.