Kusari Software Supply Chain Security

Kusari is a software supply chain security platform designed for DevSecOps teams. It continuously maps every component in a software environment, providing visibility into what components are present, where they came from, what risks they carry, and how to remediate issues. Core capabilities: - Provenance Tracking: Traces each library, binary, and container back to its original source, providing verifiable origin and history for all shipped components. This helps identify typosquatted packages and unknown binaries. - Vulnerability Prioritization: Rather than surfacing every alert from scanners, Kusari applies contextual analysis (exploitability, user-facing status, infrastructure criticality) to reduce noise and surface only actionable threats. It provides a real-time blast radius graph showing every app/service affected by a given CVE. - Policy Enforcement: Allows teams to set automated rules to block insecure or unapproved components within CI/CD pipelines. Components that fail policy checks trigger instant build alerts before reaching production. - SBOM and Compliance Artifacts: Every build automatically generates a signed Software Bill of Materials (SBOM), a Vulnerability Exploitability eXchange (VEX) report, and a provenance attestation, creating an audit-ready compliance packet for customers and regulators. - Risk Scoring: Provides per-dependency risk scores, license issue checks, and provenance verification for developers. The platform targets regulated industries including healthcare/medical devices, defense, critical infrastructure/utilities, and financial services. Kusari is also a contributor to open source supply chain security tooling, including the GUAC (Graph for Understanding Artifact Composition) project.