bureado/awesome-software-supply-chain-security

GitHub: bureado/awesome-software-supply-chain-security

Stars: 348 | Forks: 38

# awesome-software-supply-chain-security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

A compilation of resources in the software supply chain security space, with a focus on open source.

- [awesome-software-supply-chain-security](#awesome-software-supply-chain-security)
  - [About this list](#about-this-list)
  - [Dependency intelligence](#dependency-intelligence)
    - [SCA and SBOM](#sca-and-sbom)
    - [Vulnerability information exchange](#vulnerability-information-exchange)
    - [Point-of-use validations](#point-of-use-validations)
  - [Supply chain beyond libraries](#supply-chain-beyond-libraries)
  - [Identity, signing and provenance](#identity-signing-and-provenance)
  - [Frameworks and best practice references](#frameworks-and-best-practice-references)
  - [Build techniques](#build-techniques)
  - [Talks, articles, media coverage and other reading](#talks-articles-media-coverage-and-other-reading)
  - [Getting started and staying fresh](#getting-started-and-staying-fresh)

## About this list

There is no prescribed taxonomy for this space. This list necessarily overlaps with disciplines and categories such as DevSecOps, SAST, SCA and others. The [supply-chain-synthesis](https://github.com/AevaOnline/supply-chain-synthesis/) repo offers a long-form read that explains why that happens and gives helpful guidance on understanding and dealing with its evolution.

For `awesome-software-supply-chain-security` we take the following high-level approach: the different actors in the supply chain contribute **attestations** about the elements represented in the chain. In this process-centric view, attestations are _issued_, _augmented_ (for example during composition) and _verified_. Through this lens we can identify a large group of "subjects", different categories of "facts" (licenses or vulnerabilities), and the specific roles of identity, provenance and build systems. This is the rationale behind the current headings, and it is expected to evolve as the field does.

## Dependency intelligence

* [picatz/deputy: Comprehensive dependency management tool for secure dependency lifecycle management covering vulnerability scans, diffs, fixes, SBOMs, sandboxed execution, and policy-as-code enforcement across repos, images, and registries](https://github.com/picatz/deputy). Read: [Introduction to Deputy](https://picatz.github.io/blog/2026/1/21/introduction-to-deputy)
* Read: [HyperRes: A Formal System for Cross-Ecosystem Dependency Resolution](https://arxiv.org/abs/2506.10803), which addresses polyglot projects by supporting versioned dependency resolution across language ecosystems without requiring users to switch package managers
* [Open Source Insights](https://deps.dev/)
* [guacsec/guac: GUAC aggregates software security metadata into a high fidelity graph database.](https://github.com/guacsec/guac)
* [package-url/purl-spec: A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby](https://github.com/package-url/purl-spec)
* Online services that help understand _what_ a specific dependency is, or at least whether it is known (typically taking a package identifier such as a `purl`, a CPE or another form of `ecosystem:name:version`, or a hash):
  * [NSRL](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/about-nsrl/library-contents): hashes of [COTS software](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/about-nsrl/library-contents), well integrated in tools from [sleuthkit/hfind](http://manpages.ubuntu.com/manpages/bionic/man1/hfind.1.html) to [nsrllookup](https://github.com/rjhansen/nsrllookup)
  * A more open-source-aware source that can be queried through a public API (HTTP and DNS!) is [CIRCL hashlookup](https://www.circl.lu/services/hashlookup/)
  * [Repology](https://repology.org/) has legendary coverage of Linux packages across many distributions; its [repology-updater](https://github.com/repology/repology-updater) and other parts of its infrastructure are open source. It feeds an updater for [WikiData](https://github.com/repology/repology-wikidata-bot), which also carries properties of interest to the supply chain security space.
  * Debian's [external repositories metadata](https://salsa.debian.org/extrepo-team/extrepo-data/-/tree/master/repos/debian)
  * Tidelift's [libraries.io](https://libraries.io/) offers an [API](https://libraries.io/api) and supports more than 30 package ecosystems (plus [several useful open source tools](https://github.com/librariesio))
  * WhiteSource's [Unified Agent](https://whitesource.atlassian.net/wiki/spaces/WD/pages/1140852201/Getting+Started+with+the+Unified+Agent#Binary-and-Source-File-Matching-Overview) also offers some sophisticated file-matching capabilities
  * The [Software Heritage Project](https://archive.softwareheritage.org/) has massive ingestion capabilities and [offers an API](https://archive.softwareheritage.org/api/1/known/doc/) that can effectively check whether a hash is known and, if so, provide some information about the file
    * See also the [swh scanner CLI](https://docs.softwareheritage.org/devel/swh-scanner/cli.html)
  * [hashdd - Known Good Cryptographic Hashes](https://www.hashdd.com/#approach)
  * [ClearlyDefined](https://docs.clearlydefined.io/using-data) provides licensing information based on the coordinates of open source components
  * [LGTM - Code Analysis Platform to Find and Prevent Vulnerabilities](https://lgtm.com/#explore) allows manual search by GitHub repository
  * [Binary Transparency directory](https://bintra.directory/) offers an API that allows searching for packages by hash and other attributes
    * A somewhat related read is the second half of [How Cloudflare verifies the code WhatsApp Web serves to users](https://blog.cloudflare.com/cloudflare-verifies-code-whatsapp-web-serves-users/#security-needs-to-be-convenient)
    * As well as [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
    * Not to be confused with the legendary read on [Binary Transparency](https://binary.transparency.dev/)
* For inputs fetched via, e.g., `curl`:
  * [SpectralOps/preflight: preflight helps you verify scripts and executables to mitigate chain of supply attacks such as the recent Codecov hack.](https://github.com/spectralops/preflight)
  * [apiaryio/curl-trace-parser: Parser for output from Curl --trace option](https://github.com/apiaryio/curl-trace-parser)
  * [curl trace attestor · Issue #139 · testifysec/witness](https://github.com/testifysec/witness/issues/139)
  * [Friends don't let friends Curl | Bash](https://sysdig.com/blog/friends-dont-let-friends-curl-bash/)
  * And the very interesting [Enable packaging of curl|bash and other wild stuff. by jordansissel · Pull Request #1957 · jordansissel/fpm](https://github.com/jordansissel/fpm/pull/1957#issuecomment-1304978342)
* [Falco](https://falco.org/)
* [aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF](https://github.com/aquasecurity/tracee)
* [genuinetools/bane: Custom & better AppArmor profile generator for Docker containers.](https://github.com/genuinetools/bane)
* [containers/oci-seccomp-bpf-hook: OCI hook to trace syscalls and generate a seccomp profile](https://github.com/containers/oci-seccomp-bpf-hook)
* [bottlerocket-os/hotdog: Hotdog is a set of OCI hooks used to inject the Log4j Hot Patch into containers.](https://github.com/bottlerocket-os/hotdog)
* [deepfence/ThreatMapper: 🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥](https://github.com/deepfence/ThreatMapper)
* [dependency-check](https://jeremylong.github.io/DependencyCheck/index.html)
* [6mile/super-confused: Dependency confusion analysis tool supporting 17+ file formats and SBOM files](https://github.com/6mile/super-confused), identifying confusion opportunities across npm, PyPI, Cargo, Packagist, RubyGems, Maven, Go and other ecosystems
* [apiiro/combobulator: Dependency Combobulator is an open-source, modular, and extensible framework to detect and prevent dependency confusion attacks](https://github.com/apiiro/combobulator)
* [DataDog/ghbuster: Detects suspicious GitHub repositories and users using heuristics to identify potentially malicious or inauthentic accounts](https://github.com/DataDog/ghbuster)
* [mchmarny/reputer: CLI tool that calculates contributor reputation scores from Git provider APIs (GitHub, GitLab) as an identity confidence indicator based on cryptographic signing, 2FA enablement, account age, and engagement depth](https://github.com/mchmarny/reputer). Read: [Scoring Contributor Reputation](https://blog.chmarny.com/posts/reputer-scoring-contributor-reputation/)
* [DataDog/supply-chain-firewall: Python tool for preventing installation of malicious and vulnerable PyPI and npm packages, protecting developers' workstations from supply chain attacks](https://github.com/DataDog/supply-chain-firewall). Read: [Introducing Supply-Chain Firewall](https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewall/)
* [JorianWoltjer/git-authors: Enumerate authors in Git logs across repositories for OSINT, extracting names and emails from commit history](https://github.com/JorianWoltjer/git-authors)
* [ossf/package-analysis: Open Source Package Analysis](https://github.com/ossf/package-analysis) and [ossf/package-feeds: Feed parsing for language package manager updates](https://github.com/ossf/package-feeds)
  * Related: [Introducing Package Analysis: Scanning open source packages for malicious behavior](https://openssf.org/blog/2022/04/28/introducing-package-analysis-scanning-open-source-packages-for-malicious-behavior/)
  * See also [Argo Security Automation with OSS-Fuzz](https://blog.argoproj.io/argo-security-automation-with-oss-fuzz-da38c1f86452), [Improving Security by Fuzzing the CNCF landscape](https://www.cncf.io/blog/2022/06/28/improving-security-by-fuzzing-the-cncf-landscape/) and [google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.](https://github.com/google/oss-fuzz)
    * As well as [ClusterFuzzLite](https://google.github.io/clusterfuzzlite/)
    * For Node.js: [CodeIntelligenceTesting/jazzer.js: Coverage-guided, in-process fuzzing for the Node.js](https://github.com/CodeIntelligenceTesting/jazzer.js)
  * Also, although arguably closer to the application observability space, [IntelLabs/control-flag: A system to flag anomalous source code expressions by learning typical expressions from training data](https://github.com/IntelLabs/control-flag)
* [abhisek/supply-chain-security-gateway: Reference architecture and proof of concept implementation for supply chain security gateway](https://github.com/abhisek/supply-chain-security-gateway)
* [cugu/gocap: List your dependencies capabilities and monitor if updates require more capabilities.](https://github.com/cugu/gocap)
* [MATE: Interactive Program Analysis with Code Property Graphs](https://galois.com/blog/2022/08/mate-interactive-program-analysis-with-code-property-graphs/); see also [GaloisInc/MATE: MATE is a suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code using Code Property Graphs](https://github.com/GaloisInc/MATE) and the [docs](https://galoisinc.github.io/MATE/)
* [Checkmarx/chainalert-github-action: scans popular packages and alerts in cases there is suspicion of an account takeover](https://github.com/Checkmarx/chainalert-github-action)
* Open Source Security Foundation (OpenSSF) [Alpha-Omega Project](https://openssf.org/community/alpha-omega/)
* [Socket - Find and compare millions of open source packages](https://socket.dev/), focused on JavaScript
* [Shai Hulud 2.0 Scanner](https://github.com/nxgn-kd01/shai-hulud-scanner) - fast, comprehensive scanner for detecting the Shai Hulud 2.0 npm supply chain attack (796+ compromised packages). Scans for malicious files, credential theft patterns and compromised package ecosystems.
* [diffoscope: in-depth comparison of files, archives, and directories](https://diffoscope.org/)
* [RedHatProductSecurity/component-registry: Component Registry (Corgi) aggregates component data across Red Hat's supported products, managed services, and internal product pipeline services.](https://github.com/RedHatProductSecurity/component-registry)
* [OSS Insight](https://ossinsight.io/), powered by TiDB Cloud, is an insight tool that helps you analyze any single GitHub repository or developer in depth, compare any two repositories using the same metrics, and provides comprehensive, valuable and trending open source insights.
* [Announcing the Private Beta of FOSSA Risk Intelligence](https://fossa.com/blog/announcing-private-beta-risk-intelligence/)
* From [Projects | Software Transparency Foundation](https://st.foundation/projects), see [OSSKB | Free Open Source Inventorying](https://osskb.org/)
  * In particular: [scanoss.py/PACKAGE.md at main · scanoss/scanoss.py](https://github.com/scanoss/scanoss.py/blob/main/PACKAGE.md)
* [Artifact Hub](https://artifacthub.io/), which has a [Packages security report](https://artifacthub.io/docs/topics/security_report/) and also [verifies with cosign](https://artifacthub.io/docs/topics/repositories/#kubewarden-policies-repositories)
* [ocicl/ocicl: ASDF system package manager for Common Lisp](https://github.com/ocicl/ocicl) - all packages managed by ocicl have their signatures stored in the Rekor transparency log
* [crt.sh | Certificate Search](https://crt.sh/)
* [grep.app | code search](https://grep.app/)
* [GitHub code search](https://github.com/features/code-search)
* [searchcode | source code search engine](https://searchcode.com/)
* [SpecterOps/DeepPass2: Multi-layer secrets detection using regex patterns, fine-tuned BERT, and LLM verification](https://github.com/SpecterOps/DeepPass2), for identifying structured tokens and context-dependent free-form passwords in documents
* [mongodb/kingfisher: High-performance secret scanner that detects and validates secrets by testing against external systems](https://github.com/mongodb/kingfisher), reducing false positives through entropy analysis and live validation against AWS, Azure, GCP and other platforms
* [rohitcoder/hawk-eye: Command-line tool for discovering secrets and PII across infrastructure including S3, databases, cloud storage, Google Drive, Slack, and file systems using text analysis and OCR on various document formats](https://github.com/rohitcoder/hawk-eye)
* [safedep/pmg: Package Manager Guard wraps package managers (npm, pip, poetry, uv, etc.) to block malicious packages at install time using SafeDep's realtime malware analysis and threat detection](https://github.com/safedep/pmg)
* [Sourcegraph](https://sourcegraph.com/search) from Sourcegraph
* [Onboard open-source contributors on Open Source Hub](https://opensourcehub.io/); see the [docker-slim](https://opensourcehub.io/docker-slim/docker-slim) example in Codesee
* [Code Checker](https://snyk.io/code-checker/) from Snyk
* [Get Started - FOSSology](https://www.fossology.org/get-started/)
* [cve-search/git-vuln-finder: Finding potential software vulnerabilities from git commit messages](https://github.com/cve-search/git-vuln-finder)
* [chaoss/augur: Python library and web service for Open Source Software Health and Sustainability metrics & data collection. You can find our documentation and new contributor information easily here: https://chaoss.github.io/augur/ and learn more about Augur at our website https://augurlabs.io](https://github.com/chaoss/augur)
* [IBM/CBOM: Cryptography Bill of Materials](https://github.com/IBM/CBOM)
* [AppThreat/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief.](https://github.com/AppThreat/blint)
* [trailofbits/vendetect: Command-line tool for automatically detecting vendored and copy/pasted code between repositories](https://github.com/trailofbits/vendetect), using similarity-detection algorithms to identify code reuse and potential intellectual property issues
* [Software-Transparency-Foundation/stf-plagicheck: High-performance code plagiarism detection using winnowing fingerprints and snippet matching to scan source code against the osskb-core-open-dataset for potential code reuse](https://github.com/Software-Transparency-Foundation/stf-plagicheck)
* [GitXray: Security tool for analyzing GitHub repositories to detect threat actors, fake repositories, tampered commits, sensitive information disclosures, and supply chain risks using GitHub REST API](https://gitxray.com/)

Also read:

* [TaptuIT/awesome-devsecops: Curating the best DevSecOps resources and tooling.](https://github.com/TaptuIT/awesome-devsecops#dependency-management)
* Read: [Contour: A Practical System for Binary Transparency](https://arxiv.org/abs/1712.08427)
* Some interesting concepts in: [Shopify/seer-prototype: Security Expert Elicitation of Risks](https://github.com/Shopify/seer-prototype/tree/main)

### SCA and SBOM

The most complete reference is [awesomeSBOM/awesome-sbom](https://github.com/awesomeSBOM/awesome-sbom). Another useful repo, focused on generators, is [cybeats/sbomgen: List of SBOM Generation Tools](https://github.com/cybeats/sbomgen).

* [AppSec Santa — SCA Tools](https://appsecsanta.com/sca-tools) - a curated comparison of SCA tools, with features, pricing and alternatives.
* [GitBOM](https://gitbom.dev/)
  * See also: [git-bom/bomsh: bomsh is collection of tools to explore the GitBOM idea](https://github.com/git-bom/bomsh#Reproducible-Build-and-Bomsh)
  * [yonhan3/gitbom-repo: A repository of gitBOM docs for Linux binaries](https://github.com/yonhan3/gitbom-repo)
  * Listen: [GitBOM. It’s not Git or SBOM](https://thectoadvisor.com/gitbom-podcast/) and [GitBOM: Repurposing Git’s Graph for Supply Chain Security & Transparency](https://www.youtube.com/watch?v=qcQFIv6pCSE)
  * See also [bomsage/vision.md at main · dpp/bomsage](https://github.com/dpp/bomsage/blob/main/info/vision.md), as well as [pkgconf/main.c at master · pkgconf/pkgconf](https://github.com/pkgconf/pkgconf/blob/master/cli/bomtool/main.c) (more in [this thread](https://twitter.com/ariadneconill/status/1558074556723728387))
* [nexB/scancode-toolkit: ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.](https://github.com/nexB/scancode-toolkit)
* OWASP's list of [SCA tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) is comprehensive in its own right
* [Grafeas: A Component Metadata API](https://github.com/grafeas/grafeas)
* [trailofbits/it-depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.](https://github.com/trailofbits/it-depends)
* [Mend SCA SBOM](https://www.mend.io/sbom/), [Mend Bolt: Find and Fix Open Source vulnerabilities](https://www.mend.io/free-developer-tools/bolt/) and [Whitesource Renovate: Automated Dependency Updates](https://www.whitesourcesoftware.com/free-developer-tools/renovate/)
  * [renovatebot/renovate: Universal dependency update tool that fits into your workflows.](https://github.com/renovatebot/renovate)
    * Also read [Use Cases - Renovate Docs](https://docs.renovatebot.com/getting-started/use-cases/)
* [JFrog Xray - Universal Component Analysis & Container Security Scanning](https://jfrog.com/xray/)
* [DependencyTrack/dependency-track: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.](https://github.com/DependencyTrack/dependency-track)
  * [A good read on Dependency-Track](https://tomalrichblog.blogspot.com/2022/06/the-first-complete-sbom-tool.html?m=1)
* [guacsec/trustify](https://github.com/guacsec/trustify) provides a searchable abstraction on top of CycloneDX/SPDX SBOMs, cross-referencing security advisories to identify vulnerabilities. See the [docs](https://docs.trustification.dev/trustify/index.html)
* [trustification/trustification: A collection of services for storing and managing SBOMs and VEX documents](https://github.com/trustification/trustification) (Bombastic, Vexination, V11y, Collectorist, Spog), with vulnerability querying, impact analysis, search and sharing, available as a Helm chart or as a single binary
* [eclipse-sw360/sw360](https://github.com/eclipse-sw360/sw360) is an open source software component catalog for managing software components, licenses and SPDX-backed compliance. See [eclipse.dev/sw360/](https://eclipse.dev/sw360/)
* [oss-review-toolkit/ort: A suite of tools to assist with reviewing Open Source Software dependencies.](https://github.com/oss-review-toolkit/ort)
* [fosslight/fosslight: FOSSLight is an integrated open source management system that supports the open source software lifecycle, including dependency analysis, license compliance, and SBOM generation.](https://github.com/fosslight/fosslight) See [fosslight.org](https://fosslight.org/)
* [fsfe/reuse-tool: REUSE is a tool to check and annotate source files with SPDX license identifiers, making license and copyright information machine-readable.](https://git.fsfe.org/reuse/tool) See [reuse.software](https://reuse.software/)
* [anchore/syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems](https://github.com/anchore/syft) from [Software supply chain security solutions • Anchore](https://anchore.com/)
  * Also note: [New `docker sbom` Command Creates SBOMs Using Syft](https://anchore.com/sbom/docker-sbom-command-creates-sbom-using-syft/)
  * [Creating SBOM Attestations Using Syft and Sigstore](https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/)
    * A simple flow: [utils/ci/github/docker-build-sign-sbom at main · marco-lancini/utils](https://github.com/marco-lancini/utils/tree/main/ci/github/docker-build-sign-sbom)
* [sony/esstra: GCC plugin and Python tool that embeds source file information into binaries during compilation to enhance software transparency, traceability, and SBOM generation for open-source license compliance and vulnerability management](https://github.com/sony/esstra)
* [e-m-b-a/emba: Security analyzer for firmware of embedded devices, supporting static and dynamic analysis via emulation, SBOM generation, and vulnerability reporting](https://github.com/e-m-b-a/emba)
* [ANNOUNCE: Scan is now in maintenance mode · Issue #352 · ShiftLeftSecurity/sast-scan](https://github.com/ShiftLeftSecurity/sast-scan/issues/352)
* [Container Security | Qualys, Inc.](https://www.qualys.com/apps/container-security/)
* [Aqua Cloud Native Security, Container Security & Serverless Security](https://www.aquasec.com/)
* [tern-tools/tern: Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.](https://github.com/tern-tools/tern)
* [REA-Products/C-SCRM-Use-Case at master · rjb4standards/REA-Products](https://github.com/rjb4standards/REA-Products/tree/master/C-SCRM-Use-Case) from [this tweet](https://twitter.com/rjb4standards/status/1481250447331573761?s=12)
  * See also [Energy SBOM Proof of Concept - INL](https://inl.gov/sbom-poc/)
* [Phylum Analyze PR Action: GitHub Action to analyze Pull Requests for open-source supply chain issues](https://github.com/phylum-dev/phylum-analyze-pr-action) from [Phylum | The Software Supply Chain Security Company](https://phylum.io/)
* [microsoft/component-detection: Scans your project to determine what components you use](https://github.com/microsoft/component-detection/)
* [DWARF 5 Standard](https://dwarfstd.org/Dwarf5Std.php)
* [Software Identification (SWID) Tagging | CSRC](https://csrc.nist.gov/projects/software-identification-swid/guidelines) and [Guidelines for the Creation of Interoperable Software Identification (SWID) Tags](https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf)
  * [Concise Software Identification Tags](https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-18.html)
    * [hughsie/python-uswid: A tiny tool for embedding CoSWID tags in EFI binaries](https://github.com/hughsie/python-uswid)
      * See also this [thread](https://twitter.com/hughsient/status/1498259857341915139?s=120)
      * And a practical example [in coreboot](https://review.coreboot.org/c/coreboot/+/63639)
* [ckotzbauer/sbom-operator: Catalogue all images of a Kubernetes cluster to multiple targets with Syft](https://github.com/ckotzbauer/sbom-operator)
* [Security problem management](https://www.dynatrace.com/support/help/how-to-use-dynatrace/application-security/security-problem-management) in Dynatrace Application Security
* [DefectDojo/django-DefectDojo: DefectDojo is a DevSecOps and vulnerability management tool.](https://github.com/DefectDojo/django-DefectDojo)
  * An impressive list of integration examples: [DefectDojo/sample-scan-files: Sample scan files for testing DefectDojo imports](https://github.com/DefectDojo/sample-scan-files)
* [swingletree-oss/swingletree: Integrate and observe the results of your CI/CD pipeline tools](https://github.com/swingletree-oss/swingletree)
* [mercedes-benz/sechub: SecHub - one central and easy way to use different security tools with one API/Client](https://github.com/mercedes-benz/sechub)
* [marcinguy/betterscan-ce: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan Community Edition (CE)](https://github.com/marcinguy/betterscan-ce)
* [BBVA/susto: Systematic Universal Security Testing Orchestration](https://github.com/BBVA/susto)
* [AppThreat/rosa: An experiment that looks very promising so far.](https://github.com/AppThreat/rosa)
* FOSSA's [SBOM Solution](https://fossa.com/lp/simplify-sbom-generation-fossa)
* [Rezilion Dynamic SBOM](https://www.rezilion.com/platform/dynamic-sbom/)
* [opensbom-generator/spdx-sbom-generator: Support CI generation of SBOMs via golang tooling.](https://github.com/opensbom-generator/spdx-sbom-generator)
* Tauruseer's [SBOM tools](https://www.tauruseer.com/platform/dynamic-software-bill-of-materials-SBOM)
* SOOS' [Supported Languages & Manifests](https://kb.soos.io/help/soos-languages-supported)
* Fortress: [Software Bill of Materials](https://www.fortressinfosec.com/sbom)
* [javixeneize/yasca: Yet Another SCA tool](https://github.com/javixeneize/yasca)
* Cybeats [SBOM Studio](https://www.cybeats.com/sbom-studio)
* [DeepBOM](https://www.deepbits.com/platform) from Deepbits, an AI-driven platform for SBOM management, vulnerability assessment, malware detection and license compliance
* [edgebitio/edgebit-build: GitHub action to upload SBOMs to EdgeBit and receive vulnerability context in your pull requests](https://github.com/edgebitio/edgebit-build) from [EdgeBit - Real-time supply chain security, enabling security teams to target and coordinate vulnerability remediation without toil.](https://edgebit.io/)
* REA's [Software Assurance Guardian Point Man (SAG-PM)](https://reliableenergyanalytics.com/products)
* [microsoft/sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts](https://github.com/microsoft/sbom-tool)
* Veracode's [SCA to Automate Security Scanning](https://www.veracode.com/products/software-composition-analysis); see the demo: [How to generate a Software Bill of Materials (SBOM) using Veracode Software Composition Analysis](https://www.youtube.com/watch?v=FfTgeHjEwkk)
* [Enterprise Edition - BluBracket: Code Security & Secret Detection](https://blubracket.com/products/enterprise-edition/)
* [Software Composition Analysis (SCA) | CyberRes](https://www.microfocus.com/en-us/cyberres/application-security/software-composition-analysis)
* [Nexus Intelligence - Sonatype Data Services](https://www.sonatype.com/products/intelligence)
* [kubernetes-sigs/bom: A utility to generate SBOM for Kubernetes projects, supporting SPDX format with file checksums, package information, and license data](https://github.com/kubernetes-sigs/bom)
* [AppThreat/cdxgen: Generates CycloneDX Software Bill of Materials (SBOM) for many languages and package managers including Java, JavaScript, Python, Go, Rust, Ruby, PHP, and more](https://github.com/AppThreat/cdxgen)
* [AppThreat/dep-scan: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI, Google CloudBuild. No server required!](https://github.com/AppThreat/dep-scan)
* [sbs2001/fatbom: fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.](https://github.com/sbs2001/fatbom)
* [Sonatype BOM Doctor](https://bomdoctor.sonatype.dev/#/home)
* [Sonatype OSS Index](https://ossindex.sonatype.org/) is a free service that catalogs open source components and identifies known vulnerabilities, available via the web and a REST API. Integrations include:
  * [sonatype/ossindex-maven: Sonatype OSS Index - Maven Integrations](https://github.com/sonatype/ossindex-maven) (Maven plugin and enforcer rules)
  * [sonatype-nexus-community/scan-gradle-plugin: A Gradle plugin for scanning dependencies with OSS Index and Nexus Lifecycle](https://github.com/sonatype-nexus-community/scan-gradle-plugin)
  * [sonatype-nexus-community/auditjs: Audit JavaScript projects using Sonatype OSS Index or Nexus Lifecycle](https://github.com/sonatype-nexus-community/auditjs)
  * [sonatype-nexus-community/nancy: Checks for vulnerabilities in your Golang dependencies using OSS Index](https://github.com/sonatype-nexus-community/nancy)
  * [sonatype-nexus-community/jake: Check your Python environments and dependencies for known vulnerabilities using OSS Index](https://github.com/sonatype-nexus-community/jake)
  * [illikainen/ossaudit: Audit Python packages for known vulnerabilities using OSS Index](https://github.com/illikainen/ossaudit)
  * [sonatype-nexus-community/chelsea: Interact with Sonatype OSS Index to check for vulnerabilities in your Ruby Gems](https://github.com/sonatype-nexus-community/chelsea)
  * [sonatype-nexus-community/bach: Interact with Sonatype OSS Index to check for vulnerabilities in your PHP (Composer) dependencies](https://github.com/sonatype-nexus-community/bach)
  * [sonatype-nexus-community/cargo-pants: Check for vulnerabilities in your Rust Cargo dependencies using OSS Index](https://github.com/sonatype-nexus-community/cargo-pants)
  * [sonatype-nexus-community/oysteR: Secure your R dependencies against known vulnerabilities using OSS Index](https://github.com/sonatype-nexus-community/oysteR)
  * [sonatype-nexus-community/ahab: Scan for vulnerabilities in your apt or yum managed dependencies using OSS Index](https://github.com/sonatype-nexus-community/ahab)
  * [sonatype-nexus-community/cheque: Checks for vulnerabilities in your C/C++ dependencies using OSS Index](https://github.com/sonatype-nexus-community/cheque)
  * [sonatype-nexus-community/DevAudit: Open-source, cross-platform, multi-purpose security auditing tool targeting developers and DevSecOps teams](https://github.com/sonatype-nexus-community/DevAudit)
* [jhutchings1/spdx-to-dependency-graph-action: A GitHub Action that takes SPDX SBOMs and uploads them to GitHub's dependency submission API to power Dependabot alerts](https://github.com/jhutchings1/spdx-to-dependency-graph-action)
  * See also: [evryfs/sbom-dependency-submission-action: Submit SBOMs to GitHub's dependency submission API](https://github.com/evryfs/sbom-dependency-submission-action)
  * And the [Dependency submission](https://docs.github.com/en/rest/dependency-graph/dependency-submission) docs
* [tap8stry/orion: Go beyond package manager discovery for SBOM](https://github.com/tap8stry/orion)
* [patriksvensson/covenant: A tool to generate SBOM (Software Bill of Material) from source code artifacts.](https://github.com/patriksvensson/covenant)
* [CycloneDX/cyclonedx-webpack-plugin: Create CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.](https://github.com/CycloneDX/cyclonedx-webpack-plugin)
* [advanced-security/gh-sbom: Generate SBOMs with gh CLI](https://github.com/advanced-security/gh-sbom)
* [SoftwareDesignLab/SBOM-in-a-Box](https://github.com/SoftwareDesignLab/SBOM-in-a-Box), a unified platform for SBOM generation (using integrated open source tools), conversion, VEX generation, quality metrics, comparison and merging
* [philips-software/SPDXMerge: Tool for merging multiple SPDX JSON/Tag-value SBOMs into a parent SBOM](https://github.com/philips-software/SPDXMerge), supporting deep merges (merging contents) and shallow merges (creating references), with a GitHub Action and Docker support
* [interlynk-io/sbomqs: SBOM quality score - Quality metrics for your sboms](https://github.com/interlynk-io/sbomqs)
* [interlynk-io/sbommv: Tool for transferring SBOMs between systems with modular adapter-based architecture, supporting GitHub, S3, local folders as sources and Dependency-Track, Interlynk Platform, S3, local folders as destinations](https://github.com/interlynk-io/sbommv)
* [eBay/sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful.](https://github.com/eBay/sbom-scorecard)
* [Sbomify: SBOM platform with attestation verification support using Sigstore and GitHub attestations, SPDX 2.3 export, product lifecycle management, and compliance tracking](https://sbomify.com/). Read: [Announcing Sbomify v0.25: Attestations](https://sbomify.com/2026/01/23/announcing-sbomify-v0-25-the-one-with-attestations/)
* Read: [An Empirical Study of the SBOM Landscape](https://arxiv.org/abs/2303.11102), an in-depth study of six SBOM tools and the accuracy of the SBOMs they generate for complex open source Java projects (IEEE Security & Privacy, 2023)
  * See also: [How to Quickly Measure SBOM Accuracy for Free](https://www.endorlabs.com/learn/how-to-quickly-measure-sbom-accuracy-for-free) from Endor Labs, with reproducible scripts at [endorlabs/sbom-lab](https://github.com/endorlabs/sbom-lab)
* Read: [Software Bill of Materials (SBOM) Harmonization Plugfest 2024](https://www.sei.cmu.edu/news/study-finds-key-causes-of-divergence-in-software-bills-of-materials/), by CMU's SEI, which analyzes why 243 sample SBOMs from 21 tool vendors diverge and recommends harmonization approaches
* Read: [OWASP CycloneDX — Authoritative Guide to SBOM](https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf), a comprehensive PDF guide to software bills of materials, formats and best practices
* The [SBOM Insights](https://sbom-insights.dev/) blog, covering SBOM compliance frameworks (NTIA minimum elements, BSI standards), quality scoring with sbomqs and practical SBOM use cases
* [cyfinoid/aibommaker: AI BOM Generator](https://github.com/cyfinoid/aibommaker), a client-side web tool that analyzes GitHub repositories for AI/LLM usage and generates an AI Bill of Materials in CycloneDX 1.7 and SPDX 3.0.1 formats, with hardware, infrastructure and governance detection
* [trustification/AIBOM-generator: Generate AI Bills of Materials for Hugging Face models](https://github.com/trustification/AIBOM-generator), documenting AI model dependencies and provenance
* [Trusera/ai-bom: AI Bill of Materials generator for agent workflows](https://github.com/Trusera/ai-bom), which scans n8n, LangGraph and CrewAI workflows for AI components and produces SBOM output in CycloneDX and SPDX formats

More interesting resources:

* [Brakeing Down Security Podcast: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made](https://brakeingsecurity.com/2020-031-allan-friedman-sbom-software-transparency-and-knowing-how-the-sausage-is-made?tdest_id=282477)
* [Episode 312: The Legend of the SBOM](https://opensourcesecurity.io/2022/02/27/episode-312-the-legend-of-the-sbom/)
* [Reimagining Cyber Podcast: Log4j vulnerability provides harsh lessons in unknown dependencies](https://community.microfocus.com/cyberres/b/sws-22/posts/reimagining-cyber-podcast-log4j-vulnerability-provides-harsh-lessons-in-unknown-dependencies)
* [Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs](https://techdebtburndown.com/episode11/)
* [Sounil Yu on SBOMs, software supply chain security - Security Conversations](https://securityconversations.com/episode/sounil-yu-on-sboms-software-supply-chain-security/)
* [Exploring Security. Criticality of SBOM. Scott McGregor, Cloud Security, Wind River](https://soundcloud.com/cybercrimemagazine/exploring-security-criticality-of-sbom-scott-mcgregor-cloud-security-wind-river)
* [Down the Security Rabbithole Podcast: DtSR Episode 487 - Software Supply Chain is a BFD](http://podcast.wh1t3rabbit.net/dtsr-episode-487-software-supply-chain-is-a-bfd?tdest_id=609232)
* [Software Composition Analysis Podcast: Software Supply Chain - Episode 1](https://www.youtube.com/watch?v=ryRV-bAyHXY&list=PLnaFG2n4CcbNi9wtjKZLh2m4cANoqNcgu)
* [Critical Update: Do You Know What’s In Your Software?](https://www.nextgov.com/podcasts/2021/05/critical-update-do-you-know-whats-your-software/174100/)
* [Software Bill of Materials | CISA](https://www.cisa.gov/sbom)
* [SBOM Use Case - RKVST](https://www.rkvst.com/share-sboms/) and [RKVST SBOM Hub - RKVST](https://www.rkvst.com/rkvst-sbom-hub/)
  * Also read: [SBOM Hub - NTIA Attribute Mappings](https://support.rkvst.com/hc/en-gb/articles/6023134387601-SBOM-Hub-NTIA-Attribute-Mappings)
* [BOF: SBOMs for Embedded Systems: What's Working, What's Not? - Kate Stewart, Linux Foundation](https://www.youtube.com/watch?v=E17RvPlVbQI)
* [All About That BoM, ‘bout That BoM - Melba Lopez, IBM](https://www.youtube.com/watch?v=lm7ySgCeALk)
* [OWASP CycloneDX Launches SBOM Exchange API](https://cyclonedx.org/news/owasp-cyclonedx-launches-sbom-exchange-api-standardizing-sbom-distribution/)
* Read: [SBOM Management | Six Ways It Prevents SBOM Sprawl](https://anchore.com/sbom/sbom-management-and-six-ways-it-prevents-sbom-sprawl/)
* Read: NTIA's [The Minimum Elements For a Software Bill of Materials](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)
* Read: [What an SBOM Can Do for You](https://blog.chainguard.dev/what-an-sbom-can-do-for-you/)

Some open source projects are publicly documenting how they take on dependencies. These intentional, human-parseable, long-form examples can serve as illustration:

* [envoy/DEPENDENCY_POLICY.md at main · envoyproxy/envoy](https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md)
* [What curl expects from dependencies](https://daniel.haxx.se/blog/2022/03/28/what-curl-expects-from-dependencies/)
* [Security: The Value of SBOMs](https://fluxcd.io/blog/2022/02/security-the-value-of-sboms/) from Flux

### Vulnerability information exchange

* [OSV](https://osv.dev/)
  * Read: [SBOM in Action: finding vulnerabilities with a Software Bill of Materials](https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html?m=1)
  * Read: [Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source](https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerability.html)
  * Related: [spdx/spdx-to-osv: Produce an Open Source Vulnerability JSON file based on information in an SPDX document](https://github.com/spdx/spdx-to-osv/)
  * Tool: [google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev](https://github.com/google/osv-scanner)
* Qualys' [Vulnerability Detection Pipeline](https://community.qualys.com/vulnerability-detection-pipeline/)
* [Vuls · Agentless Vulnerability Scanner for Linux/FreeBSD](https://vuls.io/)
[Vulnerability Database](https://vuldb.com/?),也有一个 [API](https://vuldb.com/?kb.api);参见 [VulDB](https://github.com/vuldb) * [AppThreat/vulnerability-db: Vulnerability database and package search for sources such as OSV, NVD, GitHub and npm.](https://github.com/AppThreat/vulnerability-db) * [vulnerability-lookup/vulnerability-lookup: Vulnerability correlation platform with multi-source feeds](https://github.com/vulnerability-lookup/vulnerability-lookup) (NVD, GitHub, OSV, national databases), CVD management, sightings tracking, comments, bundles, and API for rapid lookup and cross-source correlation * [aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues](https://github.com/aquasecurity/trivy) * [SAST for Code Security | Snyk Code](https://snyk.io/product/snyk-code/) * 另见:来自 Snyk 的 [Choosing Open Source Libraries](https://www.youtube.com/watch?app=desktop&v=Q4Yv3VGPiy4) * [Contrast Community Edition](https://www.contrastsecurity.com/contrast-community-edition) * [Known Exploited Vulnerabilities Catalog | CISA](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) * [TURROKS/CVE_Prioritizer: Prioritize vulnerability patching by combining CVSS, EPSS, CISA KEV, and VulnCheck data](https://github.com/TURROKS/CVE_Prioritizer) * [cve-search/cve-search: cve-search - a tool to perform local searches for known vulnerabilities](https://github.com/cve-search/cve-search) * [Exein-io/kepler: NIST-based CVE lookup store and API powered by Rust](https://github.com/Exein-io/kepler) * [nexB/vulnerablecode: A work-in-progress towards a free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. 
Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode](https://github.com/nexB/vulnerablecode) * [toolswatch/vFeed: The Correlated CVE Vulnerability And Threat Intelligence Database API](https://github.com/toolswatch/vFeed) * [ossf/scorecard: Security Scorecards - Security health metrics for Open Source](https://github.com/ossf/scorecard),[OpenSSF Metrics](https://metrics.openssf.org/) 和 [ossf/security-reviews: A community collection of security reviews of open source software components.](https://github.com/ossf/security-reviews) * [ossf/scorecard-action: Official GitHub Action for OSSF Scorecards.](https://github.com/ossf/scorecard-action) * 注意:[How OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore](https://github.com/sigstore/community/issues/125#issuecomment-1240965050) * 另有 [OpenSSF Security Insights Spec](https://github.com/ossf/security-insights-spec) * 阅读:[How OpenSSF Scorecards can help to evaluate open-source software risks](https://www-csoonline-com.cdn.ampproject.org/c/s/www.csoonline.com/article/3668192/how-openssf-scorecards-can-help-to-evaluate-open-source-software-risks.amp.html) * 很好的现实生活示例:[State of the Eclipse Foundation GitHub repositories](https://mikael.barbero.tech/blog/post/eclipsefdn-scorecard-aug2022/) * 另请参阅:[naveensrinivasan/scorecard-1000-critical-projects](https://github.com/naveensrinivasan/scorecard-1000-critical-projects),使用 Scorecard API 分析来自 [Criticality Score](https://github.com/ossf/criticality_score) 数据集的 1000 个关键开源项目 * [Lynis - Security auditing and hardening tool for Linux/Unix](https://cisofy.com/lynis/) * [victims/victims-cve-db: CVE database store](https://github.com/victims/victims-cve-db) * [anchore/grype: A vulnerability scanner for container images and filesystems](https://github.com/anchore/grype) * 另请参阅 [Using Grype to Identify GitHub Action 
Vulnerabilities](https://anchore.com/blog/using-grype-to-identify-github-action-vulnerabilities/) * 以及 [Grype now supports CycloneDX and SPDX standards](https://anchore.com/sbom/grype-support-cyclonedx-spdx/) * [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/) * [Global Database Working Group | CSA](https://cloudsecurityalliance.org/research/working-groups/global-security-database/),另请参阅 [cloudsecurityalliance/gsd-database: Global Security Database](https://github.com/cloudsecurityalliance/gsd-database) * [trickest/cve: Gather and update all available and newest CVEs with their PoC.](https://github.com/trickest/cve) * [RFC 9116: A File Format to Aid in Security Vulnerability Disclosure](https://www.rfc-editor.org/rfc/rfc9116) * 一个 AOSP 漏洞到提交的练习:[quarkslab/aosp_dataset: Large Commit Precise Vulnerability Dataset based on AOSP CVE](https://github.com/quarkslab/aosp_dataset) * [Commit Level Vulnerability Dataset](https://blog.quarkslab.com/commit-level-vulnerability-dataset.html) * [nyph-infosec/daggerboard](https://github.com/nyph-infosec/daggerboard) * [davideshay/vulnscan: Vulnerability Scanner Suite based on grype and syft from anchore](https://github.com/davideshay/vulnscan#readme) * [devops-kung-fu/bomber: Scans SBoMs for security vulnerabilities](https://github.com/devops-kung-fu/bomber) * Fortress: [Vulnerability Management](https://www.fortressinfosec.com/product-security/vulnerability-management) * [Vulnerability Management | aDolus](https://adolus.com/solutions/vulnerability-management/) * [secvisogram/secvisogram: Secvisogram is a web tool for creating and editing security advisories in the CSAF 2.0 format](https://github.com/secvisogram/secvisogram/) * [future-architect/vuls: Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices](https://github.com/future-architect/vuls) * 
[infobyte/faraday: Open Source Vulnerability Management Platform](https://github.com/infobyte/faraday) 来自 [Faraday - Community v4 Release](https://faradaysec.com/community-v4/) * [mitre/saf: The MITRE Security Automation Framework (SAF) Command Line Interface (CLI) brings together applications, techniques, libraries, and tools developed by MITRE and the security community to streamline security automation for systems and DevOps pipelines](https://github.com/mitre/saf) * [devops-kung-fu/bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities](https://github.com/devops-kung-fu/bomber) * [Rezilion/mi-x: Determine whether your compute is truly vulnerable to a specific vulnerability by accounting for all factors which affect *actual* exploitability (runtime execution, configuration, permissions, existence of a mitigation, OS, etc..)](https://github.com/Rezilion/mi-x) * [ossf-cve-benchmark/ossf-cve-benchmark: The OpenSSF CVE Benchmark consists of code and metadata for over 200 real life CVEs, as well as tooling to analyze the vulnerable codebases using a variety of static analysis security testing (SAST) tools and generate reports to evaluate those tools.](https://github.com/ossf-cve-benchmark/ossf-cve-benchmark) * 参见 NeuVector 文档中的 [Vulnerability Management](https://open-docs.neuvector.com/scanning/scanning/vulnerabilities),了解容器场景中的集成示例 * [noqcks/xeol: An end-of-life (EOL) package scanner for container images, systems, and SBOMs](https://github.com/noqcks/xeol) * [mchmarny/vimp: Compare data from multiple vulnerability scanners to get a more complete picture of potential exposures.](https://github.com/mchmarny/vimp) 关于 VEX 的专门阅读部分: * [CycloneDX - Vulnerability Exploitability Exchange (VEX)](https://cyclonedx.org/capabilities/vex/) * [Vulnerability eXploitability Exchange explained: How VEX makes SBOMs actionable](https://www.csoonline.com/article/3669810/vulnerability-exploitability-exchange-explained-how-vex-makes-sboms-actionable.html) * [How VEX 
helps SBOM+SLSA improve supply chain visibility | Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-vex-helps-sbomslsa-improve-supply-chain-visibility) * [What is VEX and What Does it Have to Do with SBOMs?](https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms) * [What is VEX? It's the Vulnerability Exploitability eXchange!](https://zt.dev/posts/what-is-vex/) * [The Vulnerability Exploitability eXchange (VEX) standard](https://www.linkedin.com/pulse/vulnerability-exploitability-exchange-vex-standard-walter-haydock) * [Vex and SBOMs](https://docs.google.com/presentation/d/1lfhwgSnBXUViSAUNKVPVMUi0sGROwTNWImk5dzPiF38/edit?usp=sharing) * [VDR or VEX – Which Do I Use? Part 1](https://www.linkedin.com/pulse/vdr-vex-which-do-i-use-tony-turner) * [VEX! or... How to Reduce CVE Noise With One Simple Trick!](https://www.youtube.com/watch?v=OWAn3ynhyzQ),作者 Frederick Kautz * [Vulnerability Exploitability eXchange (VEX) - Status Justifications](https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf) * [Real-time VEX](https://tomalrichblog.blogspot.com/2022/09/real-time-vex.html?m=1) 另见: * [Vulncode-DB](https://www.vulncode-db.com/end) 处于弃用路径 * [GitHub brings supply chain security features to the Rust community](https://github.blog/2022-06-06-github-brings-supply-chain-security-features-to-the-rust-community/) * [CyCognito Adopts Mapping ATT&CK to CVE for Impact](https://info.mitre-engenuity.org/hubfs/Center%20for%20Threat%20Informed%20Defense/Adoption%20Spotlight_CVE%20for%20Impact_CTID_CyCognito_20220622_Final.pdf) * 阅读:[A closer look at CVSS scores](https://theoryof.predictable.software/articles/a-closer-look-at-cvss-scores/),[Patch Madness: Vendor Bug Advisories Are Broken, So Broken](https://www.darkreading.com/risk/patch-madness-vendor-bug-advisories-broken) 和 [An Incomplete Look at Vulnerability Databases & Scoring 
Methodologies](https://medium.com/@chris.hughes_11070/an-incomplete-look-at-vulnerability-databases-scoring-methodologies-7be7155661e8) * 阅读:来自 Cloudsmith 的 [How to Analyze an SBOM](https://cloudsmith.com/blog/how-to-analyze-an-sbom/) 和 [How to Generate and Host SBoMs](https://cloudsmith.com/blog/how-to-generate-and-host-an-sbom/) * 阅读:来自 Google Open Source Insights 团队的 [After the Advisory](https://blog.deps.dev/after-the-advisory/) ## 使用点验证 * [grafeas/kritis: Solution for securing your software supply chain for Kubernetes apps, enforcing deploy-time security policies](https://github.com/grafeas/kritis) * [aquasecurity/trivy-operator: Kubernetes-native security toolkit that continuously scans the cluster for vulnerabilities, misconfiguration, secrets, and exposed sensitive information](https://github.com/aquasecurity/trivy-operator) * [goodwithtech/dockle: Container image linter for security, detects vulnerabilities, helps build best-practice Dockerfiles and supports CIS Benchmarks](https://github.com/goodwithtech/dockle) * [Kyverno](https://kyverno.io/) * 阅读:[Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/) * 以及:[Managing Kyverno Policies as OCI Artifacts with OCIRepository Sources](https://fluxcd.io/blog/2022/08/manage-kyverno-policies-as-ocirepositories/) * 另有:[testifysec/judge-k8s: Proof of concept Kubernetes admission controller using the witness attestation verification library](https://github.com/testifysec/judge-k8s) * [ckotzbauer/sbom-operator: Catalogue all images of a Kubernetes cluster to multiple targets with Syft](https://github.com/ckotzbauer/sbom-operator) * [CONNAISSEUR - Verify Container Image Signatures in Kubernetes](https://sse-secure-systems.github.io/connaisseur/v2.0.0/) * [Kubewarden](https://kubewarden.io/) 是一个 Kubernetes 策略引擎,使用 sigstore 签名和验证其 WebAssembly 策略,允许策略作者利用 sigstore 验证功能在其策略中验证 OCI 制品 * [sigstore/policy-controller: The policy admission controller used to enforce policy on a 
cluster on verifiable supply-chain metadata from cosign.](https://github.com/sigstore/policy-controller) * 另见:[lukehinds/policy-controller-demo: demo of keyless signing with the sigstore kubernetes policy controller](https://github.com/lukehinds/policy-controller-demo) * [portieris/POLICIES.md at main · IBM/portieris](https://github.com/IBM/portieris/blob/main/POLICIES.md) * [reproducible-containers/repro-get: Reproducible apt/dnf/apk/pacman, with content-addressing](https://github.com/reproducible-containers/repro-get) * [asfaload/checksums: Repository holding checksums of internet artifacts to improve security of downloads by hosting duplicate verification points](https://github.com/asfaload/checksums) * [kpcyrd/pacman-bintrans: Experimental binary transparency for pacman with sigstore and rekor](https://github.com/kpcyrd/pacman-bintrans) * 另见:[kpcyrd/apt-swarm: 🥸 p2p gossip network for update transparency, based on pgp 🥸](https://github.com/kpcyrd/apt-swarm) * [Open Policy Agent](https://www.openpolicyagent.org/) * 阅读:[GitHub Artifact Attestations OPA Provider: Enforce admission policies with artifact attestations in Kubernetes](https://github.blog/changelog/2025-06-23-enforce-admission-policies-with-artifact-attestations-in-kubernetes-using-opa-gatekeeper/) - 将 GitHub Artifact Attestations(构建来源、SBOM、自定义)与 OPA Gatekeeper 集成,用于 Kubernetes 准入控制 * [netskopeoss/beam: Behavioral Evaluation of Application Metrics (BEAM) detects supply chain compromises by analyzing network traffic](https://github.com/netskopeoss/beam) 使用机器学习和 SHAP 可解释性来识别恶意行为模式 * [GitLab Libbehave (Experiment): Scans dependencies during merge request pipelines to identify newly added libraries and their risky behaviors](https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/) - 为 OS 命令执行、动态代码评估和文件系统访问等行为分配风险评分 * [Conftest](https://www.conftest.dev/examples/) 允许使用 Open Policy Agent Rego 查询语言针对结构化配置数据编写测试:[here's an 
example](https://github.com/open-policy-agent/conftest/blob/master/examples/docker/policy/commands.rego) * 几个 [pre-commit](https://pre-commit.com/hooks.html) 钩子允许在依赖项被摄取到代码库之前立即进行漏洞检查 * 例如,[pyupio/safety: Safety checks your installed dependencies for known security vulnerabilities](https://github.com/pyupio/safety) * 或 [npm-audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) * 另见 [snyk-labs/snync: Mitigate security concerns of Dependency Confusion supply chain security risks](https://github.com/snyk-labs/snync) * 以及 [lirantal/lockfile-lint: Lint an npm or yarn lockfile to analyze and detect security issues](https://github.com/lirantal/lockfile-lint) * [KTH-LangSec/nodeshield: Runtime enforcement of SBOMs and Capabilities Bill of Materials (CBOM) for Node.js to prevent supply chain attacks](https://github.com/KTH-LangSec/nodeshield) * [chains-project/goleash: eBPF-based runtime policy enforcement for Go applications, enforcing least privilege at the package level to detect and block malicious behavior from compromised dependencies](https://github.com/chains-project/goleash) * [avilum/secimport: eBPF-based module-level sandboxing for Python applications, enforcing syscall restrictions per Python module to mitigate risks from vulnerable or malicious dependencies](https://github.com/avilum/secimport) * 或 [requires.io | Monitor your dependencies](https://requires.io/) * 或 [Brakeman Security Scanner](https://brakemanscanner.org/) * 或 [trailofbits/pip-audit: Audits Python environments and dependency trees for known vulnerabilities](https://github.com/trailofbits/pip-audit) * 另见:[Dependabot alerts now surface if your code is calling a vulnerability](https://github.blog/2022-04-14-dependabot-alerts-now-surface-if-code-is-calling-vulnerability/) * 以及:[Use data-dist-info-metadata (PEP 658) to decouple resolution from downloading by cosmicexplorer · Pull Request #11111 · pypa/pip](https://github.com/pypa/pip/pull/11111) * 有趣的 Python 相关项目:[Project 
Thoth](https://thoth-station.ninja/),使用人工智能分析和推荐 Python 应用程序的软件堆栈 * 或 [Checkmarx/chainjacking: Find which of your go lang direct GitHub dependencies is susceptible to ChainJacking attack](https://github.com/Checkmarx/chainjacking) * 或 [Cargo Vet](https://mozilla.github.io/cargo-vet/) 和 [crev-dev/cargo-crev: A cryptographically verifiable code review system for the cargo (Rust) package manager.](https://github.com/crev-dev/cargo-crev) * 不是自动验证,而是针对 Java 的全面指南,其中包含一些与供应链安全相关的关键点:[Google Best Practices for Java Libraries](https://jlbp.dev/) * 静态分析通常在此阶段用于检测依赖项获取,例如: * [Semgrep](https://semgrep.dev/) * [Getting started with Semgrep Supply Chain](https://semgrep.dev/docs/semgrep-sc/scanning-open-source-dependencies/) * 另见:[Catching Security Vulnerabilities With Semgrep](https://www.codedbrain.com/catching-security-vulnerabilities-with-semgrep/) * [graudit/signatures at master · wireghoul/graudit](https://github.com/wireghoul/graudit/tree/master/signatures) * [banyanops/collector: A framework for Static Analysis of Docker container images](https://github.com/banyanops/collector) * [quay/clair: Vulnerability Static Analysis for Containers](https://github.com/quay/clair) * [DataDog/guarddog: GuardDog is a CLI tool to Identify malicious PyPI and npm packages](https://github.com/datadog/guarddog) * [eliasgranderubio/dagda: a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities](https://github.com/eliasgranderubio/dagda) * 一半精彩,一半有趣,完全有用:[kpcyrd/libredefender: Imagine the information security compliance guideline says you need an antivirus but you run Arch Linux](https://github.com/kpcyrd/libredefender) * [target/strelka: Real-time, container-based file scanning system for threat hunting, detection, and incident response with file extraction and metadata collection at enterprise 
scale](https://github.com/target/strelka) * [Mandiant capa: Reverse engineering tool that recognizes behaviors in binaries through expert-crafted rules for API calls, constants, and strings; supports static and dynamic analysis via IDA Pro, Binary Ninja, and Ghidra](https://mandiant.github.io/capa/) * [KICS - Keeping Infrastructure as Code Secure](https://kics.io/) * [tinkerbell/lint-install: Consistently install reasonable linter rules for open-source projects]() * 关于包安装的 `hadolint` 规则,例如,[hadolint/README.md at d16f342c8e70fcffc7a788d122a1ba602075250d · hadolint/hadolint](https://github.com/hadolint/hadolint/blob/d16f342c8e70fcffc7a788d122a1ba602075250d/README.md#rules) * 另见 [dockerfile resource scans - checkov](https://www.checkov.io/5.Policy%20Index/dockerfile.html) 来自 [bridgecrewio/checkov: Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.](https://github.com/bridgecrewio/checkov) * 以及:[xlab-si/iac-scan-runner: Service that scans your Infrastructure as Code for common vulnerabilities](https://github.com/xlab-si/iac-scan-runner) * 以及:[aws-samples/automated-security-helper](https://github.com/aws-samples/automated-security-helper)1 * 以及:[GeekMasher/quibble](https://github.com/GeekMasher/quibble),一个基于 Rust 的 Docker 和 Podman Compose 文件安全 linter,检查 socket 挂载、不受信任的注册表、硬编码机密等。阅读 [intro post](https://geekmasher.dev/sec/quibble/22-12-08--quibble-intro/) * [Vulnerability Assessment | OpenSCAP portal](https://www.open-scap.org/features/vulnerability-assessment/) * [Detecting Log4Shell with Wazuh](https://wazuh.com/blog/detecting-log4shell-with-wazuh/) * [aquasecurity/starboard: Kubernetes-native security toolkit](https://github.com/aquasecurity/starboard) * [Get started with Kubernetes Security and Starboard](https://www.youtube.com/watch?v=QgctrpTpJec) * [armosec/kubescape: Kubescape is a K8s open-source tool providing a multi-cloud K8s 
single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.](https://github.com/armosec/kubescape) * 另有:[kubescape Visual Studio Code extension](https://www.armosec.io/blog/find-kubernetes-security-issues-while-coding/) * [ckotzbauer/vulnerability-operator: Scans SBOMs for vulnerabilities](https://github.com/ckotzbauer/vulnerability-operator) * [chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification](https://github.com/chen-keinan/kube-beacon) * [aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark](https://github.com/aquasecurity/kube-bench) 和 [aquasecurity/kube-hunter: Hunt for security weaknesses in Kubernetes clusters](https://github.com/aquasecurity/kube-hunter) * [openclarity/kubeclarity: KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems](https://github.com/openclarity/kubeclarity) * [HarborGuard/HarborGuard: Comprehensive container security scanning platform with intuitive web UI for managing and visualizing security assessments of Docker images](https://github.com/HarborGuard/HarborGuard) * [stackrox/stackrox: The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.](https://github.com/stackrox/stackrox) * [cloudquery/plugins/source/k8s/policies at main · cloudquery/cloudquery](https://github.com/cloudquery/cloudquery/tree/main/plugins/source/k8s/policies) * [quarkslab/kdigger: Kubernetes focused container assessment and context discovery tool for penetration testing](https://github.com/quarkslab/kdigger) * [ossillate-inc/packj: The vetting tool 🚀 behind 
our large-scale security analysis platform to detect malicious/risky open-source packages](https://github.com/ossillate-inc/packj) 和 [Packj | A vetting tool to avoid "risky" packages](https://packj.dev/) * [doowon/sigtool: sigtool for signed PE files in GO](https://github.com/doowon/sigtool) * [Introducing "safe npm", a Socket npm Wrapper - Socket](https://socket.dev/blog/introducing-safe-npm) * [Introducing SafeDep vet 🚀 | SafeDep](https://safedep.io/blog/introducing-safedep-vet/) 另见: * [analysis-tools-dev/static-analysis: ⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.](https://github.com/analysis-tools-dev/static-analysis/) * [anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles](https://github.com/anderseknert/awesome-opa) * [JupiterOne/secops-automation-examples: Examples on how to maintain security/compliance as code and to automate SecOps using the JupiterOne platform.](https://github.com/JupiterOne/secops-automation-examples) * [How We Generate a Software Bill of Materials (SBOM) with CycloneDX](https://try.jupiterone.com/how-we-generate-a-software-bill-of-materials-sbom-with-cyclonedx) * [Securing CICD pipelines with StackRox / RHACS and Sigstore](https://rcarrata.com/kubernetes/sign-images-acs-1/) * 观看:[Do you trust your package manager?](https://www.youtube.com/watch?app=desktop&v=VfBShgNnQt4&feature=youtu.be),Security Fest 2022 ### 库之外的供应链 除了库和软件依赖项之外,还有一些值得关注的事情: * [System Transparency | security architecture for bare-metal servers](https://system-transparency.org/) * [sigsum.org: Transparent and verifiable build logs using stronger threat models than centralized transparency logs](https://sigsum.org/) * [Tillitis: Building open, trustworthy hardware and software for secure computation](https://tillitis.se/) * [Emulated host profiles in fwupd](https://blogs.gnome.org/hughsie/2022/07/29/emulated-host-profiles-in-fwupd/) * [GNOME To Warn Users If 
Secure Boot Disabled, Preparing Other Firmware Security Help](https://www.phoronix.com/news/GNOME-Secure-Boot-Warning) * [Kernel Self Protection Project - Linux Kernel Security Subsystem](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project) * [keylime/keylime: A CNCF Project to Bootstrap & Maintain Trust on the Edge / Cloud and IoT](https://github.com/keylime/keylime) * [parallaxsecond/parsec: Platform AbstRaction for SECurity service](https://github.com/parallaxsecond/parsec) * [TPM Carte Blanche-resistant Boot Attestation](https://www.dlp.rip/tcb-attestation) ## 身份、签名和来源 * [sigstore](https://www.sigstore.dev/) 的一部分 * [Cosign](https://docs.sigstore.dev/cosign/overview) * [Fulcio](https://docs.sigstore.dev/fulcio/overview) * [Rekor](https://docs.sigstore.dev/rekor/overview) * 另见:[Kubernetes taps Sigstore to thwart open-source software supply chain attacks](https://www.zdnet.com/article/kubernetes-taps-sigstore-to-thwart-open-source-software-supply-chain-attacks/) * [OpenSSF Landscape](https://landscape.openssf.org/sigstore) 的 Sigstore 特定视图 * 阅读:[Sigstore Bundle Format](https://www.trustification.io/blog/2023/01/13/sigstore-bundle-format/) 介绍了 Sigstore 离线验证包的结构,包括签名、证书和 Rekor 包含证明 * [sigstore/model-transparency: Signing and verification for ML model integrity and provenance via Sigstore](https://github.com/sigstore/model-transparency) - 将模型供应链安全扩展到 ML 制品 * [stacklok/toolhive: MCP server deployment platform with Sigstore-based provenance verification and attestation support for container images and binaries](https://github.com/stacklok/toolhive) * [cas - cas attestation service](https://cas.codenotary.com/) * [Witness](https://witness.dev/) - [testifysec/witness: Witness is a pluggable framework for software supply chain risk management. 
It automates, normalizes, and verifies software artifact provenance.](https://github.com/testifysec/witness)
  * Watch: [Securing the Supply Chain with Witness - Cole Kennedy, TestifySec](https://www.youtube.com/watch?v=cZD_4u7DZPM)
  * See also: [testifysec/go-ima: go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems](https://github.com/testifysec/go-ima)
* [puerco/tejolote: A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.](https://github.com/puerco/tejolote)
* [in-toto-run - GitHub Marketplace](https://github.com/marketplace/actions/in-toto-run) and [in-toto/github-action: in-toto provenance github action](https://github.com/in-toto/github-action)
* [kusaridev/spector](https://github.com/kusaridev/spector) is a Rust tool and library for strict generation, validation and verification of supply chain metadata documents, supporting SLSA 1.0 Provenance and in-toto 1.0 Statement. Read the [announcement](https://www.kusari.dev/blog/kusari-open-sources-spector)
* [General availability of SLSA3 Generic Generator for GitHub Actions](https://slsa.dev/blog/2022/08/slsa-github-workflows-generic-ga)
* [slsa-framework/slsa-github-generator: Language-agnostic SLSA provenance generation for Github Actions](https://github.com/slsa-framework/slsa-github-generator)
  * See also: [Attestation Crafting | ChainLoop documentation](https://docs.chainloop.dev/getting-started/attestation-crafting)
* [technosophos/helm-gpg: Chart signing and verification with GnuPG for Helm.](https://github.com/technosophos/helm-gpg)
* [sigstore/helm-sigstore: Helm plugin for publishing and verifying signed Helm charts in the Rekor transparency log](https://github.com/sigstore/helm-sigstore) and [sigstore/helm-charts: Helm charts for deploying sigstore components in Kubernetes](https://github.com/sigstore/helm-charts)
* [cashapp/pivit](https://github.com/cashapp/pivit) is a command-line tool for managing x509 certificates stored on smart cards that support the PIV applet, and is fully compatible with `git`
* [notaryproject/notary: Notary is a project that allows anyone to have trust over arbitrary collections of data](https://github.com/notaryproject/notary)
* [notaryproject/roadmap: Roadmap for NotaryV2](https://github.com/notaryproject/roadmap)
* [notaryproject/notation: Notation is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures. Based on Notary V2 standard.](https://github.com/notaryproject/notation)
* [notaryproject/tuf: The Update Framework for OCI Registries](https://github.com/notaryproject/tuf)
  * See also [vmware-labs/repository-editor-for-tuf: Command line tool for editing and maintaining a TUF repository](https://github.com/vmware-labs/repository-editor-for-tuf)
  * See also [How to easily try out TUF + in-toto](https://badhomb.re/ci/security/2020/05/01/tuf-in-toto.html)
  * Check out [Python-TUF reaches version 1.0.0](https://ssl.engineering.nyu.edu/blog/2022-02-21-tuf-1_0_0)
  * Related project: [werf/trdl: The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.](https://github.com/werf/trdl)
  * Read: [Secure Software Updates via TUF — Part 2](https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-2-412c6a2b10ab)
* [goharbor/harbor: Trusted cloud native registry project supporting content signing and verification, RBAC, and vulnerability scanning for OCI artifacts](https://github.com/goharbor/harbor)
* [deislabs/ratify: Artifact Ratification Framework](https://github.com/deislabs/ratify)
* [OpenAttestation: Blockchain-based framework for endorsing and verifying documents with cryptographic trust (archived as of October 2025, transitioning to TrustVC)](https://www.openattestation.com/). Supports verifiable credentials, selective disclosure, decentralized rendering, and verified issuer identity
* [latchset/tang: Tang binding daemon](https://github.com/latchset/tang)
* [ietf-rats - Overview](https://github.com/ietf-rats)
* [An exposed apt signing key and how to improve apt security](https://blog.cloudflare.com/dont-use-apt-key/)
* See [Issue #21 · testifysec/witness](https://github.com/testifysec/witness/issues/21#issuecomment-991774080), which briefly describes how [testifysec/witness: Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.](https://github.com/testifysec/witness/) handles attestation chains
* Another [witness example with GitLab](https://gitlab.com/testifysec/demos/witness-demo)
* [Allow using SSH keys to sign commits · Discussion #7744 · github/feedback](https://github.com/github/feedback/discussions/7744#discussioncomment-1794438)
* Read: [Introducing "Trusted Publishers"](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/), on PyPI's use of OpenID Connect for short-lived, token-less publishing from GitHub Actions, which removes the need for long-lived API tokens
* [aws-solutions/verifiable-controls-evidence-store: This repository contains the source code of the Verifiable Controls Evidence Store solution](https://github.com/aws-solutions/verifiable-controls-evidence-store)
* Read: [Monitoring the kernel.org Transparency Log for a year](https://linderud.dev/blog/monitoring-the-kernel.org-transparency-log-for-a-year/)
* Read: [Using Rekor Monitor](https://blog.sigstore.dev/using-rekor-monitor/) (Sigstore blog), covering consistency checks and identity monitoring for the Rekor and Fulcio transparency logs
* Read: [Guide to Rekor Monitor and Its Integration with Red Hat Trusted Artifact Signer](https://www.redhat.com/en/blog/guide-rekor-monitor-and-its-integration-red-hat-trusted-artifact-signer) (Red Hat), covering transparency log integrity verification with continuous monitoring and Prometheus metrics
* Read: [Catching Malicious Package Releases Using a Transparency Log](https://blog.trailofbits.com/2025/12/12/catching-malicious-package-releases-using-a-transparency-log/) (Trail of Bits), explaining how rekor-monitor detects compromised signing identities and malicious releases through the Rekor transparency log
* Also read: [Software Distribution Transparency and Auditability](https://arxiv.org/abs/1711.07278)
* [paragonie/libgossamer: Public Key Infrastructure without Certificate Authorities, for WordPress and Packagist](https://github.com/paragonie/libgossamer)
  * Read: [Solving Open Source Supply Chain Security for the PHP Ecosystem](https://paragonie.com/blog/2022/01/solving-open-source-supply-chain-security-for-php-ecosystem)
* [johnsonshi/image-layer-provenance](https://github.com/johnsonshi/image-layer-provenance), a PoC for Image Layer Provenance and Manifest Layer History
* [oras-project/artifacts-spec](https://github.com/oras-project/artifacts-spec/)
* [recipy/recipy: Effortless method to record provenance in Python](https://github.com/recipy/recipy)
* [spiffe/spire: The SPIFFE Runtime Environment](https://github.com/spiffe/spire)
* [Fraunhofer-SIT/charra: Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.](https://github.com/Fraunhofer-SIT/charra)
* [google/trillian: A transparent, highly scalable and cryptographically verifiable data store.](https://github.com/google/trillian)
* [Artifactory - Universal Artifact Management](https://jfrog.com/artifactory/)
* [pyrsia/pyrsia: Decentralized Package Network](https://github.com/pyrsia/pyrsia)
* [transmute-industries/verifiable-actions: Workflow tools for Decentralized Identifiers & Verifiable Credentials](https://github.com/transmute-industries/verifiable-actions/tree/main)
* [IOTA Notarization](https://www.iota.org/products/notarization) is an open-source toolkit for anchoring, updating and verifying data integrity on a decentralized ledger, supporting locked (immutable) and dynamic notarization modes. See [iotaledger](https://github.com/iotaledger) on GitHub
* Watch: [Privacy-preserving Approaches to Transparency Logs](https://www.youtube.com/watch?v=UrLdEYVASak)

## Frameworks and best practice references

* [in-toto | A framework to secure the integrity of software supply chains](https://in-toto.io/)
* [VXDF (Validated Exploitable Data Flow): Open security standard for documenting confirmed vulnerabilities with structured evidence of exploitability](https://vxdf.org/), using a JSON Schema with 33 evidence types and interoperating with SARIF, SPDX, CWE and CVSS
* [Supply chain Levels for Software Artifacts](https://slsa.dev/), or SLSA (salsa), is a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
  * Good read: [SLSA | CloudSecDocs](https://cloudsecdocs.com/devops/pipelines/supply_chain/slsa/)
  * Another good read: [Building trust in our software supply chains with SLSA](https://blog.chainguard.dev/building-trust-in-our-software-supply-chains-with-slsa/)
  * Read: [SLSA for Success: Using SLSA to help achieve NIST's SSDF](https://slsa.dev/blog/2022/06/slsa-ssdf) and [All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance](https://slsa.dev/blog/2022/07/slsa-foundational-framework)
  * Also, a [framework mapping](https://docs.google.com/spreadsheets/d/1P_xxMlyF5iPV51CqIk8_EhI57aR6wf1Gkrg8sRHBMMQ/edit?usp=sharing) compiled by [Red Hat](https://www.redhat.com/en/blog/SLSA-framework-measuring-supply-chain-security-maturity)
  * [A Practical Guide to the SLSA Framework](https://fossa.com/blog/practical-guide-slsa-framework/) by FOSSA
  * Read: [Securing Gitpod's Software Supply Chain with SLSA](https://www.gitpod.io/blog/securing-the-software-supply-chain-at-gitpod-with-slsa)
  * Read: [A First Step to Attaining SLSA Level 3 on GitHub](https://blogs.vmware.com/opensource/2022/08/02/a-first-step-to-attaining-slsa-level-3-on-github/)
  * [SLSA Verification Summary Attestation (VSA) Specification](https://slsa.dev/spec/v1.2/verification_summary) - the technical specification for attesting that an artifact has been verified at a particular SLSA level, including details of dependency verification and policy decisions
  * Read: [SLSA E2E with AMPEL](https://slsa.dev/blog/2025/10/slsa-e2e-with-ampel), a practical end-to-end SLSA implementation walkthrough using AMPEL policy verification and VSA receipts
  * And a [pattern search across GitHub](https://cs.github.com/?scopeName=All+repos&scope=&q=%22uses%3A+slsa-framework%2Fslsa-github-generator%2F.github%2Fworkflows%2F%22+path%3A**.yml+NOT+org%3Aslsa-framework+NOT+org%3Aasraa+NOT+org%3Alaurentsimon+NOT+org%3Aazeemshaikh38+NOT+org%3Asethmlarson+NOT+org%3Alukehinds) for inspiration (thanks to [@infernosec](https://twitter.com/infernosec/status/1559937819128127488))
* [Container Hardening Priorities (CHPs)](https://github.com/chps-dev) - a complementary framework for evaluating container image security, with criteria for minimalism, provenance, configuration and vulnerabilities. Read: [Evaluating Container Security with Container Hardening Priorities](https://www.chainguard.dev/unchained/evaluating-container-security-with-container-hardening-priorities-some-chps-for-your-slsa)
* [Open Source Project Security Baseline](https://baseline.openssf.org/) - OpenSSF's tiered framework of security practices for open source projects, aligned with international cybersecurity standards (CRA, NIST SSDF), giving developers actionable guidance for strengthening their security posture
* [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/), especially _V14 - Configuration_
* [OWASP/Software-Component-Verification-Standard: Software Component Verification Standard (SCVS)](https://github.com/OWASP/Software-Component-Verification-Standard)
  * See also: [OWASP SCVS BOM Maturity Model](https://scvs.owasp.org/bom-maturity-model/), a formal taxonomy for evaluating bill-of-materials capabilities and supporting organizational policy
* [CycloneDX/transparency-exchange-api: OWASP Transparency Exchange API (TEA) standard for exchanging SBOM and vulnerability information, standardized in ECMA TC54](https://github.com/CycloneDX/transparency-exchange-api)
* [CREST launches OWASP Verification Standard (OVS)](https://www.crest-approved.org/crest-launches-owasp-verification-standard-ovs/)
* SAFECODE's [Fundamental Practices for Secure Software Development, Third Edition](https://safecode.org/uncategorized/fundamental-practices-secure-software-development/), especially _Manage Security Risk Inherent in the Use of Third-party Components_
* [SSF | The Secure Software Factory](https://thesecuresoftwarefactory.github.io/ssf/) and [mlieberman85/supply-chain-examples](https://github.com/mlieberman85/supply-chain-examples)
  * Related: [A MAP for Kubernetes supply chain security](https://www.cncf.io/blog/2022/04/12/a-map-for-kubernetes-supply-chain-security/)
* [Software Supply Chain Risk Management | BSIMM](https://www.bsimm.com/about/bsimm-for-vendors.html)
* [microsoft/scim: Supply Chain Integrity Model](https://github.com/microsoft/SCIM)
  * See also: [Supply Chain Integrity, Transparency, and Trust (scitt)](https://datatracker.ietf.org/group/scitt/about/) and [What Is SCITT](