53 projects
Harbor
Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted.
9,059
2,107
$41M
Dependabot
Dependabot is an automated dependency update tool that helps keep software projects secure and up-to-date by monitoring dependencies, creating pull requests for version updates, and handling security vulnerabilities across multiple programming languages and package managers.
6,165
2,593
$59M
FINOS (The Fintech Open Source Foundation)
FINOS’ mission is to promote open innovation in financial services.
3,773
812
$1.4M
OSS-Fuzz
OSS-Fuzz is a continuous fuzzing infrastructure that helps identify security vulnerabilities in open source software through automated testing. It provides tools, infrastructure, and processes to make fuzzing an integral part of the development workflow for open source projects.
2,909
820
$6.8M
Dependency-Track
Dependency-Track is an intelligent Component Analysis Platform that allows organizations to identify and reduce risk in their software supply chain. It continuously monitors component usage across all versions of every application in an organization's portfolio to proactively identify risk from the use of vulnerable or out-of-date components.
2,157
368
$24M
Sigstore
sigstore empowers software maintainers to easily sign software artifacts (release files, container images, binaries, SBOMs) and records the signing materials in a production-grade, tamper-resistant public transparency log.
2,061
633
$18M
SOPS
SOPS (Secrets OPerationS) is an editor of encrypted files, shipped as a command-line tool and SDK, that manages encrypted files in structured formats (YAML, JSON, ENV, INI) and in BINARY form, encrypting with one of the supported Key Management Systems (KMS), PGP, or age.
1,675
738
$953K
Gitleaks
Gitleaks is a security scanning tool that detects and prevents hardcoded secrets, credentials, and sensitive information in git repositories. It uses pattern matching and entropy analysis to identify potential data leaks in commit history and source code.
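The two detection techniques named above, fixed patterns for well-known credential formats and Shannon entropy for arbitrary tokens, shown as an added example. This is illustrative code written for this page, not Gitleaks' own ruleset or engine; the three rules, the generic-assignment pattern, the 3.5 bit/char threshold and the sample file are assumptions chosen for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected leak: 1-based line, the rule that fired, the token.
type Finding struct {
	Line  int
	Rule  string
	Token string
}

// Fixed-pattern rules, in the style of a leak scanner's ruleset. These three
// are illustrative (assumption); a real ruleset is far larger.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// candidate matches generic assignments such as `api_key = "..."`. No fixed
// pattern exists for an arbitrary token, so the captured value is judged by
// its Shannon entropy instead of its shape.
var candidate = regexp.MustCompile(`(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{16,})`)

// entropyThreshold is in bits per character; 3.5 is a common starting point
// for base64-like material (assumption, tune per repository).
const entropyThreshold = 3.5

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Scan runs every fixed rule and the entropy check over each line of src.
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{i + 1, r.name, m})
			}
		}
		if m := candidate.FindStringSubmatch(line); m != nil && ShannonEntropy(m[1]) >= entropyThreshold {
			out = append(out, Finding{i + 1, "high-entropy-value", m[1]})
		}
	}
	return out
}

// sampleSource is a constructed file, not a real repository; the key-shaped
// values are made up and grant no access. The low-entropy password on line 3
// is deliberately not reported: the pattern fires but the entropy check does not.
const sampleSource = `# constructed sample
db_host = "db.internal"
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
aws_access_key_id = "AKIAEXAMPLE012345678"
api_key = "x9Qf3mLz7Kp2Rt8VbN4wYc6HjD1s"
-----BEGIN RSA PRIVATE KEY-----`

// redact keeps a short prefix so a finding can be located without re-leaking it.
func redact(tok string) string {
	if len(tok) <= 6 {
		return "******"
	}
	return tok[:6] + strings.Repeat("*", len(tok)-6)
}

func main() {
	for _, f := range Scan(sampleSource) {
		fmt.Printf("line %d  %-20s %s\n", f.Line, f.Rule, redact(f.Token))
	}
}
```

Running it reports three findings (the AWS-shaped key, the high-entropy api_key value, and the private-key header) and nothing for the repeated-character password, which is the point of pairing the two techniques: patterns catch known formats cheaply, entropy catches unknown ones, and the threshold is what keeps entropy from flagging every long identifier.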
1,489
381
$829K
Open Source Security Foundation (OpenSSF)
The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices, including addressing vulnerability disclosures, security tooling and more.
1,361
495
$661M
Syft
Syft is a CLI tool and library for generating Software Bill of Materials (SBOM) from container images and filesystems. It provides deep inspection of container images and file systems to generate comprehensive SBOMs that help track software components, dependencies, and potential vulnerabilities.
1,167
330
$27M
Bank-Vaults
Bank-Vaults is a set of tools covering many aspects of secret management in the Cloud Native ecosystem.
1,049
336
$2.4M
Grype
Grype is a vulnerability scanner for container images and filesystems that identifies known vulnerabilities in packages and dependencies across multiple programming languages and package managers.
938
261
$3.3M
in-toto
A framework to secure the integrity of software supply chains. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
835
246
$27M
Trivy Action
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
590
192
$63K
The Update Framework (TUF)
A framework for securing software update systems. The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
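One of the mechanisms behind the claim above, signature thresholds per role, as an added example that is not the TUF specification's or any TUF implementation's code. A role lists the keys trusted to sign it and how many distinct ones must have signed; a single compromised key then cannot satisfy a threshold of two, whether it signs twice or is joined by a key the role never trusted. The role shape, key-ID derivation and payload below are simplifications (assumptions): real TUF metadata is canonical JSON with expiry, versions and delegations, none of which is modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Role is the trust rule for one role: the public keys allowed to sign it,
// keyed by keyid, and how many distinct ones must have signed.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// Signature is one signature over Signed.Payload by the key with KeyID.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Signed is a metadata file: the signed bytes plus any number of signatures.
type Signed struct {
	Payload    []byte
	Signatures []Signature
}

// KeyID derives a stable identifier from the public key. TUF hashes a
// canonical encoding of the key; hashing the raw bytes is a simplification.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign appends a signature by priv. It is deliberately not checked against
// any role: a signer may be malicious or simply not trusted for this role,
// and only the verifier decides what counts.
func Sign(s *Signed, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	s.Signatures = append(s.Signatures, Signature{KeyID(pub), ed25519.Sign(priv, s.Payload)})
}

// Verify accepts s only if at least role.Threshold distinct trusted keys have
// valid signatures over the payload. Signatures by untrusted keys are ignored
// and repeated signatures by one key count once.
func Verify(role Role, s Signed) error {
	valid := map[string]bool{}
	for _, sig := range s.Signatures {
		pub, trusted := role.Keys[sig.KeyID]
		if !trusted || valid[sig.KeyID] {
			continue
		}
		if ed25519.Verify(pub, s.Payload, sig.Sig) {
			valid[sig.KeyID] = true
		}
	}
	if len(valid) < role.Threshold {
		return fmt.Errorf("threshold not met: %d valid signature(s) from distinct trusted keys, need %d", len(valid), role.Threshold)
	}
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// RunScenarios builds a root role with three keys and threshold 2, then
// reports which signing attempts verify (true = accepted).
func RunScenarios() map[string]bool {
	k1, k2, k3 := mustKey(), mustKey(), mustKey()
	attacker := mustKey() // never added to the role
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	for _, k := range []ed25519.PrivateKey{k1, k2, k3} {
		pub := k.Public().(ed25519.PublicKey)
		role.Keys[KeyID(pub)] = pub
	}
	payload, _ := json.Marshal(map[string]interface{}{"_type": "root", "version": 2})
	fresh := func() Signed { return Signed{Payload: payload} }
	res := map[string]bool{}

	s := fresh()
	Sign(&s, k1)
	Sign(&s, k3)
	res["two distinct trusted keys"] = Verify(role, s) == nil

	s = fresh()
	Sign(&s, k1)
	Sign(&s, k1) // one stolen key, signing twice
	res["one key signing twice"] = Verify(role, s) == nil

	s = fresh()
	Sign(&s, k1)
	Sign(&s, attacker) // one stolen key plus the attacker's own key
	res["one trusted plus untrusted key"] = Verify(role, s) == nil

	s = fresh()
	Sign(&s, k1)
	Sign(&s, k2)
	s.Payload = append([]byte{}, payload...)
	s.Payload[len(s.Payload)-2] = '3' // version edited after signing
	res["tampered payload"] = Verify(role, s) == nil

	return res
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

Only the first scenario is accepted. The threshold is counted over distinct trusted key IDs, not over the number of signature entries, and that detail is what turns "an attacker got one key" into a non-event; TUF's other defences (role separation, expiry, version monotonicity, offline root keys) layer on top of this check rather than replace it.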
528
186
$3.5M
KubeArmor
KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operation) of containers and nodes at the system level.
524
165
$6.2M
Repository Service for TUF
Repository Service for TUF (RSTUF) is a system for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).
400
186
$1.2M
OWASP Dependency-Check
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that detects publicly disclosed vulnerabilities in project dependencies. It scans application dependencies and identifies known security vulnerabilities by checking them against the National Vulnerability Database (NVD) and other data sources.
377
53
$6.8M
Ortelius
Ortelius is a microservice management platform that versions and tracks microservices, their consuming applications, ownership, blast radius and where they have been deployed with all critical deployment metadata.
294
88
$45M
CycloneDX Bill of Materials Specification
The CycloneDX Bill of Materials (BOM) Specification is an open standard for creating comprehensive software bills of materials (SBOM) that detail components, dependencies, and metadata in software applications. It provides a standardized format for describing and sharing software inventory information to improve supply chain transparency and security.
255
109
$3.9M
Keylime
Keylime is a CNCF hosted project that provides a highly scalable remote boot attestation and runtime integrity measurement solution.
249
62
$9.5M
Teller
Teller is an open-source universal secret manager for developers.
227
86
$184K
Veraison
Veraison is an open-source project that builds the components of an attestation verification service. It provides a framework for appraising evidence about system components against reference values and endorsements, so that relying parties can make trust decisions from attestation results produced by various sources.
200
53
$18M
Copacetic
Copacetic (copa) is a CLI tool for directly patching OS-package vulnerabilities in container images from a vulnerability scanner report (for example Trivy), producing a patched image without rebuilding it from its Dockerfile.
194
54
$1.3M
Open Component Model
The Open Component Model (OCM) is a specification and toolset for managing software components and their dependencies across different technology stacks and platforms. It provides a standardized way to describe, version, and distribute software components, enabling better dependency management and supply chain security in cloud-native environments.
177
35
$12M
SLSA
Supply-chain Levels for Software Artifacts ("SLSA", pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.
176
64
$42M
Protobom
protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss. It has an accompanying Go library generated from the protocol buffers definition that also implements ingesters for those formats.
68
26
$22M
Chainloop
Chainloop is an open source software supply chain control plane that helps organizations secure and manage their software supply chain. It provides a central platform for managing artifacts, attestations, and control policies across the software development lifecycle.
58
27
$39M
CBOMkit
CBOMkit is a toolset for generating, storing and managing Cryptography Bills of Materials (CBOM) in CycloneDX format, giving organizations an inventory of the cryptographic assets (algorithms, keys, protocols, certificates) used by their software.
55
13
$6M
Grant
Grant is a command-line tool from Anchore that searches an SBOM or container image for the licenses of its packages and checks them against a configurable license policy, so that license risk is evaluated alongside the vulnerability scanning Anchore's other tools perform.
45
9
$656K
Open Policy Registry (OPCR)
The Open Policy Registry (OPCR) project contains a CLI (policy) for building, tagging, pushing, and pulling OPA policies as OCIv2 images. The policy CLI defaults to pushing and pulling from opcr.io, a free hosted registry that is optimized around listing and handling policy images. With that said, the policy CLI works with any OCIv2-compatible registry, such as GitHub Container Registry, Google Artifact Registry, AWS Container Registry, etc. The ecosystem benefits of using the policy CLI are that policies can now be built into immutable images, signed using cosign, and pushed and pulled from container registries - in other words, the benefits of the OCIv2 ecosystem are now conferred to OPA policies. The policy CLI workflow is modeled after the docker CLI - with the ability to build images locally ("policy build"), tag them ("policy tag"), list them ("policy images"), pull them ("policy pull"), and push them ("policy push"). This brings the familiar workflow to the OPA policies.
41
17
$275K
SBOM for Mainframe Applications Working Group
A working group focused on developing Software Bill of Materials (SBOM) standards and practices specifically for mainframe applications, aiming to improve software supply chain security and transparency in the mainframe ecosystem.
6
3
$4.3K
Cargo Deny
❌ Cargo plugin for linting your dependencies 🦀
CycloneDX Bill of Materials (BOM) Generator
Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
CycloneDX Maven Plugin
Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
CycloneDX Python Library
Python implementation of OWASP CycloneDX
GitHub Dependency Review Action
A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
OSV-DB
Open source vulnerability DB and triage service.
Retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
RustSec Advisory Database
Security advisory database for Rust crates published through crates.io
ScanCode Toolkit
ScanCode detects licenses, copyrights, and dependencies by "scanning code" to discover and inventory the open source and third-party packages used in your code. Sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB, and other generous sponsors!
Snyk Broker
A broker system between a public service and a private service
Reproducible Central
Reproducible Central: rebuild instructions for artifacts published to (Maven) Central Repository
cyclonedx-python-project
CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments