LFX Insights

Supply Chain Security

Tools for securing software dependencies and components throughout the supply chain.

53 projects · 39,102 contributors · $1.1B software value

Harbor

Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted.

Contributors: 9,059 · Organizations: 2,107 · Software value: $41M

Dependabot

Dependabot is an automated dependency update tool that helps keep software projects secure and up-to-date by monitoring dependencies, creating pull requests for version updates, and handling security vulnerabilities across multiple programming languages and package managers.

Contributors: 6,165 · Organizations: 2,593 · Software value: $59M

FINOS (The Fintech Open Source Foundation)

FINOS’ mission is to promote open innovation in financial services.

Contributors: 3,773 · Organizations: 812 · Software value: $1.4M

OSS-Fuzz

OSS-Fuzz is a continuous fuzzing infrastructure that helps identify security vulnerabilities in open source software through automated testing. It provides tools, infrastructure, and processes to make fuzzing an integral part of the development workflow for open source projects.

Contributors: 2,909 · Organizations: 820 · Software value: $6.8M

Dependency-Track

Dependency-Track is an intelligent Component Analysis Platform that allows organizations to identify and reduce risk in their software supply chain. It continuously monitors component usage across all versions of every application in an organization's portfolio to proactively identify risk from the use of vulnerable or out-of-date components.

Contributors: 2,157 · Organizations: 368 · Software value: $24M

Sigstore

sigstore empowers software maintainers to easily sign software artifacts and record those signatures in a production-grade public transparency log.

Contributors: 2,061 · Organizations: 633 · Software value: $18M

SOPS

SOPS (Secrets OPerationS) is an editor in the form of a command-line tool and SDK designed to help manage encrypted files in a variety of structured (YAML, JSON, ENV, INI) and BINARY formats using one of the supported Key Management Systems (KMS), PGP, or age.

Contributors: 1,675 · Organizations: 738 · Software value: $953K

Gitleaks

Gitleaks is a security scanning tool that detects and prevents hardcoded secrets, credentials, and sensitive information in git repositories. It uses pattern matching and entropy analysis to identify potential data leaks in commit history and source code.

Contributors: 1,489 · Organizations: 381 · Software value: $829K
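An added example, not Gitleaks' own code, of the two detection techniques the entry names: vendor-specific regex rules for credentials with a fixed shape, and a generic keyword rule that only reports a value when its Shannon entropy is high enough to rule out placeholders. The diff lines, rule set and the 3.5 bits/char threshold are constructed for this example; the AWS key is the documented AKIAIOSFODNN7EXAMPLE placeholder and none of the values are real credentials.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: added lines of a git diff.  None of these values are real
# credentials; the AWS key is the documented AKIAIOSFODNN7EXAMPLE placeholder.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=hunter2
+GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
+api_secret = "x9Qv2LmZ8pT4rK6wN1bH3yU7eJ0sD5fA"
+SECRET_KEY=aaaaaaaaaaaaaaaaaaaaaaaa
+LOG_LEVEL=debug
+# commit: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    secret: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or one-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Rule set (constructed for the example): name, pattern with the secret in
# group 1, and the minimum entropy the captured value must have.  Vendor
# formats have a fixed prefix and length, so they need no entropy gate; the
# generic keyword rule would otherwise flag placeholders such as "aaaa...".
RULES: List[Tuple[str, re.Pattern, float]] = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 0.0),
    (
        "generic-high-entropy",
        re.compile(
            r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['"]?([A-Za-z0-9+/=_\-]{16,})['"]?"""
        ),
        3.5,
    ),
]


def scan(text: str) -> List[Finding]:
    """Run every rule over every line.  A value already reported by a specific
    rule is not reported again by the generic rule on the same line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported = set()
        for name, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if candidate in reported:
                    continue
                entropy = shannon_entropy(candidate)
                if entropy < min_entropy:
                    continue  # low-entropy value: placeholder or repeated filler
                reported.add(candidate)
                findings.append(Finding(name, line_no, candidate, round(entropy, 2)))
    return findings


def redact(secret: str) -> str:
    """Show only enough of the value to locate it; never print the whole secret."""
    return secret[:4] + "*" * (len(secret) - 4)


if __name__ == "__main__":
    for f in scan(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule} entropy={f.entropy} value={redact(f.secret)}")
```

Note what the entropy gate does and does not buy: the 24-character placeholder on line 5 is dropped because its entropy is zero, but the short, weak password on line 2 is never even a candidate because the generic rule demands 16 or more characters. Entropy scanning catches randomly generated tokens; it does not catch human-chosen secrets, which is why the scanner also needs shape-based rules and why findings should be treated as a signal to rotate the credential, not just to rewrite history.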

Open Source Security Foundation (OpenSSF)

The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices, including addressing vulnerability disclosures, security tooling and more.

Contributors: 1,361 · Organizations: 495 · Software value: $661M

Syft

Syft is a CLI tool and library for generating Software Bill of Materials (SBOM) from container images and filesystems. It provides deep inspection of container images and file systems to generate comprehensive SBOMs that help track software components, dependencies, and potential vulnerabilities.

Contributors: 1,167 · Organizations: 330 · Software value: $27M

Bank-Vaults

Bank-Vaults is a set of tools covering many aspects of secret management in the Cloud Native ecosystem.

Contributors: 1,049 · Organizations: 336 · Software value: $2.4M

Grype

Grype is a vulnerability scanner for container images and filesystems that identifies known vulnerabilities in packages and dependencies across multiple programming languages and package managers.

Contributors: 938 · Organizations: 261 · Software value: $3.3M

in-toto

A framework to secure the integrity of software supply chains. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.

Contributors: 835 · Organizations: 246 · Software value: $27M

Trivy Action

Finds vulnerabilities, misconfigurations and secrets, and generates SBOMs, for containers, Kubernetes, code repositories, clouds and more.

Contributors: 590 · Organizations: 192 · Software value: $63K

The Update Framework (TUF)

A framework for securing software update systems. The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.

Contributors: 528 · Organizations: 186 · Software value: $3.5M

KubeArmor

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operation) of containers and nodes at the system level.

Contributors: 524 · Organizations: 165 · Software value: $6.2M

Repository Service for TUF

Repository Service for TUF (RSTUF) is a system for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

Contributors: 400 · Organizations: 186 · Software value: $1.2M

OWASP Dependency-Check

OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that detects publicly disclosed vulnerabilities in project dependencies. It scans application dependencies and identifies known security vulnerabilities by checking them against the National Vulnerability Database (NVD) and other data sources.

Contributors: 377 · Organizations: 53 · Software value: $6.8M

Ortelius

Ortelius is a microservice management platform that versions and tracks microservices, their consuming applications, ownership, blast radius and where they have been deployed with all critical deployment metadata.

Contributors: 294 · Organizations: 88 · Software value: $45M

CycloneDX Bill of Materials Specification

The CycloneDX Bill of Materials (BOM) Specification is an open standard for creating comprehensive software bills of materials (SBOM) that detail components, dependencies, and metadata in software applications. It provides a standardized format for describing and sharing software inventory information to improve supply chain transparency and security.

Contributors: 255 · Organizations: 109 · Software value: $3.9M
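An added example, not code from CycloneDX or Dependency-Track, of what a consumer of the format does with a BOM, which is the job the Dependency-Track entry above describes: it parses a constructed CycloneDX 1.5 JSON document, reads each component's Package URL (purl), walks the dependencies graph from the metadata component so that every hit is reported with its transitive path, and matches components against a constructed advisory feed. The advisory identifiers and fixed versions are invented for the example and do not refer to real vulnerabilities; the dotted-numeric version comparison is an assumption, and real matching needs per-ecosystem version semantics.

```python
import json
from typing import Dict, List
from urllib.parse import unquote

# Constructed CycloneDX 1.5 BOM for a fictitious application.  Library
# bom-refs reuse their purl, as many generators do.
BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "webapp", "version": "2.3.0", "bom-ref": "app"}
  },
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2", "bom-ref": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "qs", "version": "6.5.2",
     "purl": "pkg:npm/qs@6.5.2", "bom-ref": "pkg:npm/qs@6.5.2"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.5.2"]}
  ]
}
"""

# Constructed advisory feed.  The identifiers are invented for this example and
# do not refer to real vulnerabilities; "fixed_in" is the first safe version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "type": "npm", "name": "qs", "fixed_in": "6.5.3"},
    {"id": "EXAMPLE-0002", "type": "npm", "name": "lodash", "fixed_in": "4.17.21"},
]


def parse_purl(purl: str):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type, namespace/name, version).  Qualifiers and subpath are dropped and
    percent-encoding in the name (e.g. %40 for '@') is decoded afterwards."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:
        name, version = rest, None
    return ptype, unquote(name), version


def version_lt(a: str, b: str) -> bool:
    """Dotted-numeric comparison padded to equal length (assumption: this is
    enough for the sample; real matchers need ecosystem-aware versioning)."""
    def key(v: str):
        out = []
        for part in v.split("."):
            digits = "".join(ch for ch in part if ch.isdigit())
            out.append(int(digits) if digits else 0)
        return out
    ka, kb = key(a), key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return ka < kb


def load_bom(text: str) -> dict:
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom


def dependency_paths(bom: dict) -> Dict[str, List[str]]:
    """Map each bom-ref to one path of bom-refs from the root component (BFS)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = [root]
    while queue:
        ref = queue.pop(0)
        for child in graph.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def find_vulnerable(bom: dict, advisories: List[dict]) -> List[dict]:
    """Match every component with a purl against the advisories by ecosystem,
    name and version, reporting how the root reaches the affected component."""
    paths = dependency_paths(bom)
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched by identity
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["type"] == ptype and adv["name"] == name and version \
                    and version_lt(version, adv["fixed_in"]):
                ref = comp.get("bom-ref", purl)
                hits.append({"id": adv["id"], "purl": purl,
                             "fixed_in": adv["fixed_in"], "path": paths.get(ref, [ref])})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(load_bom(BOM_JSON), ADVISORIES):
        print(f"{hit['id']}: {hit['purl']} (fixed in {hit['fixed_in']}) via {' -> '.join(hit['path'])}")
```

Two things in the output are the reason SBOM tooling exists: qs is flagged even though the application never declares it directly (the path shows it arrives through express), and lodash at exactly the fixed version is not flagged, so the boundary of the affected range has to be handled carefully.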

Keylime

Keylime is a CNCF-hosted project that provides a highly scalable remote boot attestation and runtime integrity measurement solution.

Contributors: 249 · Organizations: 62 · Software value: $9.5M

Teller

Teller is an open-source universal secret manager for developers.

Contributors: 227 · Organizations: 86 · Software value: $184K

Veraison

Veraison is an open-source project focused on remote attestation: it provides the components for building an attestation verification service that appraises evidence produced by attesting devices and platform components against endorsements and reference values, so that relying parties can make trust decisions from the attestation results.

Contributors: 200 · Organizations: 53 · Software value: $18M

Copacetic

Copacetic (copa) is a tool for patching security vulnerabilities in containers.

Contributors: 194 · Organizations: 54 · Software value: $1.3M

Open Component Model

The Open Component Model (OCM) is a specification and toolset for managing software components and their dependencies across different technology stacks and platforms. It provides a standardized way to describe, version, and distribute software components, enabling better dependency management and supply chain security in cloud-native environments.

Contributors: 177 · Organizations: 35 · Software value: $12M

SLSA

Supply-chain Levels for Software Artifacts ("SLSA", pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.

Contributors: 176 · Organizations: 64 · Software value: $42M

Protobom

protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss. It has an accompanying Go library generated from the protocol buffers definition that also implements ingesters for those formats.

Contributors: 68 · Organizations: 26 · Software value: $22M

Chainloop

Chainloop is an open source software supply chain control plane that helps organizations secure and manage their software supply chain. It provides a central platform for managing artifacts, attestations, and control policies across the software development lifecycle.

Contributors: 58 · Organizations: 27 · Software value: $39M

CBOMkit

CBOMkit is a toolset for generating and managing CycloneDX Cryptography Bill of Materials (CBOM) files, which inventory the cryptographic assets (algorithms, keys, certificates and protocols) used by an application so that organizations can track weak or quantum-vulnerable cryptography across their software.

Contributors: 55 · Organizations: 13 · Software value: $6M

Grant

Grant is Anchore's command-line tool for checking the licenses of the packages in an SBOM, container image or filesystem against a configurable allow/deny policy, so that license compliance can be enforced in the same pipeline as vulnerability scanning.

Contributors: 45 · Organizations: 9 · Software value: $656K

Open Policy Registry (OPCR)

The Open Policy Registry (OPCR) project contains a CLI (policy) for building, tagging, pushing, and pulling OPA policies as OCIv2 images. The policy CLI defaults to pushing and pulling from opcr.io, a free hosted registry that is optimized around listing and handling policy images. That said, the policy CLI works with any OCIv2-compatible registry, such as GitHub Container Registry, Google Artifact Registry, AWS Container Registry, etc. The ecosystem benefit of using the policy CLI is that policies can now be built into immutable images, signed using cosign, and pushed to and pulled from container registries; in other words, the benefits of the OCIv2 ecosystem are conferred on OPA policies. The policy CLI workflow is modeled after the docker CLI, with the ability to build images locally ("policy build"), tag them ("policy tag"), list them ("policy images"), pull them ("policy pull"), and push them ("policy push"). This brings the familiar workflow to OPA policies.

Contributors: 41 · Organizations: 17 · Software value: $275K

SBOM for Mainframe Applications Working Group

A working group focused on developing Software Bill of Materials (SBOM) standards and practices specifically for mainframe applications, aiming to improve software supply chain security and transparency in the mainframe ecosystem.

Contributors: 6 · Organizations: 3 · Software value: $4.3K

Cargo Deny

Cargo plugin for linting your dependencies.

This project hasn't been onboarded to LFX Insights.

CycloneDX Bill of Materials (BOM) Generator

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrates into your CI/CD pipeline with automatic submission to a Dependency-Track server.

This project hasn't been onboarded to LFX Insights.

CycloneDX Maven Plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

This project hasn't been onboarded to LFX Insights.

CycloneDX Python Library

Python implementation of OWASP CycloneDX

This project hasn't been onboarded to LFX Insights.

GitHub Dependency Review Action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs

This project hasn't been onboarded to LFX Insights.

OSV-DB

Open source vulnerability DB and triage service.

This project hasn't been onboarded to LFX Insights.

Retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

This project hasn't been onboarded to LFX Insights.

RustSec Advisory Database

Security advisory database for Rust crates published through crates.io

This project hasn't been onboarded to LFX Insights.

ScanCode Toolkit

ScanCode detects licenses, copyrights and dependencies by "scanning code" to discover and inventory open source and third-party packages used in your code. Sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors.

This project hasn't been onboarded to LFX Insights.

Snyk Broker

A broker system between a public service and a private service

This project hasn't been onboarded to LFX Insights.

Reproducible Central

Reproducible Central: rebuild instructions for artifacts published to (Maven) Central Repository

This project hasn't been onboarded to LFX Insights.

cyclonedx-python-project

CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

This project hasn't been onboarded to LFX Insights.