- Virginia, USA
- johnspeedmeyers.com
Stars
(d)ocker(f)ile (c)onverter: CLI to convert Dockerfiles to use Chainguard Images and APKs in FROM and RUN lines etc.
lyvd / bandit4mal
Forked from PyCQA/bandit. A fork of the Bandit tool with patterns for identifying malicious Python code.
PlugFest-in-a-Box is a powerful tool that reveals key areas of difference between several Software Bills of Materials (SBOMs) and applies thorough metrics to identify any and all quality issues.
Accurately separates a URL’s subdomain, domain, and public suffix, using the Public Suffix List (PSL).
An SBOM query language and associated utilities
Example CLI project to demo API architecture and protobom library
A universal SBOM representation in protocol buffers
Darkfiles finds orphaned files in container images and makes them do bad deeds
Official GitHub Action for golangci-lint from its authors
This repository contains a list of papers about software supply chain
Build OCI images from APK packages directly without Dockerfile
Common go library shared across sigstore services and clients
Code signing and transparency for containers and binaries
An Open Source Java tool to examine binary Java artifacts that we make available to clients and prospects. TAG_PRODUCTION, OWNER_KEN, DC_PUBLIC
Source for the monitoring website in Rekor VIP
sigstore installation walkthrough, local
Comparing the detection and prioritization performance of tools that detect vulnerable dependencies of a software application.
Learn the language basics in this 10-part course.