GUAC aggregates software security metadata into a high fidelity graph database.
Updated Mar 9, 2026 - Go
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
Enabling Software Supply Chain Security Capabilities in ArgoCD
in-toto is a framework to secure the software supply chain.
GitHub Action implementation of SLSA Provenance Generation
Pipeline for patching CVEs in container images 💉📦
Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Free DSSE Attestation Online Decoder Tool
Kettle builds and verifies attested builds, packages that include cryptographically signed SLSA provenance.
Library to create, verify, and evaluate policy for attestations on container images
A wrapper for running in-toto commands and using dbom repositories as the storage medium for the in-toto attestations
A paper on supply chain security in software development for Uni.
Snapshot releases of debian-dev docker images for reproducible build environments.
AI Integrity Receipts — generate, verify, and attest cryptographic receipts for commits with declared AI involvement. Release verification with SLSA-compatible VSA. Zero dependencies. Apache 2.0.
Jenkins Shared Library