bureado/awesome-software-supply-chain-security

awesome-software-supply-chain-security

A compilation of resources in the software supply chain security domain, with emphasis on open source.

About this list

There is no prescribed taxonomy for this domain. This list will necessarily have some overlap with disciplines and categories such as DevSecOps, SAST, SCA and more.

The supply-chain-synthesis repo offers a long-form read on why that's the case, plus helpful pointers to understand and navigate it as it evolves.

For awesome-software-supply-chain-security we take the following high-level approach: different actors in the supply chain contribute attestations to the elements represented in the chain.

In this process-centric view, attestations are emitted, augmented (e.g., during composition) and verified.

Josh Bressers has described another way to look at this, and Spotify has published a narrative example from the wild.

Using this lens we can identify a large group of "subjects" (dependencies), distinct categories of "facts" (licenses or vulnerabilities) and the specific role of identity, provenance and build systems. This is the rationale behind the current headings, which are expected to evolve with the domain.
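The emit / augment / verify cycle described above, as an added example that is not code from this list or from any project it links to. It assumes the in-toto Statement layout (`_type`, `subject[]`, `predicateType`, `predicate`) wrapped in a DSSE-style envelope as the concrete shape of an "attestation" (the list itself prescribes no format); HMAC-SHA256 with shared demo keys stands in for real signing keys; the actor names, predicate type URIs and artifact bytes are invented. A publisher emits a license fact about a dependency, a scanner augments it with a vulnerability fact about the same digest, and a consumer verifies both against a policy before trusting the bytes it actually holds, which is the kind of check the "Point-of-use validations" section collects.

```python
"""Emit / augment / verify for supply-chain attestations (added illustration, stdlib only)."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Illustrative predicate types for two kinds of "facts" (made-up URIs).
LICENSE_FACT = "https://example.invalid/attestation/license/v1"
VULN_FACT = "https://example.invalid/attestation/vuln-scan/v1"

# Hypothetical keys for two actors; HMAC stands in for real asymmetric signing keys.
KEYS = {"publisher": b"publisher-demo-key", "scanner": b"scanner-demo-key"}

# Constructed sample artifact (bytes invented for the demo).
LIBRARY = b"fake contents of example-lib-1.2.3.tgz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: binds the payload type to the payload bytes."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def emit(actor: str, name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """An actor emits a fact about a subject, identified by digest, in a signed envelope."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(KEYS[actor], pae(PAYLOAD_TYPE, payload), "sha256").digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": actor, "sig": base64.b64encode(sig).decode()}],
    }


def verify(envelope: dict, trusted: set) -> tuple:
    """Return (keyid, statement) if a trusted actor signed the envelope, else raise."""
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    for sig in envelope["signatures"]:
        keyid = sig["keyid"]
        if keyid not in trusted:
            continue
        expected = hmac.new(KEYS[keyid], msg, "sha256").digest()
        if hmac.compare_digest(expected, base64.b64decode(sig["sig"])):
            statement = json.loads(payload)
            if statement.get("_type") != STATEMENT_TYPE:
                raise ValueError("payload is not an in-toto Statement")
            return keyid, statement
    raise ValueError("no valid signature from a trusted actor")


def facts_for(artifact: bytes, envelopes: list, policy: dict) -> dict:
    """Point-of-use check: collect facts trusted actors attested for exactly these bytes.

    policy maps predicateType -> set of keyids allowed to assert that kind of fact.
    Returns {predicateType: predicate}; raises if any required fact is missing.
    """
    want = sha256_hex(artifact)
    trusted = set().union(*policy.values())
    found = {}
    for env in envelopes:
        try:
            keyid, stmt = verify(env, trusted)
        except ValueError:
            continue  # untrusted or tampered envelope: skip it, never fail open
        ptype = stmt["predicateType"]
        if keyid not in policy.get(ptype, set()):
            continue  # actor is trusted, but not for this kind of fact
        if any(s["digest"].get("sha256") == want for s in stmt["subject"]):
            found[ptype] = stmt["predicate"]
    missing = set(policy) - set(found)
    if missing:
        raise ValueError(f"missing required facts: {sorted(missing)}")
    return found


def build_demo_envelopes() -> tuple:
    """Emit: publisher asserts a license; augment: scanner adds a vuln result for the same digest."""
    envs = [
        emit("publisher", "example-lib-1.2.3.tgz", LIBRARY, LICENSE_FACT, {"spdx": "MIT"}),
        emit("scanner", "example-lib-1.2.3.tgz", LIBRARY, VULN_FACT, {"known_vulnerabilities": 0}),
    ]
    policy = {LICENSE_FACT: {"publisher"}, VULN_FACT: {"scanner"}}
    return envs, policy


if __name__ == "__main__":
    envs, policy = build_demo_envelopes()
    print(facts_for(LIBRARY, envs, policy))
    try:
        facts_for(LIBRARY + b"x", envs, policy)  # different bytes: no facts apply
    except ValueError as e:
        print("rejected:", e)
```

Two design points carry over to real deployments: facts are keyed by the digest of the bytes in hand, not by a package name, so a substituted artifact simply has no attestations; and the policy says which actor may assert which fact, so a scanner's key cannot vouch for a license any more than a publisher's key can vouch for a scan.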

Other examples of the ongoing process to define the domain include Add Bad Design as a supply chain scenario · Issue #249 · slsa-framework/slsa and How does SLSA fit into broader supply chain security? · Issue #276 · slsa-framework/slsa. Check out this tweet from Aeva Black with Dan Lorenc for another in-a-pinch view of a couple of key projects.

Dependency intelligence

This section includes: package management, library management, dependency management, vendored dependency management, by-hash searches, package, library and dependency naming, library behavior labeling, library publishing, registries and repositories, publishing gates and scans, dependency lifecycle.

Also read:

SCA and SBOM

This section includes: package/library scanners and detectors; SBOM formats, standards, authoring and validation; and a few applications. It will likely include SCA.

The most complete reference is awesomeSBOM/awesome-sbom. Another helpful repo focusing on generators is cybeats/sbomgen: List of SBOM Generation Tools.

More interesting resources:

A few open source projects are documenting, in public, how they acquire dependencies. These intentional, human-parsable, long-form examples can be illustrative:

Vulnerability information exchange

A dedicated section on VEX reads:

Also see:

Point-of-use validations

This section includes: admission and ingestion policies, pull-time verification and end-user verifications.

Also see:

Supply chain beyond libraries

And a few things to watch beyond libraries and software dependencies:

Identity, signing and provenance

This section includes: projects and discussions specific to developer identity, OIDC, keyrings and related topics.

Frameworks and best practice references

This section includes: reference architectures and authoritative compilations of supply chain attacks and the emerging categories.

Also see:

Build techniques

This section includes: reproducible builds, hermetic builds, bootstrappable builds, special considerations for CI/CD systems, best practices for building artifacts such as OCI containers, etc.

Also see:

Talks, articles, media coverage and other reading

Getting started and staying fresh

And a collection of reads and listens, ranging from insightful blog posts and explainers/all-rounders to some long-form analysis (we've tried to keep deep-dive reads scoped to other sections).