🔍 ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet, the Google Summer of Code, Azure credits, nexB and other generous sponsors!

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby

Panthera(P.)uncia - Official CLI utility for Osprey Vision, Subdomain Center & Exploit Observer.

This is a mirror of https://codeberg.org/fsfe/reuse-tool

🎁 wraps all package managers with a unifying CLI

blint is a Binary Linter that checks the security properties and capabilities of your executables. It can also generate a Software Bill-of-Materials (SBOM) for supported binaries.

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.

The System Package Data Exchange (SPDX) specification in Markdown and HTML formats.

CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

A suite of utilities to help with software supply chain challenges on nix targets

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:

Deptective automatically determines the native dependencies required to run any arbitrary program or command.

OWASP Kubernetes security and compliance tool [WIP]

Functionality and DataModels of OWASP CycloneDX for Python

Validate the SPDX SBOM against NTIA, CISA, and other minimum element requirements.

A tool to automatically detect copy+pasted and vendored code between repositories

♾️ Collection of DevSecOps Notes + Resources + Courses + Tools