Securing open-source package ecosystems by originating, validating, and augmenting build attestations.

A proof-of-concept for how the SLSA Source Track could be implemented.

Security findings remediation tooling

Source code for Mozilla.ai's Lumigator platform

PURL to CPE Relationship mapping project.

simple terminal UI for git commands

Format agnostic SBOM tooling

RPM DB bindings for go

A set of reusable GitHub actions based on the Kubernetes Release Engineering Tooling

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

Fast linters runner for Go

Java library for generating, consuming, and operating on OpenVEX documents

A tool to create, transform and attest VEX metadata

An SBOM query language and associated utilities

Dynamic GitHub Actions from Wolfi packages

OpenVEX Specification

Go module to generate and transform VEX documents

A tool that takes two or more micro SBOMs and composes them into one distributable SBOM

GUAC aggregates software security metadata into a high fidelity graph database.

Code-signing for npm packages

A curated list of awesome actions to use on GitHub

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.

Keyless Git signing using Sigstore

Build OCI images from APK packages directly without Dockerfile

Interfaces and implementations for building Kubernetes releases.

Container image registry that serves images built fresh when you ask for them

Kubermatic KubeOne automate cluster operations on all your cloud, on-prem, edge, and IoT environments.