Stars
Sandwood - A JVM-based, Java-like Probabilistic Programming Language
🚀 Release projects quickly and easily with JReleaser
🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
Publish a signed build provenance from your GitHub Actions workflow
A GitHub Action for sigstore-python
A curated list of annual cyber security reports
Language-agnostic SLSA provenance generation for GitHub Actions
A suite of tools to automate software compliance checks.
Reproducible Central: rebuild instructions for artifacts published to (Maven) Central Repository
GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment
Soufflé is a variant of Datalog for tool designers crafting analyses in Horn clauses. Soufflé synthesizes a native parallel C++ program from a logic specification.
Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
Python implementation of the Package URL (purl) spec. This project is sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, the Google Summer of Code, nexB and other generous sponsors.
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, de…