awesome-repositories.com
Blog
awesome-repositories.com

Descubre los mejores repositorios open-source con nuestra búsqueda potenciada por IA.

ExplorarBúsquedas curadasAlternativas open-sourceSoftware autohospedableBlogMapa del sitio
ProyectoAcerca deCómo clasificamosPrensaServidor MCP
Aviso legalPrivacidadTérminos
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·

9 repositorios

Awesome GitHub RepositoriesSoftware Composition Analysis Tools

Security utilities that detect open source dependencies and licenses to manage supply chain risks.

Distinguishing note: Focuses on dependency management and license compliance.

Explore 9 awesome GitHub repositories matching security & cryptography · Software Composition Analysis Tools. Refine with filters or upvote what's useful.

Awesome Software Composition Analysis Tools GitHub Repositories

Encuentra los mejores repositorios con IA.Buscaremos los repositorios que mejor coincidan usando IA.
  • aquasecurity/trivyAvatar de aquasecurity

    aquasecurity/trivy

    36,462Ver en GitHub↗

    Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations agai

    Detects open source dependencies and licenses to manage supply chain risks.

    Gocontainersdevsecopsdocker
    Ver en GitHub↗36,462
  • anchore/grypeAvatar de anchore

    anchore/grype

    12,423Ver en GitHub↗

    Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc

    Analyzes project manifests and container layers to detect security flaws in open-source libraries and application components.

    Gocontainer-imagecontainerscyclonedx
    Ver en GitHub↗12,423
  • google/osv-scannerAvatar de google

    google/osv-scanner

    10,565Ver en GitHub↗

    osv-scanner is a software composition analysis tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities database. It functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library. The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and automated scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine if vulnerable code is act

    Identifies known security vulnerabilities and license issues in project dependencies via an advisory database.

    Goscannersecurity-auditsecurity-tools
    Ver en GitHub↗10,565
  • bridgecrewio/checkovAvatar de bridgecrewio

    bridgecrewio/checkov

    8,798Ver en GitHub↗

    Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security

    Scans dependency trees and package files to identify known CVEs and license violations.

    Python
    Ver en GitHub↗8,798
  • snyk/snykAvatar de snyk

    snyk/snyk

    5,586Ver en GitHub↗

    Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc

    Scans project dependency manifests to detect known security flaws, license compliance issues, and generate software bills of materials.

    TypeScript
    Ver en GitHub↗5,586
  • dependabot/dependabot-coreAvatar de dependabot

    dependabot/dependabot-core

    5,413Ver en GitHub↗

    dependabot-core is the automated dependency management engine that powers multi-ecosystem package updates and vulnerability remediation. It parses package manifests and lockfiles, polls package registries for newer versions, resolves version constraints across entire dependency trees, and generates pull requests with changelogs and structured descriptions. The system integrates vulnerability database matching to detect known security flaws and can automatically create remediation pull requests. What distinguishes this project is its handling of complex multi-ecosystem resolution across dozens

    Analyzes project dependencies for known vulnerabilities and generates software bills of materials for audit and compliance.

    Rubydependenciesdockerdotnet
    Ver en GitHub↗5,413
  • dependencytrack/dependency-trackAvatar de DependencyTrack

    DependencyTrack/dependency-track

    3,612Ver en GitHub↗

    Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity

    Identifies known vulnerabilities and license compliance issues within third-party software components.

    Javaappsecbill-of-materialsbom
    Ver en GitHub↗3,612
  • roave/securityadvisoriesAvatar de Roave

    Roave/SecurityAdvisories

    2,871Ver en GitHub↗

    SecurityAdvisories is a software composition analysis tool and PHP security advisory database used to audit project dependencies against known security flaws and CVEs. It functions as a vulnerability scanner for PHP projects to identify and manage risky third-party libraries. The project implements a system for detecting and blocking vulnerable dependencies during the software development lifecycle. It prevents the installation of software packages with known security flaws by maintaining an exclusion list of forbidden versions. The tool integrates with the PHP package manager to intercept d

    Acts as a software composition analysis tool to detect and block vulnerable third-party libraries.

    composerinfosecphp
    Ver en GitHub↗2,871
  • aboutcode-org/scancode-toolkitAvatar de aboutcode-org

    aboutcode-org/scancode-toolkit

    2,567Ver en GitHub↗

    ScanCode Toolkit is a software composition analysis tool and scanning framework designed to identify open-source licenses and copyright statements in source code and binary files. It functions as an open-source license detector, a dependency vulnerability scanner, and a generator for standardized software bills of materials in SPDX and CycloneDX formats. The project is built as a plugin-based scanning framework, allowing the integration of custom detection logic, specialized analyzers, and modified scanning behaviors at runtime. It distinguishes itself through the ability to produce formal le

    Identifies third-party packages, dependencies, and licenses within a codebase to manage supply chain risks.

    Pythoncopyrightcopyright-scancyclonedx
    Ver en GitHub↗2,567
  1. Home
  2. Security & Cryptography
  3. Software Composition Analysis Tools