16 open-source projects similar to en/code-security, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Code Security alternative.
A standalone, zero-dependency Node.js script for supply chain security analysis of npm dependencies.
An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Cosign is a tool for signing and verifying software artifacts, primarily those stored in OCI-compatible registries such as container images, Helm charts, SBOMs, and Tekton bundles. It supports keyless signing using ephemeral keys and short-lived certificates from the Sigstore public-good infrastructure, associating signatures with an OpenID Connect identity rather than a long-lived cryptographic key. The project provides multiple signing and verification methods, including private keys, key pairs stored in KMS providers like AWS KMS and Azure Key Vault, and hardware security keys. It can sign
Supply-chain Levels for Software Artifacts
preflight helps you verify scripts and executables to mitigate supply chain attacks such as the recent Codecov hack.
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real time.
Syft is a software bill of materials generator, container image scanner, and software dependency catalog. It analyzes container images and filesystems to produce comprehensive inventories of installed packages and dependencies in standard formats. Additionally, it serves as a software attestation tool and an SBOM format converter. The project distinguishes itself through the ability to create cryptographically signed attestations for software inventories to ensure provenance and integrity. It also provides the capability to transform software bills of materials between different industry sche
xo is a zero-configuration linting tool for JavaScript and TypeScript. It functions as a wrapper for the ESLint engine, providing a set of strict default rules and static analysis to enforce professional coding standards without requiring manual configuration files. The tool distinguishes itself by providing a zero-config runtime that automatically determines parser settings and linting rules at execution time. It includes a code style formatter to standardize indentation and syntax across all project files. The project covers automated error correction and source code formatting to eliminat