awesome-repositories.com
Blog
awesome-repositories.com

Descoperă cele mai bune repository-uri open source cu căutare AI.

ExploreazăCăutări recomandateAlternative open-sourceSoftware self-hostedBlogHartă site
ProiectDespreCum realizăm clasamentulPresăServer MCP
LegalConfidențialitateTermeni
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·

9 repository-uri

Awesome GitHub RepositoriesSoftware Composition Analysis Tools

Security utilities that detect open source dependencies and licenses to manage supply chain risks.

Distinguishing note: Focuses on dependency management and license compliance.

Explore 9 awesome GitHub repositories matching security & cryptography · Software Composition Analysis Tools. Refine with filters or upvote what's useful.

Awesome Software Composition Analysis Tools GitHub Repositories

Găsește cele mai bune repo-uri cu AI.Vom căuta cele mai potrivite repository-uri folosind AI.
  • aquasecurity/trivyAvatar aquasecurity

    aquasecurity/trivy

    36,462Vezi pe GitHub↗

    Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations agai

    Detects open source dependencies and licenses to manage supply chain risks.

    Gocontainersdevsecopsdocker
    Vezi pe GitHub↗36,462
  • anchore/grypeAvatar anchore

    anchore/grype

    12,423Vezi pe GitHub↗

    Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc

    Analyzes project manifests and container layers to detect security flaws in open-source libraries and application components.

    Gocontainer-imagecontainerscyclonedx
    Vezi pe GitHub↗12,423
  • google/osv-scannerAvatar google

    google/osv-scanner

    10,565Vezi pe GitHub↗

    osv-scanner is a software composition analysis tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities database. It functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library. The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and automated scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine if vulnerable code is act

    Identifies known security vulnerabilities and license issues in project dependencies via an advisory database.

    Goscannersecurity-auditsecurity-tools
    Vezi pe GitHub↗10,565
  • bridgecrewio/checkovAvatar bridgecrewio

    bridgecrewio/checkov

    8,798Vezi pe GitHub↗

    Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security

    Scans dependency trees and package files to identify known CVEs and license violations.

    Python
    Vezi pe GitHub↗8,798
  • snyk/snykAvatar snyk

    snyk/snyk

    5,586Vezi pe GitHub↗

    Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc

    Scans project dependency manifests to detect known security flaws, license compliance issues, and generate software bills of materials.

    TypeScript
    Vezi pe GitHub↗5,586
  • dependabot/dependabot-coreAvatar dependabot

    dependabot/dependabot-core

    5,413Vezi pe GitHub↗

    dependabot-core is the automated dependency management engine that powers multi-ecosystem package updates and vulnerability remediation. It parses package manifests and lockfiles, polls package registries for newer versions, resolves version constraints across entire dependency trees, and generates pull requests with changelogs and structured descriptions. The system integrates vulnerability database matching to detect known security flaws and can automatically create remediation pull requests. What distinguishes this project is its handling of complex multi-ecosystem resolution across dozens

    Analyzes project dependencies for known vulnerabilities and generates software bills of materials for audit and compliance.

    Rubydependenciesdockerdotnet
    Vezi pe GitHub↗5,413
  • dependencytrack/dependency-trackAvatar DependencyTrack

    DependencyTrack/dependency-track

    3,612Vezi pe GitHub↗

    Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity

    Identifies known vulnerabilities and license compliance issues within third-party software components.

    Javaappsecbill-of-materialsbom
    Vezi pe GitHub↗3,612
  • roave/securityadvisoriesAvatar Roave

    Roave/SecurityAdvisories

    2,871Vezi pe GitHub↗

    SecurityAdvisories is a software composition analysis tool and PHP security advisory database used to audit project dependencies against known security flaws and CVEs. It functions as a vulnerability scanner for PHP projects to identify and manage risky third-party libraries. The project implements a system for detecting and blocking vulnerable dependencies during the software development lifecycle. It prevents the installation of software packages with known security flaws by maintaining an exclusion list of forbidden versions. The tool integrates with the PHP package manager to intercept d

    Acts as a software composition analysis tool to detect and block vulnerable third-party libraries.

    composerinfosecphp
    Vezi pe GitHub↗2,871
  • aboutcode-org/scancode-toolkitAvatar aboutcode-org

    aboutcode-org/scancode-toolkit

    2,567Vezi pe GitHub↗

    ScanCode Toolkit is a software composition analysis tool and scanning framework designed to identify open-source licenses and copyright statements in source code and binary files. It functions as an open-source license detector, a dependency vulnerability scanner, and a generator for standardized software bills of materials in SPDX and CycloneDX formats. The project is built as a plugin-based scanning framework, allowing the integration of custom detection logic, specialized analyzers, and modified scanning behaviors at runtime. It distinguishes itself through the ability to produce formal le

    Identifies third-party packages, dependencies, and licenses within a codebase to manage supply chain risks.

    Pythoncopyrightcopyright-scancyclonedx
    Vezi pe GitHub↗2,567
  1. Home
  2. Security & Cryptography
  3. Software Composition Analysis Tools