Sca Collection

◆

◆

◆

◆

⚡Thunder

★★

“Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.”

◆

◆

◆

◆

🔮Psychic

★★

“:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet, the Google Summer of Code, Azure credits, nexB and other generous sponsors!”

◆

◆

◆

◆

🌸Fairy

★★

“Payments for Ruby on Rails apps”

◆

◆

◆

◆

🐉Dragon

★★

“A suite of tools to automate software compliance checks.”

◆

◆

◆

◆

🌊Water

★★

“An open source tool focused on software supply chain security. 墨菲安全专注于软件供应链安全，具备专业的软件成分分析（SCA）、漏洞检测、专业漏洞库。”

◆

◆

◆

◆

🔮Psychic

★★

“OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.”

◆

◆

◆

◆

🌊Water

★★

“OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community. ”

◆

◆

◆

◆

⚡Electric

★★

“Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server”

◆

◆

◆

◆

🔮Psychic

★★

“ASH is an extensible, open source SAST, SCA, and IaC security scanner orchestration engine.”

◆

◆

◆

◆

⚡Thunder

★★

“A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC”

◆

◆

◆

◆

⚡Thunder

★

“xAST评价体系，让安全工具不再“黑盒”. The xAST evaluation benchmark makes security tools no longer a "black box".”

◆

◆

◆

◆

📦Normal

★

“ AboutCode project: tools and data to uncover things about code: the provenance, origin, license, and more (packages, security, quality, etc.) of FOSS code. Get started at https://aboutcode.readthedocs.io/ ”

◆

◆

◆

◆

🔮Psychic

★

“A source code static analysis platform for AppSec enthusiasts.”

◆

◆

◆

◆

⚡Thunder

★

“A simple Java command-line utility to mirror the CVE JSON data from NIST.”

◆

◆

◆

◆

🔮Psychic

★

“ScanCode.io is a server to script and automate software composition analysis with pipelines. This project is sponsored by the European Commission, NLnet NGI0, the Google Summer of Code, nexB and others generous sponsors!”

◆

◆

◆

◆

🔮Psychic

★

“Lockfile-first scanner for compromised npm/PyPI/Maven/Cargo/Go/RubyGems packages — OSV + curated extras feed, SLSA L3, locked-container CI”

◆

◆

◆

◆

🔮Psychic

★

“Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.2, purl, and vers.”

◆

◆

◆

◆

🌊Water

★

“High-performance open-source security scanner combining SAST, SCA, Secret Detection, and IaC analysis, built for developers and CI/CD pipelines, using AI for recommendation!”