GUAC aggregates software security metadata into a high fidelity graph database.

Language-agnostic SLSA provenance generation for Github Actions

Evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more

Developer-centric tool to secure your software supply chain.

Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations

Github Action implementation of SLSA Provenance Generation

Container image provenance spec that allows tracing CVEs detected in registry images back to a CVE's source of origin.

Stream, Mutate and Sign Images with AWS Lambda and ECR

SLSA level 3 action

Mattermost builder

Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.

Example project using SLSA 3 Generic Generator with GoReleaser

Library to create, verify, and evaluate policy for attestations on container images

Define a reproducible Go build.

Sample Go application project with supply chain security workflows conforms to the SLSA Build Level 3 specification

Sign and package attestations in sigstore bundles

A demonstration of how GoReleaser can help us to make software supply chain more secure by using bunch of tools such as cosign, syft, grype, slsa-provenance

A proof-of-concept SLSA provenance generator for Buildkite.