Making SBOMs readable and actionable.
We build open-source tools for software supply chain transparency and CI/CD security hardening. Everything we ship is designed to be production-ready, security-first, and easy to integrate into existing workflows.
sbom-tools — Rust CLI for semantic SBOM diff, validation, quality scoring, vulnerability enrichment, and compliance checking. Supports CycloneDX and SPDX formats. Compliance profiles for NTIA, CRA, FDA, and EO 14028.
sbom-tools-action — GitHub Action for sbom-tools with SHA-256 checksum verification, SLSA/Sigstore provenance verification (required by default), and zero expression injection surface. Hardened against supply chain attacks like the March 2026 Trivy tag hijacking.
gh-guard — Claude Code plugin for CI/CD supply chain hardening. Generates SHA-pinned workflows, Trusted Publishing, SLSA L3 provenance, and Scorecard optimization for Rust projects. Includes dangerous workflow detection and incident response guidance.