# Supply Chain ## About Software supply chain security involves securing all aspects of the process of developing and delivering software, from the initial design and coding phases, through third-party components, to the end-user's system. It's about ensuring that every link in the chain is as secure as possible to prevent unauthorized access, tampering, or other malicious activities. ## Popular products and solutions **From the** [**Static Analysis section**](/tools/static-analysis.md)**, these tools covers "Supply Chain":** * **GitHub:** * Supply chain security * Dependabot * GitHub Advanced Security (for orgs, enterprises or private repos) * **Snyk:** * Snyk Open Source (SCA) * Snyk Container * **Trivy** **In this section:** * [Socket](https://socket.dev/): Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies. ## Projects * **Sigstore (**[**web**](https://www.sigstore.dev/) **):** a set of free to use and open source tools, handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software. * **Open Source Insights - deps.dev (**[**web**](https://deps.dev/) **):** Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages. ## Other tools * [LunaSec](https://github.com/lunasec-io/lunasec): dependency Security Scanner that automatically notifies you about vulnerabilities. * [JFrog Security Essentials (Xray)](https://jfrog.com/xray/): The definitive DevOps-centric SCA solution for identifying and resolving security vulnerabilities and license compliance issues in your open source dependencies. * [JFrog Advanced Security](https://jfrog.com/xray/#xray-advanced): Deep scanning for real-world-risk analysis & comprehensive Software Supply Chain Security exposure discovery. * [Fulcio](https://github.com/sigstore/fulcio): is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address. * [Cosign](https://github.com/sigstore/cosign): signing OCI containers (and other artifacts) using Sigstore. * [Rekor](https://github.com/sigstore/rekor): provides an immutable tamper resistant ledger of metadata generated within a software projects supply chain. * [Overlay](https://github.com/os-scar/overlay): a browser extension helping developers evaluate open source packages before picking them. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.devsec.fyi/tools/supply-chain.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.