// industry vertical
software supply chain forensics
GitHub Actions provenance · npm Sigstore attestations · Rekor transparency logs · SLSA v1 metadata · dependency confusion · container SBOM layers · PyPI release integrity · Maven GPG signatures · Cargo yank audits · typosquat clustering.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this vertical.
- slsa build provenance metadata forensic analyzer: drop slsa v1 provenance json · parse builder id + invocation + materials · runs locally
- github actions artifact provenance forensic analyzer: drop github actions provenance attestation export · parse builder + materials + subject digest · runs locally
- dependency confusion package metadata forensic analyzer: drop registry metadata export corpus · detect internal name collisions + scope drift · runs locally
- software supply chain typosquat cluster detector: drop package name corpus export · cluster levenshtein neighbors + publish burst patterns · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
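What the first two analyzers actually walk is an in-toto v1 Statement carrying the SLSA v1 provenance predicate, the same document GitHub Actions artifact attestations emit (usually inside a DSSE envelope) and the same shape the npm Sigstore provenance bundle in the secondary list wraps. The following is an added example, not the page's tool: it unwraps the envelope, pulls the fields an examiner records (subjects, builder id, invocation id, build parameters, materials under `resolvedDependencies`) and runs the first-pass checks. The statement, artifact bytes, builder id and repository URL are constructed for illustration; signature verification of the envelope is a separate step not shown.

```python
import base64
import hashlib
import json

# Added example, not the page's analyzer. Field names follow the SLSA v1
# provenance predicate (buildDefinition / runDetails) inside an in-toto v1
# Statement; the statement below is constructed, not a real attestation.

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"


def unwrap_dsse(doc: dict) -> dict:
    """Return the in-toto statement. A DSSE envelope carries it base64-encoded
    in `payload`; verifying the envelope signatures is not done here."""
    if "payload" in doc and "payloadType" in doc:
        return json.loads(base64.b64decode(doc["payload"]))
    return doc


def parse_provenance(statement: dict) -> dict:
    """Extract what an examiner records: subjects, builder id, invocation id,
    build parameters and materials (SLSA v1 calls them resolvedDependencies)."""
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})
    return {
        "subjects": [(s["name"], s.get("digest", {})) for s in statement.get("subject", [])],
        "build_type": build.get("buildType"),
        "external_parameters": build.get("externalParameters", {}),
        "internal_parameters": build.get("internalParameters", {}),
        "materials": [(d.get("uri"), d.get("digest", {}))
                      for d in build.get("resolvedDependencies", [])],
        "builder_id": run.get("builder", {}).get("id"),
        "invocation_id": run.get("metadata", {}).get("invocationId"),
    }


def check_provenance(statement: dict, artifact: bytes, expected_builder: str,
                     expected_repo: str) -> list:
    """Return findings (empty list = all checks passed): statement and predicate
    types, artifact digest listed as a subject, builder identity, workflow
    repository, and the source commit pinned in the materials."""
    findings = []
    if statement.get("_type") != STATEMENT_TYPE:
        findings.append(f"unexpected statement type: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        findings.append(f"unexpected predicateType: {statement.get('predicateType')!r}")
    p = parse_provenance(statement)
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(d.get("sha256") == digest for _, d in p["subjects"]):
        findings.append(f"artifact sha256 {digest[:12]}... is not a provenance subject")
    if p["builder_id"] != expected_builder:
        findings.append(f"builder id {p['builder_id']!r} != expected {expected_builder!r}")
    repo = p["external_parameters"].get("workflow", {}).get("repository")
    if repo != expected_repo:
        findings.append(f"workflow repository {repo!r} != expected {expected_repo!r}")
    if not any(uri and uri.startswith("git+" + expected_repo + "@") and "gitCommit" in dg
               for uri, dg in p["materials"]):
        findings.append("source commit of the expected repository not pinned in resolvedDependencies")
    return findings


# Constructed sample: a released tarball and the statement describing its build.
ARTIFACT = b"example release tarball bytes"
BUILDER = "https://github.com/actions/runner/github-hosted"   # assumed builder id
REPO = "https://github.com/example-org/example-app"            # assumed repository
STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "example-app-1.2.3.tgz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3", "repository": REPO,
                                                "path": ".github/workflows/release.yml"}},
            "internalParameters": {"github": {"event_name": "push"}},
            "resolvedDependencies": [{"uri": "git+" + REPO + "@refs/tags/v1.2.3",
                                      "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        },
        "runDetails": {
            "builder": {"id": BUILDER},
            "metadata": {"invocationId": REPO + "/actions/runs/123456789/attempts/1"},
        },
    },
}
ENVELOPE = {"payloadType": "application/vnd.in-toto+json",
            "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
            "signatures": []}  # constructed; a real envelope carries the signing data here

if __name__ == "__main__":
    print(json.dumps(parse_provenance(unwrap_dsse(ENVELOPE)), indent=2, default=str))
    print("findings:", check_provenance(unwrap_dsse(ENVELOPE), ARTIFACT, BUILDER, REPO))
    print("tampered:", check_provenance(STATEMENT, ARTIFACT + b"x", BUILDER, REPO))
```

The digest check is the one that matters most: a provenance document that verifies but whose subject does not match the bytes on disk tells you about a different build, and the materials check is what separates "built by GitHub" from "built by GitHub from the commit you think".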
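The dependency-confusion and typosquat entries above describe three detections over a registry metadata export: names within a small Levenshtein distance of a popular package, one publisher pushing many new names in a short window, and internal package names that a public registry also serves. The following is an added example, not the page's detector, implementing all three over a constructed corpus; "scope drift" is read here as an internal `@scope/name` whose bare `name` exists publicly, which is an interpretation, not the tool's definition.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the page's detector. Registry metadata is modelled as a
# list of dicts with name / publisher / published_at (ISO 8601); the corpus,
# popular list and internal names below are constructed for illustration.


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_clusters(corpus, popular, max_dist=2):
    """Attach each registry name within max_dist edits of a popular name to
    its nearest popular target (ties go to the first in `popular`)."""
    clusters = defaultdict(list)
    for entry in corpus:
        name = entry["name"]
        if name in popular:
            continue
        best = min(popular, key=lambda p: levenshtein(name, p))
        if levenshtein(name, best) <= max_dist:
            clusters[best].append(name)
    return {target: sorted(names) for target, names in clusters.items()}


def publish_bursts(corpus, window=timedelta(minutes=10), min_count=3):
    """Publishers that push min_count or more names inside one window.
    Publishes are grouped greedily, measured from the first in the group."""
    by_publisher = defaultdict(list)
    for entry in corpus:
        by_publisher[entry["publisher"]].append(
            (datetime.fromisoformat(entry["published_at"]), entry["name"]))
    bursts = []
    for publisher, events in by_publisher.items():
        events.sort()
        start = 0
        for i in range(1, len(events) + 1):
            if i == len(events) or events[i][0] - events[start][0] > window:
                if i - start >= min_count:
                    bursts.append((publisher, [n for _, n in events[start:i]]))
                start = i
    return bursts


def dependency_confusion_collisions(internal_names, corpus):
    """Internal names a public registry also serves: an exact collision, or
    scope drift where '@scope/name' internally has a bare 'name' publicly."""
    public = {e["name"]: e["publisher"] for e in corpus}
    hits = []
    for internal in internal_names:
        if internal in public:
            hits.append((internal, internal, "exact", public[internal]))
        if internal.startswith("@") and "/" in internal:
            bare = internal.split("/", 1)[1]
            if bare in public:
                hits.append((internal, bare, "scope_drift", public[bare]))
    return hits


# Constructed corpus: one publisher pushing four look-alikes in five minutes.
CORPUS = [
    {"name": "requets", "publisher": "mallory", "published_at": "2024-03-01T12:00:00"},
    {"name": "expres", "publisher": "mallory", "published_at": "2024-03-01T12:02:00"},
    {"name": "lodahs", "publisher": "mallory", "published_at": "2024-03-01T12:03:00"},
    {"name": "reqeusts", "publisher": "mallory", "published_at": "2024-03-01T12:05:00"},
    {"name": "auth-client", "publisher": "mallory", "published_at": "2024-03-01T14:30:00"},
    {"name": "corp-billing-utils", "publisher": "nobody", "published_at": "2024-02-20T09:00:00"},
    {"name": "numpy-ext", "publisher": "alice", "published_at": "2024-01-10T09:00:00"},
]
POPULAR = ["requests", "lodash", "express"]
INTERNAL = ["@corp/auth-client", "corp-billing-utils", "@corp/ledger"]

if __name__ == "__main__":
    print("typosquat clusters:", typosquat_clusters(CORPUS, POPULAR))
    print("publish bursts:", publish_bursts(CORPUS))
    print("confusion collisions:", dependency_confusion_collisions(INTERNAL, CORPUS))
```

The three signals are strongest together: a name one edit from a popular package, published in the same burst as other look-alikes, by an account that also holds the bare form of one of your scoped internal names is a cluster worth pulling the tarballs for, whereas any one signal alone produces plenty of benign hits.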
also useful · secondary tools
cross-cutting tools that surface depending on the specific investigation.
- npm package provenance attestation forensic analyzer: drop npm sigstore provenance bundle · parse publisher + build config + tarball digest · runs locally
- sigstore rekor transparency log forensic analyzer: drop rekor log entry export · parse uuid + integrated time + tlog index · runs locally
- container image sbom layer forensic analyzer: drop syft/cyclonedx sbom + layer manifest · parse package → layer mapping + base image chain · runs locally
- pypi release integrity forensic analyzer: drop pypi release metadata export · parse sdist/wheel hashes + yanked + maintainer timeline · runs locally
- maven central artifact signature forensic analyzer: drop maven artifact + asc signature export · parse gpg key id + signature validity hints · runs locally
- cargo crate yanked audit forensic analyzer: drop crates.io index audit export · parse yank reason + version timeline + owner changes · runs locally
- evidence manifest generator: drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
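The Rekor entry export the log analyzer above takes is the object `GET /api/v1/log/entries/{uuid}` returns: a single key (the entry id) mapping to a base64 `body`, `integratedTime`, `logID`, `logIndex` and a `verification` block. The following is an added example, not the page's analyzer: it decodes the body, reports the fields an examiner records (entry kind, logged hash, integrated time as UTC, log index, tree id) and checks that the entry id is consistent with the body, which it does by recomputing the RFC 6962 leaf hash, SHA-256 over `0x00 || body`; that Rekor derives entry ids this way, with newer ids prefixed by a 16-hex tree id, is stated here as an assumption. The entry, artifact, signature and inclusion-proof contents are constructed, and the example does not verify the signed entry timestamp or inclusion proof against a checkpoint.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Added example, not the page's analyzer. The export shape assumed is the
# response of GET /api/v1/log/entries/{uuid}; the entry below is constructed
# so that its id is consistent with its body (assumption: id = tree id + leaf hash).


def canonical_json(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(body: bytes) -> str:
    """RFC 6962 Merkle leaf hash: SHA-256(0x00 || leaf data)."""
    return hashlib.sha256(b"\x00" + body).hexdigest()


def parse_rekor_entry(export: dict) -> dict:
    (entry_id, entry), = export.items()
    body = base64.b64decode(entry["body"])
    decoded = json.loads(body)
    data_hash = decoded.get("spec", {}).get("data", {}).get("hash", {})
    return {
        "entry_id": entry_id,
        "tree_id": entry_id[:-64] or None,   # empty for older 64-hex ids
        "leaf_hash": entry_id[-64:],
        "leaf_hash_matches_body": leaf_hash(body) == entry_id[-64:],
        "kind": decoded.get("kind"),
        "api_version": decoded.get("apiVersion"),
        "log_id": entry.get("logID"),
        "log_index": entry["logIndex"],
        "integrated_time": datetime.fromtimestamp(entry["integratedTime"], tz=timezone.utc),
        "hash_algorithm": data_hash.get("algorithm"),
        "hash_value": data_hash.get("value"),
        "has_inclusion_proof": "inclusionProof" in entry.get("verification", {}),
    }


def check_rekor_entry(export: dict, artifact: bytes) -> list:
    """Findings for an examiner: entry kind, id consistent with body, logged
    hash covers this artifact, inclusion proof present for later verification."""
    p = parse_rekor_entry(export)
    findings = []
    if p["kind"] != "hashedrekord":
        findings.append(f"unexpected entry kind {p['kind']!r}")
    if not p["leaf_hash_matches_body"]:
        findings.append("entry id does not match leaf hash of body (export altered or truncated?)")
    digest = hashlib.sha256(artifact).hexdigest()
    if p["hash_algorithm"] != "sha256" or p["hash_value"] != digest:
        findings.append(f"logged hash {p['hash_value']!r} is not the sha256 of the artifact")
    if not p["has_inclusion_proof"]:
        findings.append("no inclusion proof in export; cannot verify against a checkpoint")
    return findings


def with_body(export: dict, body: bytes) -> dict:
    """Copy of an export with a replaced body, to show the leaf-hash check firing."""
    (entry_id, entry), = export.items()
    return {entry_id: {**entry, "body": base64.b64encode(body).decode()}}


# Constructed sample entry: a hashedrekord for a small artifact.
ARTIFACT = b"release artifact bytes"
BODY = canonical_json({
    "apiVersion": "0.0.1",
    "kind": "hashedrekord",
    "spec": {
        "data": {"hash": {"algorithm": "sha256", "value": hashlib.sha256(ARTIFACT).hexdigest()}},
        "signature": {"content": base64.b64encode(b"constructed-signature").decode(),
                      "publicKey": {"content": base64.b64encode(b"constructed-cert").decode()}},
    },
})
TREE_ID = "108e9186e8c5677a"  # constructed 16-hex tree id prefix
EXPORT = {
    TREE_ID + leaf_hash(BODY): {
        "body": base64.b64encode(BODY).decode(),
        "integratedTime": 1700000000,
        "logID": "ab" * 32,          # constructed log id
        "logIndex": 45678901,
        "verification": {"inclusionProof": {"logIndex": 45678901, "treeSize": 45678902,
                                            "rootHash": "00" * 32, "hashes": []},  # placeholder
                         "signedEntryTimestamp": base64.b64encode(b"constructed-set").decode()},
    }
}

if __name__ == "__main__":
    print(json.dumps(parse_rekor_entry(EXPORT), indent=2, default=str))
    print("findings:", check_rekor_entry(EXPORT, ARTIFACT))
    print("altered body:", check_rekor_entry(with_body(EXPORT, BODY + b" "), ARTIFACT))
```

The integrated time is the fact most often needed in a timeline: it is when the log accepted the entry, not when the artifact was built or published, so compare it against the registry's publish timestamp and the provenance's `startedOn`/`finishedOn` rather than treating it as the build time.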
want deeper supply chain coverage?
this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.