Artifacts

Dependencies

• Differential Alert Analysis (DAA) - Identify silent vulnerability fixes
• VFCFinder - Find vulnerability fixing commits (VFCs) aka “patch links” for security advisories
• MalwareBench - Benchmark Dataset for Software Supply Chain Security

Secure Build

• ARGUS - Dataflow analysis for GitHub Actions
• Cosseter - Least privilege permissions for GitHub Actions
• UntrustIDE - Vulnerability analysis for VS Code extensions

Humans

• Code Secret Management
• Ethical Frameworks and Computer Security Trolley Problems

Frameworks

• The Proactive Software Supply Chain Risk Management Framework