Open Source Compliance
Supply Chain Risk Reference
Search supply chain risk types, attack patterns, and mitigation tooling. Covers dependency confusion, typosquatting, maintainer account takeover, Sigstore, and SLSA.
No data is transmitted; everything runs locally.
About this tool
Supply Chain Risk Reference
The Supply Chain Risk Reference covers software supply chain attack types, MITRE ATT&CK mappings, Sigstore signing tooling, and SLSA mitigation guidance.
• Look up the dependency confusion attack pattern before auditing private package names
• Find the correct Sigstore tooling for signing a container image in CI/CD
• Reference MITRE ATT&CK T1195 sub-techniques for a threat model
• Identify which supply chain risks are addressed by SLSA Level 2 vs Level 3
Next step
npm License Auditor: audit npm package licenses for compliance risk before adding dependencies.
Open npm License Auditor
FAQ
What does this tool tell you?
The Supply Chain Risk Reference covers software supply chain attack types, MITRE ATT&CK mappings, Sigstore signing tooling, and SLSA mitigation guidance.
What affects the result most?
Supply chain attack taxonomy: dependency confusion, typosquatting, maintainer account takeover, malicious pull request merge. MITRE ATT&CK for supply chain: T1195 (Supply Chain Compromise) sub-technique reference. Dependency confusion attack surface: private package names that could be shadowed by a same-named package on a public registry.
How should I use the result?
Use this tool to orient quickly to the concepts, field names, or values you are about to look up in a full specification or vendor documentation. It summarizes the common cases; the authoritative source remains whichever standard or vendor doc defines the values themselves.