A vulnerability scanner for container images and filesystems (Go; updated Jun 24, 2026)
Pure-Rust Android decompiler and security-audit suite. DEX → Java, Hermes → JavaScript. Cross-layer taint across the React Native bridge. CycloneDX SBOM + OpenVEX. CLI and MCP. Bytecode is not a security layer.
Deterministic, reachability-aware software composition analysis (SCA) engine — lockfile-first resolution, function- & cross-package reachability, patch-diff symbol mining, EPSS/KEV, SARIF + OpenVEX. Zero runtime dependencies.
SBOM diff with supply-chain risk signals — flags new CVEs, typosquats, and young maintainers on changed deps. Built after axios (Mar 2026), Shai-Hulud, and xz.
CA9 is a local evidence engine for Python AppSec triage. It sits after scanners and before engineers waste time, proving which findings matter.
Ultra-fast open-source code security scanner. Finds vulnerabilities across 8 languages (Rust, Go, Python, JS, TS, Java, C, C++) using SAST + taint analysis + LLM verification — fewer false positives, faster audits. Outputs Sigstore-signed SARIF, SBOM, and OpenVEX bundles for supply-chain compliance.
VEX document crawler and aggregator
VEX statements for SUSE Observability product images. Consumable by Trivy via --vex repo.
APK / AAB / XAPK parser and security analysis library. Signing v1–v4 + ROCA / Fermat / Wiener / batch-GCD. CycloneDX SBOM with .rodata byte anchors. OpenVEX. YARA-X. Pure Rust.
FDA-ready SBOM, vulnerability scan, and VEX triage pipeline for medical-device software (§524B)