Secure your code while it is in repository.
Xeol generates CycloneDX SBOMs from your images then ingests them into our dashboard.
The ingested SBOMs are shown as graphs of your entire software supply chain.
Searchable. Search through your supply chain to identify risks.
Vulnerabilities. See the critical vulnerabilities in your software supply chain.
Maintainability. See poorly maintained or tested components based on OSSF scores.
End-of-Life. See components that are no longer supported by their publishers.
Licensing. Ensure there are no commercial licenses within your supply chain.
Data Source. We use our proprietary EOL database and OSV's vulnerability databases.
Secure your code while it is being built.
Ensure that all the images deployed to your product environment are signed by trusted sources.
Verify that every script, every machine that touched your code during build comes from a trusted source.
Notary v2. We currently support using Notary v2 to sign and verify container images.
Sigstore (coming). Sigstore standard to sign and check components.
SLSA (coming). Supply-chains Level for Software Artifacts for build provenance.
SCVS (coming). Software Component Verification Standard to verify components.
Double check that your build process itself has not been tampered with by comparing your source code to the build output binary
Apache 2.0. Get started for free or audit our CLI tool as you see fit. Contribute to it as well!
CI/CD Agnostic. Integrates into CircleCI, Jenkins, GitHub, Azure DO, GitLab, etc.
Agentless. Your security team can start using Xeol without unlocking engineering resources.