As a team, we're working on a project to turn standard supply chain scanning into actual Risk Intelligence.
The Core Idea: We are building a platform that ingests GitHub repos, runs the standard stack (Syft/Trivy/Grype), but then adds an AI/ML layer to:
Verify SLSA Provenance: Automate the checking of unpinned actions and build integrity.
Detect Anomalies: Using IsolationForest to flag weird dependency changes that simple scanners might miss.
Provide Explainable Scoring: Using SHAP so the security lead knows why a repo was marked as "High Risk."
Our specific focus is Critical Infrastructure (Energy/Telecom), where a "blind" update can be catastrophic.
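The unpinned-actions check mentioned above is the easiest piece to make concrete. What follows is an added illustration, not code from the project or the post: a small stdlib-only scanner that walks a GitHub Actions workflow, pulls out every `uses:` reference and reports the ones that resolve to a mutable ref (a tag, a branch, or no ref at all) instead of a full 40-character commit SHA. Local composite actions (`./...`) and `docker://` images are classified separately rather than flagged, since pinning rules for those differ. The workflow text, the action names and the SHA are all constructed for the example; the regex-based parsing is an assumption chosen to avoid a YAML dependency and would miss `uses:` values built from expressions.

```python
import re

# Matches a GitHub Actions step line such as:  - uses: owner/repo@ref  # comment
# Quotes are optional; the value stops at whitespace, a quote or a '#' comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')

# A "pinned" ref is a full 40-hex commit SHA; anything else can move under you.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow (not a real repository). The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
        with:
          python-version: "3.12"
      - uses: actions/cache@main
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: some-org/some-action
"""


def classify_ref(uses: str):
    """Split a 'uses' value into (action, ref, status).

    status is one of:
      'pinned'   - ref is a full commit SHA
      'unpinned' - ref is a tag/branch, or there is no ref at all
      'local'    - composite action inside this repository
      'docker'   - container image reference (digest pinning is a separate check)
    """
    if uses.startswith("./"):
        return uses, None, "local"
    if uses.startswith("docker://"):
        return uses, None, "docker"
    if "@" not in uses:
        # No ref at all resolves to the action's default branch at run time.
        return uses, None, "unpinned"
    action, ref = uses.rsplit("@", 1)
    status = "pinned" if FULL_SHA_RE.match(ref) else "unpinned"
    return action, ref, status


def find_unpinned_actions(workflow_text: str):
    """Return one finding per 'uses:' line whose ref is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, status = classify_ref(m.group(1))
        if status == "unpinned":
            findings.append({"line": lineno, "action": action, "ref": ref})
    return findings


def summarize(workflow_text: str):
    """Count each status so the result can feed a risk score rather than only a log."""
    counts = {"pinned": 0, "unpinned": 0, "local": 0, "docker": 0}
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            counts[classify_ref(m.group(1))[2]] += 1
    return counts


if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']} @ {f['ref'] or '<default branch>'} is not SHA-pinned")
    print(summarize(SAMPLE_WORKFLOW))
```

Two caveats worth keeping in mind when turning this into a scoring signal: a full SHA pin is only as good as the review of what that SHA contains, so the scanner should be paired with a renovate/dependabot comment convention (the `# v5.0.0` style shown) to keep pins updatable; and for `docker://` steps the analogous check is an `@sha256:` digest, which this block deliberately leaves to a separate rule.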