今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

Introducing Synapse: a deterministic-first, open-source SCA and evidence platform

Huỳnh Lê Nhất Nghĩa 2026年07月07日 02:48 4 次阅读 来源:Dev.to

We just open-sourced Synapse , a governed control plane for software composition analysis, recon, evidence, and reporting. It is built for people who have to scan a dependency tree, prove what they found, and hand over a report that holds up. Site: https://synapse.kkloudtarus.net/ Code: https://github.com/KKloudTarus/synapse-ce (Apache-2.0) Why we built it The usual workflow is fragmented. One tool for the SBOM, another for vulnerabilities, a spreadsheet for licenses, a folder of screenshots for evidence, and a report you assemble by hand. Nothing is reproducible, and when a client asks "how do you know this is real," the answer lives in someone's memory. Adding an LLM that writes your findings only makes that worse. We wanted the opposite: fast, but provable. What it is Synapse runs the assessment lifecycle behind one control plane, in Go, clean architecture. A few ideas hold it together: Deterministic-first. Scanning, matching, license classification, and reporting are pure, reproducible Go. There is no model in the report path. Scope-gated execution. Every engagement carries a scope and an authorization window, enforced server-side before any tool runs. Tools run via argument arrays, never a shell string. Tamper-evident evidence. Every artifact is hash-chained and append-only. A broken chain blocks the report. Bounded automation. The optional AI layer only ever proposes. A distinct verifier or a human confirms. The agent can never confirm its own claim. What it does today: SBOM across 15+ ecosystems, multi-source vulnerability detection with risk-based prioritization (KEV, then EPSS, then CVSS), license compliance, reachability, and deterministic reports in CycloneDX, SPDX, SARIF, and OpenVEX. Try it git clone https://github.com/KKloudTarus/synapse-ce.git cd synapse-ce docker compose -f deploy/docker-compose.full.yml up --build # open http://localhost:5173 Or gate CI on real risk: ./bin/synapse-cli scan . --fail-on high . We are looking for contributors Synapse i

本文内容来源于互联网,版权归原作者所有
查看原文