
Start securing your software supply chain with ease!

SCABLE is an open-source solution that systematically and automatically analyzes software components, providing comprehensive support for open-source security and license management.

SCABLE Main Image



[1] About the Project

Why SCABLE?

SCABLE is designed to help organizations build a secure software supply chain by automating software component analysis and license management.

It leverages CodeQL Taint Analysis to efficiently identify real security threats and focuses on supply chain security management with features like:

  • Typosquatting detection
  • License compliance
  • Real-time CI/CD integration

Features

SCABLE provides six key functionalities:

  • 🛠️ Automated SBOM Generation
    Generate SBOMs in CycloneDX, SPDX, and SWID formats.

  • 🛡️ Identification of Real Threats
    Identify real security threats among vulnerabilities detected in SBOMs using advanced analysis.

  • 🔍 Open-Source License Analysis
    Ensure compliance by analyzing open-source licenses in your software.

  • 🕵️ Detection of Typosquatting & Malicious Packages
    Detect typosquatting attempts and analyze dependency reputation.

  • 📊 Dashboard Reporting
    Visualize SBOM analysis results in a user-friendly dashboard.

  • ⚙️ Seamless CI/CD Integration
    Integrate into CI/CD pipelines for automated security and compliance checks.

Technologies

  • CDXGEN: CycloneDX SBOM generation (Apache-2.0 License).
  • OSV-DEV: Vulnerability lookup based on OSV and NVD databases (Apache-2.0 License).
  • CodeQL: Taint Analysis for identifying vulnerable components (MIT License).
  • OSORI DB: Open-source license information (ODC-By 1.0 License).
  • React Tailwind Admin Template: Reporting dashboard (MIT License).

Supported Languages

  • Python (current support): SCABLE provides comprehensive analysis for Python-based projects.
  • Future Expansion: Support for additional programming languages is actively under development to meet diverse project needs.

[2] Getting Started

Prerequisites

SCABLE requires three ports for smooth operation:

  • 8282: Initial setup and SBOM generation/analysis requests.
  • 5173: Dashboard for viewing analysis results.
  • 8080: Used for Jenkins integration (optional).

Installation

1. Using Docker

git clone https://github.com/2024-scable/scable
docker compose up -d

2. Direct Installation on Linux

apt update && apt install -y curl
curl -s https://raw.githubusercontent.com/2024-scable/scable/main/setup.sh | bash

[3] API Reference

1. /sbom

Generates an SBOM (Software Bill of Materials) in three standard formats: CycloneDX, SWID, and SPDX.

Tracks "Reachable Components", i.e. the components that user input can actually reach according to the CodeQL taint analysis, and visualizes the analysis results on the web page.

⚠️ Important Note:
SCABLE currently provides robust analysis for Python-based projects and is actively evolving to include support for additional programming languages in the near future.
This will enable broader compatibility and adaptability for various development environments.

HTTP Request

GET http://127.0.0.1:8282/sbom

Request Parameters

Parameter   Type     Required   Description
repo_url    string   Yes        Git repository URL or absolute path of the project to be analyzed
lan         string   Yes        Fixed value: python

Example Request 1 (Public Git URL Test)

curl "http://127.0.0.1:8282/sbom?repo_url=https://github.com/example/python-example&lan=python"

Example Request 2 (Private Git URL Test)

curl "http://127.0.0.1:8282/sbom?repo_url=https://<USERNAME>:<TOKEN>@github.com/<OWNER>/<REPO>&lan=python"

Example Request 3 (Absolute Project Path Test)

curl "http://127.0.0.1:8282/sbom?repo_url=/home/test/python-example&lan=python"

Example Response

[*] SCABLE ANALYZE START
[+] CREATE SBOM COMPLETE
[+] REACHABLE ANALYZE COMPLETE
[+] PACKAGE ANALYZE COMPLETE
[+] FINISHING WORK COMPLETE

{
  "date": "2024-12-03",
  "start_time": "20-24-26",
  "repository": "python-example",
  "language": "python",
  "reporting_url": "http://localhost:5173/2024-12-03_20-24-26_python-example"
}
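The /sbom response above is a plain-text progress log followed by a JSON object, and the private-repository example embeds credentials in repo_url. A client therefore has to percent-encode repo_url (so ':' '/' '@' or any '&' in the URL or token cannot be read as query delimiters), strip the credentials before logging, and locate the JSON after the log lines. The helpers below are an added example, not SCABLE's own code; they assume only what the API reference states (GET /sbom on port 8282 with repo_url and lan, dashboard on port 5173), and the sample output is the Example Response copied from this README.

```python
"""Client helpers for SCABLE's /sbom endpoint (added example, not SCABLE code)."""
import json
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

SCABLE_BASE = "http://127.0.0.1:8282"   # request port documented under Prerequisites
DASHBOARD_PORT = 5173                   # dashboard port documented under Prerequisites


def build_sbom_url(repo_url: str, base: str = SCABLE_BASE) -> str:
    """Percent-encode repo_url so nothing inside it is mistaken for a query delimiter."""
    return f"{base}/sbom?" + urlencode({"repo_url": repo_url, "lan": "python"})


def redact_repo_url(repo_url: str) -> str:
    """Drop an embedded <USERNAME>:<TOKEN> so the URL is safe to write to CI logs.
    Absolute local paths have no netloc and are returned unchanged."""
    parts = urlsplit(repo_url)
    if "@" not in parts.netloc:
        return repo_url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def parse_sbom_output(text: str) -> tuple[list[str], dict]:
    """Split the response into its progress lines and the trailing JSON object."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in /sbom response")
    progress = [ln for ln in text[:start].splitlines() if ln.strip()]
    return progress, json.loads(text[start:])


def dashboard_url_ok(reporting_url: str) -> bool:
    """Sanity check: the report link must point at the documented dashboard port."""
    return urlsplit(reporting_url).port == DASHBOARD_PORT


def run_sbom(repo_url: str, fetch=None) -> dict:
    """Request an SBOM and return the parsed result plus the progress lines.
    `fetch` is injectable so the flow can be exercised without a live server."""
    if fetch is None:
        fetch = lambda url: urlopen(url).read().decode()  # live HTTP call
    progress, result = parse_sbom_output(fetch(build_sbom_url(repo_url)))
    if not dashboard_url_ok(result.get("reporting_url", "")):
        raise ValueError(f"unexpected reporting_url for {redact_repo_url(repo_url)}")
    result["progress"] = progress
    return result


# Constructed sample: the Example Response shown in this README, used offline.
SAMPLE_OUTPUT = """[*] SCABLE ANALYZE START
[+] CREATE SBOM COMPLETE
[+] REACHABLE ANALYZE COMPLETE
[+] PACKAGE ANALYZE COMPLETE
[+] FINISHING WORK COMPLETE

{
  "date": "2024-12-03",
  "start_time": "20-24-26",
  "repository": "python-example",
  "language": "python",
  "reporting_url": "http://localhost:5173/2024-12-03_20-24-26_python-example"
}
"""

if __name__ == "__main__":
    res = run_sbom("https://github.com/example/python-example", fetch=lambda url: SAMPLE_OUTPUT)
    print(res["reporting_url"])
```

Call run_sbom with the default fetch against a running instance; the injected fetch in the usage block replays the README's sample so the parsing and checks can be verified offline.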

2. /package-check

Evaluates the potential risk of a package by analyzing its age, days since the last modification, number of release versions, download count, GitHub stars, and typosquatting suspicion.

Assigns a score and risk level to identify potentially malicious packages.

HTTP Request

GET http://127.0.0.1:8282/package-check

Request Parameters

Parameter      Type     Required   Description
package_name   string   Yes        The name of the PyPI package to check

Example Request

curl "http://scable.kr:8282/package-check?package_name=requests"
curl "http://scable.kr:8282/package-check?package_name=numppy"

Example Response

# Example 1: Trusted Package
{
  "message": "Matches TOP 8000 PyPI packages",
  "package_name": "requests",
  "risk_level": "Green",
  "score": 0
}
# Example 2: Typosquatting Suspected
{
  "message": "Typosquatting suspected",
  "package_name": "numppy",
  "platform": "pypi",
  "reasons": {
    "Downloads < 300": "+20 points",
    "GitHub stars < 30": "+10 points",
    "Last modified > 2 years": "+10 points",
    "Versions count < 5": "+10 points"
  },
  "risk_level": "Red",
  "score": 50,
  "similar_packages": [
    [
      "numpy",
      90.9090909090909
    ]
  ],
  "status": "Warning",
  "version": null
}
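The two responses above show how /package-check can drive a CI gate: read the package names out of a requirements file, query the endpoint for each, fail on a Red risk level, and cross-check the response (the "+N points" reasons should sum to the score). The code below is an added example, not SCABLE's code. TRUSTED is a constructed stand-in for the "TOP 8000 PyPI packages" list the API mentions, the 0.85 threshold is this example's choice, and the local similarity check uses difflib's ratio, which happens to give the 90.9 shown for numppy/numpy but is not documented as the project's metric. The sample responses are the two examples from this README.

```python
"""CI gate over SCABLE /package-check results (added example, not SCABLE code)."""
import difflib
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

TRUSTED = ["requests", "numpy", "urllib3", "flask"]  # constructed stand-in for the top-packages list
SIMILARITY_THRESHOLD = 0.85                          # example's own choice, not SCABLE's
SCABLE_BASE = "http://127.0.0.1:8282"

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> list[str]:
    """Normalised package names from requirements.txt lines; skips comments,
    blank lines and pip options, and drops extras, version specs and markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))
    return names


def similar_trusted(name, trusted=TRUSTED, threshold=SIMILARITY_THRESHOLD):
    """Trusted names that `name` resembles, as (name, percent) like the API's
    similar_packages field. An exact match is not a lookalike."""
    hits = []
    for t in trusted:
        if t == name:
            continue
        r = difflib.SequenceMatcher(None, name, t).ratio()
        if r >= threshold:
            hits.append((t, round(r * 100, 1)))
    return sorted(hits, key=lambda h: -h[1])


def points_add_up(resp: dict) -> bool:
    """Check that the '+N points' reasons in a response sum to its score."""
    total = 0
    for val in resp.get("reasons", {}).values():
        m = re.search(r"[+-]?\d+", val)
        total += int(m.group()) if m else 0
    return total == resp.get("score", 0)


def live_lookup(name: str, base: str = SCABLE_BASE) -> dict:
    """Query a running SCABLE instance for one package."""
    with urlopen(f"{base}/package-check?" + urlencode({"package_name": name})) as r:
        return json.load(r)


def gate(requirements: str, lookup=live_lookup, fail_levels=("Red",)):
    """Return (passed, findings) for every package in `requirements`."""
    findings = []
    for name in parse_requirements(requirements):
        resp = lookup(name)
        level = resp.get("risk_level")
        if level in fail_levels:
            findings.append(f"{name}: risk {level} score {resp.get('score')} ({resp.get('message')})")
        if not points_add_up(resp):
            findings.append(f"{name}: reasons do not sum to score")
        for t, pct in similar_trusted(name):  # local second opinion on lookalike names
            findings.append(f"{name}: resembles trusted package {t} ({pct}%)")
    return not findings, findings


# Constructed offline sample: the two responses shown in this README.
SAMPLE_RESPONSES = {
    "requests": {"message": "Matches TOP 8000 PyPI packages", "package_name": "requests",
                 "risk_level": "Green", "score": 0},
    "numppy": {"message": "Typosquatting suspected", "package_name": "numppy", "platform": "pypi",
               "reasons": {"Downloads < 300": "+20 points", "GitHub stars < 30": "+10 points",
                           "Last modified > 2 years": "+10 points", "Versions count < 5": "+10 points"},
               "risk_level": "Red", "score": 50, "similar_packages": [["numpy", 90.9090909090909]],
               "status": "Warning", "version": None},
}


def sample_lookup(name: str) -> dict:
    return SAMPLE_RESPONSES.get(name, {"package_name": name, "risk_level": "Unknown", "score": 0})


if __name__ == "__main__":
    ok, notes = gate("requests==2.31.0\nnumppy>=1.0\n", lookup=sample_lookup)
    print("PASS" if ok else "FAIL", *notes, sep="\n")
```

In a pipeline, exit non-zero when gate() returns False; the default live_lookup talks to the port documented under Prerequisites, while sample_lookup replays the README's two responses for an offline dry run.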

[4] Usage Screenshots

SBOM DashBoard

SCABLE Dashboard

Vulnerable Components

SCABLE Vulnerabilities

Additional Vulnerability Details

SCABLE Vulnerabilities Detailed

Malicious Package Reporting DashBoard

SCABLE Dashboard Insights

Package Details

SCABLE Package Analysis

License Analysis DashBoard

SCABLE Advanced Dashboard

License Details

SCABLE License Analysis

Dependency Tree

SCABLE Dependency Tree

[5] SCABLE's VISION

"SCABLE ensures the reliability and security of software supply chains, empowering organizations to manage supply chain security efficiently and systematically."

✔️ Enhancing Transparency Across the Supply Chain

SCABLE enables organizations to clearly understand the components of their software supply chain through SBOM generation and license analysis. By adhering to global standards, SCABLE ensures trust and transparency.

✔️ Efficient and Practical Vulnerability Management

With CodeQL-based analysis and typosquatting detection, SCABLE identifies critical risks in the supply chain, allowing organizations to focus on resolving real security challenges.

✔️ Accessible and Scalable Solution

As an open-source and free security platform, SCABLE provides an easy-to-use solution for managing software supply chain security, ensuring accessibility for organizations of all sizes.

[6] Contact

SCABLE is an open-source project where everyone is welcome to contribute and collaborate. We look forward to hearing from you to improve and expand the project together.

Feel free to reach out for:

  • Questions about SCABLE
  • Suggestions for new features
  • Reporting issues or bugs
  • Collaboration opportunities

Let’s build a more secure software supply chain together!

[7] License

This project is licensed under the Apache License 2.0. SCABLE integrates open-source technologies, including CDXGEN (Apache-2.0), OSV-DEV (Apache-2.0), CodeQL (MIT), OSORI DB (ODC-By 1.0), and React Tailwind Admin Template (MIT). For details, refer to the respective project licenses.

License information can be found in the LICENSE file.
