This repository contains Bazel modules for injecting supply-chain metadata into builds and collecting it from them.

- Documentation
- Modules
- Contact:
  - Slack
  - There is a working group which meets weekly on Thursdays at 2:30pm CET / 8:30am EST (meeting link available on request).
  - If you would like to participate, reach out on the Slack channel for an invitation.
  - Meeting notes
  - Mailing list: bazel-supply-chain-security@bazel.build
This project is the successor to rules_license.

The intended use cases are:

- declaring metadata about packages, such as
  - the licenses the package is available under
  - the canonical package name and version
  - copyright information
  - ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization-specific compliance constraints against the set of packages used by a target
- producing SBOMs for built artifacts
WARNING: The code here is still in active initial development and will churn a lot. Everything is in flux.

The immediate concern is feature parity with rules_license and providing a smooth migration path.

The documents here are for learning about the problem space and our approach to solutions. Concrete specifications will always appear in checked-in code rather than in documents.