Active development has moved to https://github.com/bazel-contrib/supply-chain. Please look there for current status. If you wish to contribute, please consider doing your work there.
This repository contains a set of rules and tools for:
- declaring metadata about packages, such as
  - the licenses the package is available under
  - the canonical package name and version
  - copyright information
  - ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization-specific compliance constraints against the set of packages used by a target
- producing SBOMs for built artifacts
This overview is for learning about the problem space and our approach to solutions. Concrete specifications will always appear in checked-in code rather than in documents.