AI provenance across your entire dependency tree. Fourteen ecosystems. SBOM integration. Private registry support.
You know your vulnerabilities thanks to Snyk and Dependabot. You know your licenses thanks to FOSSA. But you do not know what percentage of your software supply chain was written with AI assistance.
Supply Chain Attestation answers that across fourteen package ecosystems, integrates with CycloneDX and SPDX, and supports private registries for enterprise deployment.
```bash
npx @korext/supply-check scan
```
| Ecosystem | Manifest | Lockfile |
|---|---|---|
| npm | package.json | package-lock.json, yarn.lock |
| PyPI | pyproject.toml, requirements.txt, setup.py | poetry.lock, Pipfile.lock |
| Cargo | Cargo.toml | Cargo.lock |
| Go Modules | go.mod | go.sum |
| RubyGems | Gemfile | Gemfile.lock |
| Maven | pom.xml, build.gradle | pom.xml resolution |
| NuGet | .csproj, packages.config | .csproj PackageReference |
| Composer | composer.json | composer.lock |
| Swift PM | Package.swift | Package.resolved |
| CocoaPods | Podfile | Podfile.lock |
| Pub | pubspec.yaml | pubspec.lock |
| Hex | mix.exs | mix.lock |
| CPAN | cpanfile, META.json | cpanfile.snapshot |
| Conda | environment.yml | conda-lock.yml |
Sample `scan` output:

```
Supply Chain Attestation

Ecosystem: npm
Dependencies: 847 total, 823 scanned

AI Coverage: 127 dependencies (15.4%)
Weighted AI Percentage: 28.3%

Governance Distribution:
  ATTESTED:       12 dependencies
  SCANNED:        89 dependencies
  UNGOVERNED:    722 dependencies
  NO_ATTESTATION: 24 dependencies

High Risk Dependencies: 3
  some-small-lib@2.0.0: 89% AI, ungoverned
  another-lib@1.2.3:    65% AI, ungoverned
  one-more@0.9.0:       72% AI, no attestation
```
Attestation data for each dependency is looked up from three sources:

- Package: the dependency's published artifact includes `.ai-attestation.yaml`
- Registry: data hosted at `oss.korext.com/registry/` (automated scans + maintainer submissions)
- Repository: the dependency's source repository has `.ai-attestation.yaml`

Priority: Package > Registry > Repository
| Command | Description |
|---|---|
| `scan` | Scan dependency tree |
| `report` | Print detailed report |
| `registry` | Query registry |
| `publish` | Publish attestation (maintainers) |
| `check` | Policy gate for CI |
| `sbom` | Export CycloneDX or SPDX |
```bash
npx @korext/supply-check sbom --format cyclonedx > sbom.json
npx @korext/supply-check sbom --format spdx > sbom.spdx.json
```
AI data is embedded through each format's standard extension mechanism:
- CycloneDX 1.6: `properties` array with `korext:` namespace
- SPDX 2.3: `annotations` with `korext:` properties
Compatible with any SBOM consumer.
```yaml
- uses: korext/supply-chain-attestation/action@v1
  with:
    max-ai-percentage: 40
    max-high-risk: 5
    block-ungoverned-ai: true
    require-attested-for: "payment"
    sbom-output: cyclonedx
```
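To make the gate's semantics concrete, here is an added example (not code from `@korext/supply-check`) that applies the four policy inputs above to a scan report. The report shape, the 50% high-risk cut-off and substring matching for `require-attested-for` are assumptions, not documented behaviour of the tool.

```javascript
// Assumed high-risk cut-off: the README lists 65-89% AI deps as high risk but gives no threshold.
const HIGH_RISK_AI_PERCENT = 50;

// A dependency is treated as high risk when it is mostly AI-written and nobody has attested it.
function isHighRisk(dep) {
  return dep.aiPercentage >= HIGH_RISK_AI_PERCENT && dep.governance !== "ATTESTED";
}

// Evaluate a report against the action's inputs; returns every violation so CI logs are actionable.
function evaluatePolicy(report, policy) {
  const violations = [];
  if (report.weightedAiPercentage > policy.maxAiPercentage) {
    violations.push(`weighted AI ${report.weightedAiPercentage}% exceeds max-ai-percentage ${policy.maxAiPercentage}`);
  }
  const highRisk = report.dependencies.filter(isHighRisk);
  if (highRisk.length > policy.maxHighRisk) {
    violations.push(`${highRisk.length} high-risk dependencies exceed max-high-risk ${policy.maxHighRisk}`);
  }
  for (const dep of report.dependencies) {
    const id = `${dep.name}@${dep.version}`;
    // block-ungoverned-ai: AI-assisted code with no attestation and no scan record
    if (policy.blockUngovernedAi && dep.aiPercentage > 0 && dep.governance === "UNGOVERNED") {
      violations.push(`${id}: ${dep.aiPercentage}% AI, ungoverned (block-ungoverned-ai)`);
    }
    // require-attested-for: sensitive packages must carry a maintainer attestation (substring match assumed)
    const mustAttest = policy.requireAttestedFor.some((pattern) => dep.name.includes(pattern));
    if (mustAttest && dep.governance !== "ATTESTED") {
      violations.push(`${id}: matches require-attested-for but governance is ${dep.governance}`);
    }
  }
  return { pass: violations.length === 0, violations };
}

// Constructed sample report: the three high-risk entries mirror the README's scan output, the rest are made up.
const sampleReport = {
  weightedAiPercentage: 28.3,
  dependencies: [
    { name: "some-small-lib", version: "2.0.0", aiPercentage: 89, governance: "UNGOVERNED" },
    { name: "another-lib", version: "1.2.3", aiPercentage: 65, governance: "UNGOVERNED" },
    { name: "one-more", version: "0.9.0", aiPercentage: 72, governance: "NO_ATTESTATION" },
    { name: "payment-sdk", version: "4.1.0", aiPercentage: 10, governance: "SCANNED" },
    { name: "tiny-util", version: "1.0.0", aiPercentage: 0, governance: "UNGOVERNED" },
  ],
};

// The same values as the workflow snippet above.
const actionPolicy = { maxAiPercentage: 40, maxHighRisk: 5, blockUngovernedAi: true, requireAttestedFor: ["payment"] };

const result = evaluatePolicy(sampleReport, actionPolicy);
console.log(result.pass ? "PASS" : "FAIL", result.violations);
```

With these inputs the aggregate thresholds are satisfied, but the gate still fails on the two ungoverned AI-heavy packages and on `payment-sdk`, which is scanned but not attested.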
Run your own registry for internal packages or mirror the public registry.
Four storage backends: Cloud Storage, S3, Azure Blob, local filesystem.
Authentication: OAuth, SAML, or API tokens.
Deployment: Docker, Kubernetes, or Docker Compose manifests included.
See PRIVATE-REGISTRY.md.
Maintainers can generate an attestation for their own package and publish it:

```bash
npx @korext/ai-attestation init
npx @korext/supply-check publish
```
Add the badge:
```markdown
AI Attestation
```
- SBOM tools (CycloneDX, SPDX): adds AI data via standard extensions
- Vulnerability scanners (Snyk, Dependabot): different concern
- License checkers (FOSSA): different concern
- Build provenance (Sigstore, SLSA): different concern
See SPEC.md. CC0 1.0 (public domain).
See PRIOR_ART.md.
Korext builds AI code governance tools.