Know your supply chain's AI
AI provenance across every dependency in your project. Eight ecosystems. CycloneDX and SPDX integration. Private registry support.
npx @korext/supply-check scan

The gap in supply chain tooling
You know your vulnerabilities thanks to Snyk and Dependabot. You know your licenses thanks to FOSSA. But you do not know what percentage of your software supply chain was written with AI assistance.
ecosystems supported at launch
SBOM formats (CycloneDX 1.6, SPDX 2.3)
existing tools that track AI across dependencies
Scan
One command scans your lockfile, enumerates every dependency, and queries the attestation registry for AI provenance data.
Report
Get a full breakdown: weighted AI percentage, governance tiers, high-risk dependencies, and tool distribution across your supply chain.
Enforce
Set policies in CI. Block ungoverned AI dependencies. Require attestation for critical packages. Export CycloneDX or SPDX.
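The Scan, Report and Enforce steps above, as an added example (not korext's own code): it derives the report's headline figures (coverage, weighted AI percentage, governance tiers, high-risk list) from per-dependency provenance records and applies a CI policy gate. The records are constructed; weighting by lines of code and the 60% high-risk threshold are assumptions, since the page defines neither.

```python
from collections import Counter

# Constructed sample records: (name, version, AI %, governance tier, lines of code).
# None for AI % means the package was scanned but no provenance was recorded.
DEPS = [
    ("core-lib", "4.1.0", 5.0, "ATTESTED", 20000),
    ("some-small-lib", "2.0.0", 89.0, "UNGOVERNED", 800),
    ("another-lib", "1.2.3", 65.0, "UNGOVERNED", 1200),
    ("one-more", "0.9.0", 72.0, "NO_ATTESTATION", 500),
    ("utils", "3.3.1", None, "SCANNED", 3000),
]
UNGOVERNED_TIERS = {"UNGOVERNED", "NO_ATTESTATION"}
HIGH_RISK_AI = 60.0  # assumed threshold; the page does not state one


def summarize(deps):
    """Reproduce the report's headline figures from per-dependency records."""
    scanned = [d for d in deps if d[3] != "NO_ATTESTATION"]
    covered = [d for d in scanned if d[2] is not None]
    # Assumption: "weighted" means weighted by lines of code, so a large
    # hand-written library dilutes a tiny AI-heavy one.
    loc = sum(d[4] for d in covered)
    weighted = round(sum(d[2] * d[4] for d in covered) / loc, 1) if loc else 0.0
    high_risk = [f"{n}@{v}: {int(ai)}% AI, {t.lower().replace('_', ' ')}"
                 for n, v, ai, t, _ in deps
                 if ai is not None and ai >= HIGH_RISK_AI and t in UNGOVERNED_TIERS]
    return {
        "total": len(deps), "scanned": len(scanned),
        "coverage": len(covered),
        "coverage_pct": round(100 * len(covered) / len(scanned), 1) if scanned else 0.0,
        "weighted_ai_pct": weighted,
        "governance": dict(Counter(d[3] for d in deps)),
        "high_risk": high_risk,
    }


def policy_gate(deps, max_weighted_ai, block_ungoverned, require_attested=()):
    """CI policy check; returns the list of violations (empty means pass)."""
    s = summarize(deps)
    tiers = {d[0]: d[3] for d in deps}
    violations = []
    if s["weighted_ai_pct"] > max_weighted_ai:
        violations.append(f"weighted AI {s['weighted_ai_pct']}% exceeds {max_weighted_ai}%")
    bad = sorted(n for n, t in tiers.items() if t in UNGOVERNED_TIERS)
    if block_ungoverned and bad:
        violations.append("ungoverned dependencies: " + ", ".join(bad))
    for name in require_attested:
        if tiers.get(name) != "ATTESTED":
            violations.append(f"{name} must carry an attestation")
    return violations
```

A non-empty list from `policy_gate` is what a CI step would turn into a failing exit code.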
One command, full visibility
Supply Chain Attestation scans your dependency tree and produces a complete YAML report showing how much of your supply chain is AI-generated, which tools were used, and which dependencies are high-risk.
Supply Chain Attestation
  Ecosystem: npm
  Dependencies: 847 total, 823 scanned
  AI Coverage: 127 dependencies (15.4%)
  Weighted AI Percentage: 28.3%
  Governance Distribution:
    ATTESTED: 12 dependencies
    SCANNED: 89 dependencies
    UNGOVERNED: 722 dependencies
    NO_ATTESTATION: 24 dependencies
  High Risk Dependencies: 3
    some-small-lib@2.0.0: 89% AI, ungoverned
    another-lib@1.2.3: 65% AI, ungoverned
    one-more@0.9.0: 72% AI, no attestation
  Report: .supply-chain-attestation.yaml

Eight Ecosystems at Launch
Every major package manager. All ready in v1.0.
npm: package-lock.json, yarn.lock
Python: poetry.lock, Pipfile.lock, requirements.txt
Rust: Cargo.lock, Cargo.toml
Go: go.sum, go.mod
Ruby: Gemfile.lock
Java: pom.xml, build.gradle
.NET: .csproj, packages.config
PHP: composer.lock, composer.json
SBOM Integration
Export your supply chain as CycloneDX 1.6 or SPDX 2.3 with AI properties embedded via standard extension mechanisms. Compatible with any SBOM consumer.
supply-check sbom --format cyclonedx

CI/CD Policy Gate
GitHub Action enforces your policy. Set maximum AI percentage, block ungoverned dependencies, require attestation for critical packages.
uses: korext/supply-chain-attestation/action@v1

Private Registry for Enterprises
Host your own registry for internal packages. Mirror the public registry for full coverage. Four storage backends. Docker, Kubernetes, and Docker Compose manifests included.
Read the Specification
The full specification is CC0 1.0 (public domain). Open standard, no restrictions.
View SPEC.md