A repository that aggregates release information from security and vulnerability-scanning tools, generates per-tool summary pages and comparison pages as HTML, and publishes them as feeds.
Updated weekly via GitHub Actions. Subscribe to the generated feeds with any RSS reader.
🌐 Live site: https://tmyymmt.github.io/sca-tools-feed/
This repository covers SCA (Software Composition Analysis) tools — also known as SBOM-based vulnerability management tools.
These tools scan the components that make up a system (OS packages, libraries, container images, etc.) to generate an SBOM (Software Bill of Materials), then match that SBOM against continuously updated CVE and other vulnerability databases to detect known vulnerabilities.
The following categories are out of scope:
- SAST (Static Application Security Testing): Tools that detect vulnerabilities by analyzing source code patterns (e.g., SonarQube, Semgrep). See also: https://github.com/tmyymmt/sast-tools-feed/
- DAST (Dynamic Application Security Testing): Tools that detect vulnerabilities by sending requests to a running system (e.g., OWASP ZAP). See also: https://github.com/tmyymmt/dast-tools-feed/
- SBOM generation/management only: Tools that do not perform CVE matching (e.g., microsoft/sbom-tool)
- Update feed files and render HTML pages (from Markdown sources) using one of the following methods:
- Run weekly via GitHub Actions (every Friday at UTC 22:00)
- Create an Issue, have Copilot create a PR, complete review, and merge to main
| Tool | Type | License |
|---|---|---|
| Trivy | OSS | Apache-2.0 |
| Grype | OSS | Apache-2.0 |
| Syft | OSS | Apache-2.0 |
| OSV-Scanner | OSS | Apache-2.0 |
| Dependency-Check | OSS | Apache-2.0 |
| Clair | OSS | Apache-2.0 |
| Vuls | OSS | GPL-3.0 |
| FutureVuls | Commercial | Proprietary |
| Yamory | Commercial | Proprietary |
| Format | URL |
|---|---|
| RSS 2.0 | https://tmyymmt.github.io/sca-tools-feed/feeds/all.rss |
| Atom 1.0 | https://tmyymmt.github.io/sca-tools-feed/feeds/all.atom |
| JSON Feed 1.1 | https://tmyymmt.github.io/sca-tools-feed/feeds/all.json |
Replace {tool_id} with: trivy, grype, syft, osv-scanner, dependency-check, clair, vuls, futurevuls, yamory
| Format | URL |
|---|---|
| RSS 2.0 | https://tmyymmt.github.io/sca-tools-feed/feeds/{tool_id}.rss |
| Atom 1.0 | https://tmyymmt.github.io/sca-tools-feed/feeds/{tool_id}.atom |
| JSON Feed 1.1 | https://tmyymmt.github.io/sca-tools-feed/feeds/{tool_id}.json |
- Comparison: English / Japanese
- Per-tool summaries:
https://tmyymmt.github.io/sca-tools-feed/{tool_id}.html
Releases are categorized for easy filtering:
| Category | Description |
|---|---|
feature |
Feature additions and changes |
bugfix |
Bug fixes |
security |
Security fixes and hotfixes |
pricing |
Pricing changes |
announcement |
Announcements, events, awards |
other |
Other |
.
├── scripts/ # Python scripts
│ ├── main.py # Entry point
│ ├── models.py # Data models
│ ├── categorize.py # Release categorization
│ ├── storage.py # JSON storage
│ ├── feed_generator.py # RSS/Atom/JSON Feed generation
│ ├── markdown_generator.py # HTML page generation
│ └── collectors/ # Data collectors per source
│ ├── github.py # GitHub Releases/API collector
│ ├── futurevuls.py # FutureVuls collector
│ └── yamory.py # Yamory collector
├── tools/
│ └── tools.yml # Tool configuration
├── data/ # Persisted release data (JSON)
├── public/ # Generated output (gitignored, deployed to GitHub Pages)
├── tests/ # Test suite
└── docs/ # Specifications
└── full-specs/ # Full specifications
├── spec.md # Full specification (English)
└── spec_ja.md # Full specification (Japanese)
- Create documentation in both Japanese and English
- English:
*.md, Japanese:*_ja.md
- English:
- Update the full specification when making functional changes
- AI-specific rules are defined in
.github/copilot-instructions.md
- Python 3.11 or higher
# Create and activate a virtual environment
python -m venv .venv
source .venv/bin/activate # Linux/macOS
# .venv\Scripts\activate # Windows
# Install dependencies
pip install -r requirements.txt
# Install development dependencies (for running tests only)
pip install -r requirements-dev.txtA GITHUB_TOKEN is required for the GitHub API.
export GITHUB_TOKEN=your_github_tokenpython -m scripts.mainThis updates HTML files under public/ and feed files under public/feeds/.
.github/workflows/update-feeds.yml runs automatically every Friday at UTC 22:00 (JST Saturday 07:00).
Go to the Actions tab in the GitHub repository → Update Feeds → Run workflow.
- Secrets:
GITHUB_TOKENis provided automatically by GitHub Actions — no additional setup needed. - Permissions:
contents: write(for data commits) andpages: write(for GitHub Pages deployment) are preconfigured. - GitHub Pages: In repository Settings → Pages, set Source to
GitHub Actions.
MIT License