Software supply chain security for Powernode: SBOM management, vulnerability scanning, container security, attestations, vendor risk, and license compliance — wired into the Powernode platform via the extension contract.
This repository is mounted into the platform as a submodule at extensions/supply-chain/. It can be developed independently — the platform consumes it via the standard extension contract.
- SBOM management — generate, store, and query software bill of materials for every module + container in the fleet
- Vulnerability scanning — identify CVEs across dependencies + container images, with severity scoring + exploitability context
- Container security — image signature verification, runtime policy enforcement, attestation cross-checks at attach time
- Attestations — cryptographic provenance records (SLSA, in-toto) generated at build + verified at install
- Vendor risk — third-party supplier risk scoring with configurable inputs
- License compliance — track + flag license obligations across dependencies; surface conflicts before they ship
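The attestation and attach-time behaviour described above can be made concrete with a small gate. The following is an added illustration, not Powernode code: it wraps an in-toto statement (SLSA v1 provenance) in a DSSE envelope at build time, verifies it at install, checks that the attested subject is the image being attached and that the builder is trusted, and then cross-checks the module's SBOM against a vulnerability feed, blocking on findings at or above a threshold and on anything flagged as exploited in the wild. The feed layout, the `known_exploited` flag, the policy names, the builder id, the package urls and the finding ids are all constructed for this example.

```ruby
# Added example (not Powernode code): attach-time gate combining DSSE/in-toto
# provenance verification with an SBOM-vs-feed cross-check. Feed schema,
# policy knobs, builder ids and all sample data below are assumptions.
require "openssl"
require "json"

IN_TOTO_TYPE = "application/vnd.in-toto+json"
SLSA_V1      = "https://slsa.dev/provenance/v1"
SEVERITY     = { "low" => 1, "medium" => 2, "high" => 3, "critical" => 4 }.freeze

# DSSE pre-authentication encoding. Signing this string rather than the raw
# payload binds the payload type and both lengths, so a signed payload cannot
# be re-labelled as another type or extended after signing.
def dsse_pae(payload_type, payload)
  "DSSEv1 #{payload_type.bytesize} #{payload_type} #{payload.bytesize} #{payload}"
end

# Strict base64 via pack/unpack, so the example needs no base64 gem.
def b64(bytes); [bytes].pack("m0"); end
def unb64(text); text.unpack1("m0"); end

# Build side: sign a statement under the build key, producing a DSSE envelope.
def sign_statement(signing_key, statement)
  body = JSON.generate(statement)
  sig  = signing_key.sign(OpenSSL::Digest.new("SHA256"), dsse_pae(IN_TOTO_TYPE, body))
  { "payloadType" => IN_TOTO_TYPE, "payload" => b64(body),
    "signatures"  => [{ "keyid" => "build-signer", "sig" => b64(sig) }] }
end

# Install side: return the parsed statement only if some signature verifies
# under the trusted public key; nil means "treat the module as unattested".
def verify_envelope(trusted_pubkey, envelope)
  body = unb64(envelope["payload"])
  pae  = dsse_pae(envelope["payloadType"], body)
  ok = envelope["signatures"].any? do |s|
    trusted_pubkey.verify(OpenSSL::Digest.new("SHA256"), unb64(s["sig"]), pae)
  end
  ok ? JSON.parse(body) : nil
end

# Attach-time decision: provenance must verify, name this image digest, be SLSA v1
# and come from a trusted builder; the SBOM must carry no finding at or above
# block_at and nothing flagged as known exploited. Returns { allow:, reasons: }.
def attach_decision(statement, image_digest, sbom, vuln_feed, trusted_builders:, block_at: "high")
  reasons = []
  if statement.nil?
    reasons << "attestation signature did not verify"
  else
    subjects = statement.fetch("subject", [])
    reasons << "attestation subject does not name sha256:#{image_digest}" unless subjects.any? { |s| s.dig("digest", "sha256") == image_digest }
    reasons << "unexpected predicateType #{statement["predicateType"].inspect}" unless statement["predicateType"] == SLSA_V1
    builder = statement.dig("predicate", "runDetails", "builder", "id")
    reasons << "untrusted builder #{builder.inspect}" unless trusted_builders.include?(builder)
  end
  by_purl = vuln_feed.group_by { |v| v["purl"] }
  sbom.fetch("components", []).each do |c|
    by_purl.fetch(c["purl"], []).each do |v|
      severe    = SEVERITY.fetch(v["severity"], 0) >= SEVERITY.fetch(block_at)
      exploited = v["known_exploited"] == true
      next unless severe || exploited
      tag = exploited ? "#{v["severity"]}, known exploited" : v["severity"]
      reasons << "#{v["id"]} (#{tag}) in #{c["purl"]}"
    end
  end
  { allow: reasons.empty?, reasons: reasons }
end

# Constructed sample data: fictitious packages, finding ids, builder and registry.
TRUSTED_BUILDERS = ["https://ci.example.invalid/builder/v1"].freeze
IMAGE_DIGEST     = OpenSSL::Digest::SHA256.hexdigest("sample module image bytes")
SAMPLE_FEED = [
  { "id" => "FINDING-0001", "purl" => "pkg:gem/widget-parser@1.2.3", "severity" => "high",   "known_exploited" => false },
  { "id" => "FINDING-0002", "purl" => "pkg:gem/imgcodec@0.9.1",      "severity" => "medium", "known_exploited" => true },
].freeze
CLEAN_SBOM = { "bomFormat" => "CycloneDX", "components" => [{ "purl" => "pkg:gem/widget-parser@1.2.4" }] }.freeze
VULN_SBOM  = { "bomFormat" => "CycloneDX", "components" => [{ "purl" => "pkg:gem/widget-parser@1.2.3" },
                                                            { "purl" => "pkg:gem/imgcodec@0.9.1" }] }.freeze

# Minimal in-toto Statement v1 carrying SLSA v1 provenance for one image digest.
def provenance_for(digest, builder_id)
  { "_type" => "https://in-toto.io/Statement/v1",
    "subject" => [{ "name" => "registry.example.invalid/mod", "digest" => { "sha256" => digest } }],
    "predicateType" => SLSA_V1,
    "predicate" => { "buildDefinition" => { "buildType" => "https://example.invalid/build/v1" },
                     "runDetails" => { "builder" => { "id" => builder_id } } } }
end

# Three attach attempts: a clean module, one with blocking findings, and an
# envelope whose payload was swapped after signing so the digest points elsewhere.
def demo
  key      = OpenSSL::PKey::RSA.new(2048) # build signing key; the verifier only ever holds key.public_key
  envelope = sign_statement(key, provenance_for(IMAGE_DIGEST, TRUSTED_BUILDERS.first))
  stmt     = verify_envelope(key.public_key, envelope)
  other    = "0" * 64
  swapped  = envelope.merge("payload" => b64(JSON.generate(provenance_for(other, TRUSTED_BUILDERS.first))))
  { clean:      attach_decision(stmt, IMAGE_DIGEST, CLEAN_SBOM, SAMPLE_FEED, trusted_builders: TRUSTED_BUILDERS),
    vulnerable: attach_decision(stmt, IMAGE_DIGEST, VULN_SBOM,  SAMPLE_FEED, trusted_builders: TRUSTED_BUILDERS),
    tampered:   attach_decision(verify_envelope(key.public_key, swapped), other, CLEAN_SBOM, SAMPLE_FEED,
                                trusted_builders: TRUSTED_BUILDERS) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the three decisions: the clean module is allowed, the vulnerable one is refused with one reason per blocking finding (the medium-severity finding is blocked only because of the exploited flag), and the swapped envelope fails signature verification and is refused before any SBOM check matters. Note that the SBOM cross-check still runs when the attestation is missing or invalid, so an operator sees every reason at once rather than fixing them one attach attempt at a time.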
A running Powernode platform installation. See the parent platform repo for installation instructions.
extensions/supply-chain/
├── server/ # Rails models, services, controllers, specs
├── frontend/ # React TypeScript surface
├── worker/ # Sidekiq job classes
└── docs/ # Extension documentation
MIT — see LICENSE. Code of Conduct: see CODE_OF_CONDUCT.md.
Text channels
- GitHub issues — nodealchemy/powernode-supply-chain/issues for bugs + feature requests
- X / Twitter — @nodealchemy for general updates and informal questions
- contact@nodealchemy.com — general inquiries
- support@nodealchemy.com — technical support
- sales@nodealchemy.com — commercial + enterprise-tier inquiries
- security@nodealchemy.com — security vulnerabilities; see SECURITY.md
- conduct@nodealchemy.com — Code of Conduct reports; see CODE_OF_CONDUCT.md
- Powernode platform — the parent platform that mounts this extension
- Powernode system extension — node lifecycle + module composition; consumes this extension's attestation + scan outputs at module-attach time