Add proof-of-commitment — behavioral supply chain risk scoring #106

Open

piiiico wants to merge 1 commit into sottlmarek:master from piiiico:add-proof-of-commitment

Conversation


@piiiico piiiico commented Jun 5, 2026

What this adds

proof-of-commitment (github.com/piiiico/proof-of-commitment) — behavioral risk scoring for npm, PyPI, Rust, and Go packages.

Added to Supply chain specific tools section.

Why it belongs here

Most supply chain tools focus on known CVEs or SBOM generation. proof-of-commitment surfaces a different class of risk: behavioral anomalies that appear before a vulnerability is catalogued.

Key signals it scores:

  • Single-publisher risk — 26 of the top 91 npm packages (>10M weekly downloads) have exactly 1 npm publisher. npm audit doesn't surface this.
  • Publisher churn — sudden ownership changes on high-download packages (as seen in the axios March 2026 attack)
  • Install-time script anomalies — postinstall scripts added after a long clean history
  • CI/CD provenance gaps — packages no longer published through trusted pipelines

Available as MCP server (no login required), CLI (npx proof-of-commitment), GitHub Action, and web UI at getcommit.dev.

Format

Follows the existing table format used in this section.
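To make the four signal classes in the description concrete, here is an added example (not code from the proof-of-commitment project or from the PR author) that computes them from an npm registry package document. The field names used (`maintainers`, `time`, `versions`, `_npmUser`, `scripts`, `dist.attestations`) follow the public npm registry document shape; the registry documents embedded below are constructed for this example, and the weights, the 365-day "clean history" threshold and the function names are my own assumptions, not the project's scoring model.

```python
"""Toy behavioral risk scorer over an npm registry package document.

Demonstrates four signals: single publisher, publisher churn, an install
hook appearing after a long clean history, and a provenance (attestation)
gap on the latest version. Weights and thresholds are illustrative only.
"""
from datetime import datetime

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _parse(ts):
    # Registry timestamps look like "2023-01-10T12:00:00.000Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def ordered_versions(doc):
    """Version strings sorted by publish time, using the registry 'time' map."""
    times = doc.get("time", {})
    return sorted((v for v in doc.get("versions", {}) if v in times),
                  key=lambda v: _parse(times[v]))


def score_package(doc, clean_days=365):
    """Return {'score': int, 'findings': [...]} for one registry document."""
    findings, score = [], 0

    # Signal 1: exactly one maintainer can publish (bus-factor / takeover risk).
    if len(doc.get("maintainers", [])) == 1:
        findings.append("single-publisher")
        score += 2

    versions = ordered_versions(doc)
    if not versions:
        return {"score": score, "findings": findings}
    vdocs, times = doc["versions"], doc["time"]

    # Signal 2: the latest version was published by an account never seen before.
    publishers = [vdocs[v].get("_npmUser", {}).get("name") for v in versions]
    if len(versions) > 1 and publishers[-1] and publishers[-1] not in publishers[:-1]:
        findings.append("publisher-churn")
        score += 3

    # Signal 3: first install hook appears only after >= clean_days of hook-free history.
    first_hook = next((i for i, v in enumerate(versions)
                       if any(h in vdocs[v].get("scripts", {}) for h in INSTALL_HOOKS)), None)
    if first_hook is not None and first_hook > 0:
        clean_span = _parse(times[versions[first_hook]]) - _parse(times[versions[0]])
        if clean_span.days >= clean_days:
            findings.append("late-install-hook")
            score += 3

    # Signal 4: earlier versions carried provenance attestations, the latest does not.
    attested = [bool(vdocs[v].get("dist", {}).get("attestations")) for v in versions]
    if any(attested[:-1]) and not attested[-1]:
        findings.append("provenance-gap")
        score += 2

    return {"score": score, "findings": findings}


# Constructed sample: a package that trips all four signals.
SUSPICIOUS_DOC = {
    "name": "example-pkg",
    "maintainers": [{"name": "mallory"}],
    "time": {"1.0.0": "2023-01-10T12:00:00.000Z",
             "1.1.0": "2023-06-01T12:00:00.000Z",
             "1.2.0": "2024-09-15T12:00:00.000Z"},
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"},
                  "dist": {"attestations": {"url": "https://example.invalid/att/1"}}},
        "1.1.0": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"},
                  "dist": {"attestations": {"url": "https://example.invalid/att/2"}}},
        "1.2.0": {"_npmUser": {"name": "mallory"},
                  "scripts": {"test": "jest", "postinstall": "node setup.js"},
                  "dist": {}},
    },
}

# Constructed sample: two maintainers, stable publisher, no hooks, always attested.
CLEAN_DOC = {
    "name": "example-clean",
    "maintainers": [{"name": "alice"}, {"name": "bob"}],
    "time": {"1.0.0": "2023-01-10T12:00:00.000Z", "1.1.0": "2024-01-10T12:00:00.000Z"},
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}, "dist": {"attestations": {"url": "x"}}},
        "1.1.0": {"_npmUser": {"name": "alice"}, "dist": {"attestations": {"url": "y"}}},
    },
}

if __name__ == "__main__":
    for doc in (SUSPICIOUS_DOC, CLEAN_DOC):
        print(doc["name"], score_package(doc))
```

The scorer only reads registry metadata, so it can run against a document fetched from the registry or from a local mirror; the point is that none of these four checks needs a CVE database, which is the gap the description says the tool targets.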
