Training material and hands-on workshop modules for securing the software supply chain of Java applications using industry-standard tools.
Defensibility
stars: 6
forks: 11
This project is a pedagogical resource rather than a software product. With only 6 stars and 11 forks after nearly two years, it lacks meaningful organic adoption and functions primarily as a static guide for specific workshop sessions. The defensibility is low (2) because the value lies in the curation of existing tools (Syft, Grype, Cosign) rather than in novel code or unique datasets. It faces high 'obsolescence risk' from the rapid evolution of the security landscape: as tools like GitHub Advanced Security and Snyk integrate these features natively into the developer workflow, the need for external training repos diminishes. There is no moat here; anyone with knowledge of SLSA (Supply-chain Levels for Software Artifacts) could reproduce this syllabus in hours. Competitive threats include official documentation from tool vendors and large-scale educational platforms like Baeldung or Pluralsight, which offer similar, more frequently updated content.
TECH STACK
INTEGRATION: reference_implementation
READINESS