Curated index and reference guide for software supply chain security resources, tools, and best practices
Stars: 354
Forks: 46
This is a curated list ('awesome' format) rather than a tool, library, or novel framework. It aggregates existing resources in software supply chain security—a well-established domain with tooling from major vendors (Google, GitHub, CISA, Sigstore, etc.). The project has moderate adoption (354 stars) and a 4-year lifespan, indicating it serves as a useful reference for practitioners, but it lacks defensible differentiation: curated lists are trivially forked, remixed, or superseded by more focused tools or platform-native documentation. Velocity is 0, suggesting stalled maintenance—a key vulnerability for reference material that requires periodic updates as the supply chain security landscape evolves. Frontier labs have no incentive to compete with this; if anything, they'll consume and link to it. The defensibility floor is higher than a dead repo (hence 4 vs. 1-2), but the lack of implementation, novel methodology, or unique aggregation logic keeps it firmly in the 'working but commoditized reference' tier. Real defensibility would come from tooling that enforces these practices, not from listing them.
TECH STACK
INTEGRATION: reference_implementation
READINESS