i've been setting up supply chain security for my project kftray. mainly the release workflow (https://github.com/hcavarsan/kftray/blob/main/.github/workfl...) is generating CycloneDX SBOMs with Syft, scanning for vulns with Grype, signing everything with Cosign, and using OpenVEX to suppress false positives
i wanted a simple way to expose an overview of all this without spinning up Dependency-Track or similar.
so i built this (public) page that reads directly from GitHub release assets and shows components, vulnerabilities by severity, and also aggregates OpenSSF Scorecard and best practices into a summary card (https://sbom.kftray.app). basically simple React/Bun code
source code isn't public yet… if there's interest i'd be happy to open source it…
would love feedback on the approach.
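As an added example (not kftray's own code, whose source isn't public), here is the core of what such a page has to do with the three release assets: take the CycloneDX SBOM, the Grype JSON report and the OpenVEX document, hide only those findings for which a `not_affected` statement matches both the vulnerability and the product purl, and count the rest by severity. The inputs are constructed samples using the minimal fields of those formats, and the CVE ids are placeholders.

```javascript
// Constructed sample inputs (not real kftray release assets), using the
// minimal fields of the CycloneDX JSON, Grype JSON and OpenVEX formats.
const sbom = {
  bomFormat: "CycloneDX",
  components: [
    { name: "tokio", version: "1.35.0", purl: "pkg:cargo/tokio@1.35.0" },
    { name: "openssl", version: "0.10.55", purl: "pkg:cargo/openssl@0.10.55" },
  ],
};
const grypeReport = {
  matches: [
    { vulnerability: { id: "CVE-EXAMPLE-0001", severity: "High" },
      artifact: { purl: "pkg:cargo/openssl@0.10.55" } },
    { vulnerability: { id: "CVE-EXAMPLE-0002", severity: "Medium" },
      artifact: { purl: "pkg:cargo/tokio@1.35.0" } },
    { vulnerability: { id: "CVE-EXAMPLE-0003", severity: "Low" },
      artifact: { purl: "pkg:cargo/tokio@1.35.0" } },
  ],
};
const vex = {
  "@context": "https://openvex.dev/ns/v0.2.0",
  statements: [
    { vulnerability: { name: "CVE-EXAMPLE-0002" },
      products: [{ "@id": "pkg:cargo/tokio@1.35.0" }],
      status: "not_affected",
      justification: "vulnerable_code_not_in_execute_path" },
  ],
};

// A finding is hidden only when a statement matches BOTH the vulnerability
// and the affected product (purl); a bare "not_affected" for the CVE is not enough.
function isSuppressed(vex, vulnId, purl) {
  return (vex.statements || []).some(
    (s) => s.vulnerability?.name === vulnId && s.status === "not_affected" &&
      (s.products || []).some((p) => p["@id"] === purl),
  );
}

// Counts unsuppressed Grype matches by severity, the way the summary card would.
function summarize(sbom, grypeReport, vex) {
  const bySeverity = { Critical: 0, High: 0, Medium: 0, Low: 0, Negligible: 0, Unknown: 0 };
  const suppressed = [];
  for (const m of grypeReport.matches || []) {
    const { id, severity } = m.vulnerability;
    if (isSuppressed(vex, id, m.artifact.purl)) { suppressed.push(id); continue; }
    bySeverity[severity in bySeverity ? severity : "Unknown"] += 1;
  }
  return { components: (sbom.components || []).length, bySeverity, suppressed };
}
```

Keeping the suppressed ids in the result (rather than dropping them) lets the page show what the VEX document hid, so a reviewer can check the justification instead of trusting the count.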