
Add proof-of-commitment — behavioral supply chain risk scoring #106

Open

piiiico wants to merge 1 commit into sottlmarek:master from piiiico:add-proof-of-commitment


Conversation

piiiico commented Jun 5, 2026

What this adds

proof-of-commitment (github.com/piiiico/proof-of-commitment) — behavioral risk scoring for npm, PyPI, Rust, and Go packages.

Added to Supply chain specific tools section.

Why it belongs here

Most supply chain tools focus on known CVEs or SBOM generation. proof-of-commitment surfaces a different class of risk: behavioral anomalies that appear before a vulnerability is catalogued.

Key signals it scores:

  • Single-publisher risk — 26 of the top 91 npm packages (>10M weekly downloads) have exactly 1 npm publisher. npm audit doesn't surface this.
  • Publisher churn — sudden ownership changes on high-download packages (as seen in the axios March 2026 attack)
  • Install-time script anomalies — postinstall scripts added after a long clean history
  • CI/CD provenance gaps — packages no longer published through trusted pipelines

Available as MCP server (no login required), CLI (npx proof-of-commitment), GitHub Action, and web UI at getcommit.dev.

Format

Follows the existing table format used in this section.
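As an added example (not proof-of-commitment's own code), the four signals listed above computed over registry metadata laid out like an npm packument; the field names (`maintainers`, `_npmUser`, `scripts`, `dist.attestations`), the assumption that versions iterate in publish order, and the severity thresholds are assumptions, and the sample input is constructed.

```python
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def single_publisher(pkg: dict) -> bool:
    """One account holds publish rights: a single stolen token owns the package."""
    return len(pkg.get("maintainers", [])) == 1

def publisher_churn(pkg: dict) -> list:
    """Versions published by a different account than the previous version."""
    users = [(v, m.get("_npmUser", {}).get("name")) for v, m in pkg["versions"].items()]
    return [cur[0] for prev, cur in zip(users, users[1:]) if prev[1] != cur[1]]

def new_install_scripts(pkg: dict) -> list:
    """Install hooks that appear only after a history of hook-free releases."""
    seen_clean, flagged = False, []
    for v, meta in pkg["versions"].items():
        hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
        if hooks and seen_clean:
            flagged.append((v, hooks))
        seen_clean = seen_clean or not hooks
    return flagged

def provenance_gap(pkg: dict) -> bool:
    """Latest release lacks the provenance attestation earlier releases carried."""
    attested = [bool(m.get("dist", {}).get("attestations")) for m in pkg["versions"].values()]
    return any(attested) and not attested[-1]

def score(pkg: dict) -> tuple:
    signals = {"single_publisher": single_publisher(pkg),
               "publisher_churn": publisher_churn(pkg),
               "install_scripts": new_install_scripts(pkg),
               "provenance_gap": provenance_gap(pkg)}
    hits = sum(1 for s in signals.values() if s)
    # Thresholds are an assumption for illustration, not the tool's own scale.
    level = {0: "LOW", 1: "MEDIUM", 2: "HIGH"}.get(hits, "CRITICAL")
    return level, signals

# Constructed sample in packument shape (not real registry data): sole maintainer,
# a publisher change at 1.1.1, a new postinstall hook, and a dropped attestation.
SAMPLE = {
    "maintainers": [{"name": "alice"}],
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"},
                  "dist": {"attestations": {"url": "https://example.invalid/att"}}},
        "1.1.0": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"},
                  "dist": {"attestations": {"url": "https://example.invalid/att"}}},
        "1.1.1": {"_npmUser": {"name": "bob"},
                  "scripts": {"test": "jest", "postinstall": "node setup.js"},
                  "dist": {}},
    },
}
```

Running `score(SAMPLE)` returns `("CRITICAL", {...})` because all four signals fire on the sample.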

sottlmarek (Owner) commented

Do you have any open source repo to share?

piiiico (Author) commented Jun 29, 2026

Yeah, that's the repo the PR points to: https://github.com/piiiico/proof-of-commitment (MIT).

What it does: scores npm / PyPI / Cargo / Go packages on behavioral risk instead of CVEs — sole-publisher concentration, publisher churn, install scripts, provenance. That's the concentration risk npm audit never surfaces. You can check it in 5 seconds, no install:

npx proof-of-commitment axios zod chalk

It flags axios, zod and chalk as CRITICAL — each has a single npm publisher behind 100M+ weekly downloads (axios's publish token was actually stolen in March 2026). There's also a GitHub Action (action.yml) to gate PRs and an MCP server for agent tooling.

Glad to reword the listing line if you'd phrase it differently for the supply-chain section.
