Secure Open Source Supply Chains Through Reproducible Builds

OSS Rebuild validates the integrity of software packages by rebuilding them from source and comparing the result against the published artifact. A mismatch is evidence that the artifact is not what its source produces, which is how supply chain attacks on the publishing path show up, and a match builds verifiable trust in open source.

# Install the CLI
$ go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
# Get attestations for a package
$ oss-rebuild get pypi absl-py 2.0.0
# View the Dockerfile used for the rebuild
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile
# Run the rebuild locally: the Dockerfile is piped to buildx on stdin, -q prints only the image ID, and docker run starts it
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile | docker run $(docker buildx build -q -)

Key Features

🔍

Supply Chain Verification

Detect discrepancies between a published artifact and what its source code actually builds, helping identify a potential compromise of the build or publishing path before the artifact reaches your systems.

🛡️

Cryptographic Attestations

Generate and verify cryptographically signed attestations that provide evidence of build reproducibility.

🔄

Automated Rebuilding

Continuously rebuild popular packages so that a published artifact that stops matching its source is detected, not only at release time but throughout the package's lifecycle.

📊

Ecosystem Analytics

Gain insights into ecosystem health, package reproducibility rates, and common build issues.

🌐

Cross-Ecosystem Support

Uniform approach across multiple package ecosystems including NPM, PyPI, and Crates.io.

🧩

Integration-Ready

Designed to integrate with CI/CD pipelines and policy enforcement systems.

Supported Ecosystems

NPM, PyPI, and Crates.io.

How It Works

Source Analysis

Analysis of package registry metadata to identify the source repository, the source revision corresponding to the published version, and the build parameters needed to reproduce it.

Containerized Rebuild

Secure, isolated rebuilding of packages from source in reproducible container environments, so that the result depends only on the identified source and build parameters.

Artifact Comparison

Normalization of both the rebuilt and the original artifact, to remove non-semantic differences such as timestamps or archive entry order, followed by comparison to detect any remaining difference in content.

Attestation

Generation of cryptographically signed attestations for successful rebuilds, recording the inputs used and the artifact digests so that consumers can verify the result independently.
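The Artifact Comparison step above, as an added example that is not OSS Rebuild's own code: two zip archives with identical member contents but different entry order, timestamps and permission bits (constructed inline as sample data) are hashed raw, then normalized and hashed again, and a third archive with one modified member stands in for a tampered artifact. The normalization rules used here (sort entries, fixed timestamp, fixed mode, no compression) are this example's assumptions, not the service's own stabilization logic.

```python
"""Normalize-then-compare for zip-based artifacts (added example, stdlib only)."""
import hashlib
import io
import json
import zipfile

# Normalization constants (assumed for this example).
EPOCH = (1980, 1, 1, 0, 0, 0)   # earliest timestamp the zip format allows
FIXED_MODE = 0o644 << 16        # external_attr keeps the unix mode in its high 16 bits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_zip(entries, mtime, mode) -> bytes:
    """Build a zip in memory from (name, content) pairs, preserving the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.external_attr = mode << 16
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


def normalize_zip(data: bytes) -> bytes:
    """Rewrite a zip so that only member names and contents influence its bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):                # entry order no longer matters
            info = zipfile.ZipInfo(name, date_time=EPOCH)  # timestamps dropped
            info.external_attr = FIXED_MODE                # permission bits dropped
            info.compress_type = zipfile.ZIP_STORED        # compressor choice dropped
            dst.writestr(info, src.read(name))             # member content kept verbatim
    return out.getvalue()


def compare(upstream: bytes, rebuilt: bytes) -> dict:
    """Digest both artifacts before and after normalization and report equivalence."""
    up_norm, rb_norm = normalize_zip(upstream), normalize_zip(rebuilt)
    return {
        "upstream_sha256": sha256(upstream),
        "rebuilt_sha256": sha256(rebuilt),
        "upstream_normalized_sha256": sha256(up_norm),
        "rebuilt_normalized_sha256": sha256(rb_norm),
        "bit_for_bit_match": upstream == rebuilt,
        "equivalent_after_normalization": up_norm == rb_norm,
    }


def sample_artifacts():
    """Constructed sample data: an 'upstream' wheel-like zip, a clean rebuild, a tampered one."""
    files = [
        ("pkg/__init__.py", b"from .core import run\n"),
        ("pkg/core.py", b"def run():\n    return 'ok'\n"),
        ("pkg-1.0.dist-info/METADATA", b"Name: pkg\nVersion: 1.0\n"),
    ]
    upstream = make_zip(files, mtime=(2024, 3, 5, 12, 0, 0), mode=0o644)
    # Same content, but written in reverse order under a different clock and umask.
    rebuilt = make_zip(list(reversed(files)), mtime=(2025, 1, 1, 0, 0, 0), mode=0o755)
    # One member's content changed: normalization must not hide this.
    tampered_files = [(n, c.replace(b"'ok'", b"'tampered'")) for n, c in files]
    tampered = make_zip(list(reversed(tampered_files)), mtime=(2025, 1, 1, 0, 0, 0), mode=0o755)
    return upstream, rebuilt, tampered


if __name__ == "__main__":
    upstream, rebuilt, tampered = sample_artifacts()
    print(json.dumps({"clean_rebuild": compare(upstream, rebuilt),
                      "tampered_rebuild": compare(upstream, tampered)}, indent=2))
```

A bit-for-bit match is the strongest outcome; the normalized comparison is what makes rebuilds practical across toolchains and clocks. The normalization rules are themselves part of the trusted computing base: any rule that discards bytes could also discard a payload, so they should touch metadata only (ordering, timestamps, modes) and never member contents, which is why the example's `normalize_zip` copies each member verbatim.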

Ready to Secure Your Supply Chain?

Start validating your dependencies today with OSS Rebuild.
