{"id":73333,"title":"🌌 Xeol - Modern platform for software supply chain security","tagline":"Cut through the noise, identify and remediate risks, then enforce security policies","body":"![uploaded image](/media/?type=post\u0026id=73333\u0026key=user_uploads/1279127/210f8a5b-d0c2-4f78-a504-dea9eb6669ca)\n\n### TLDR\n\n\u003e Fortune 500 companies use Xeol to connect all their software dependencies into a contextual graph to ask questions like “am I affected by vulnerability X?” and enforce policies like “ensure all my docker images were signed by me?”\n\n![uploaded image](/media/?type=post\u0026id=73333\u0026key=user_uploads/1279127/040b5865-0ba9-42f6-a893-bbf3f0eb3222)\n\nWe first met 6 years ago as early engineers at **Ada** leading backend, cloud infrastructure, and security. Right before founding Xeol:\n\n* **Benji** was a Sr DevOps Engineer at **Datadog** leading its service catalog project with a near decade career in DevOps\n* **ShiHan** was the Director of Engineering helping build 2 startups from early stage to 🦄\n\nWe have been in the startup world for many years and are now on our own journey to help AppSec engineers quickly identify, remediate, and enforce security risks.\n\n### Problem. A New Attack Vector\n\nAsk anyone on the street to plug in a random USB drive and they will scoff. They know it’s unsafe! But developers do this every day when they use open-source packages as part of their software supply chain. 
The typical npm package has **86 dependencies**, and with supply chain attacks up **600%** over the past year alone, this attack vector is widening.\n\nWhat’s not working?\n\n* **Too much noise:** tools that show all possible CVEs without contextual runtime information make prioritization near impossible, leading to alert fatigue\n* **Attacks are more common:** generative AI enables malicious actors to easily launch attacks\n* **Huge attack surface:** many actors involved including OSS maintainers and their code, CI/CD systems, container orchestrators, and in-house developers\n\n### Solution. Complete Ontological Visibility\n\n![uploaded image](/media/?type=post\u0026id=73333\u0026key=user_uploads/1279127/a7017029-25ff-45a2-b114-6386d949057d)\n\nXeol is an **agentless** solution that scans your software artifacts at **build** and **runtime**, then creates a **contextual graph** of your software supply chain. This contextual graph allows AppSec engineers to:\n\n**answer** questions like\n\n* Where am I using package X?\n* Which software is end-of-life?\n* Which packages are missing SLSA attestations?\n* Which software artifacts are produced from repo X?\n\n**enforce** policies like\n\n* Ensure all Docker images were built by my org from our CI pipeline\n* Prevent software X, which is end-of-life, from being packaged in our Docker images\n* Ensure all packages meet a minimum [OSSF](https://openssf.org/) score\n* Prevent any dependencies using a GPL license\n\n### Our Ask\n\n**See** Xeol’s graph capabilities in action [here](https://dashboard.xeol.io/demo)\n\n**Try** our open-source CLI [tool](https://github.com/xeol-io/xeol) to scan for end-of-life software\n\n**Follow** us on [LinkedIn](https://www.linkedin.com/company/xeol), [GitHub](https://github.com/xeol-io), or [Twitter](https://twitter.com/xeol_io) to get the latest 
updates","slug":"J4n-xeol-modern-platform-for-software-supply-chain-security","created_at":"2023-07-24T02:01:24.497Z","updated_at":"2026-05-25T01:59:26.660Z","total_vote_count":45,"url":"https://www.ycombinator.com/launches/J4n-xeol-modern-platform-for-software-supply-chain-security","share_image_url":"//bookface-static.ycombinator.com/assets/ycdc/yc-og-image-c440a0ad1dacfb86eeeb343717479cc54d256614449b4ef719977a0a451f8bc8.png","company":{"id":28778,"name":"Xeol","slug":"xeol","url":"https://www.xeol.io/","logo":"https://bookface-images.s3.amazonaws.com/small_logos/3d8557d5066f2f1e94f1be8ddc427697b79cc8d1.png","batch":"Summer 2023","industry":"B2B","tags":["Artificial Intelligence","Security","Cybersecurity"],"search_path":"https://bookface.ycombinator.com/company/28778"}}