The Trivy repo was wiped/emptied as part of an attack, and users had to manually verify binary integrity and check cosign signatures. Teams have no automated way to know when upstream artifacts they depend on have been tampered with.
A service that continuously monitors the integrity of binaries, container images, and release artifacts for your declared dependencies. Snapshots signatures, checksums, and repo state — alerts instantly when something changes unexpectedly (repo emptied, unsigned binary pushed, signature mismatch). Integrates with Cosign, Sigstore, SLSA provenance.
The pain is real but episodic. When incidents like the Trivy repo wipe or xz-utils backdoor happen, everyone panics. But between incidents, supply chain integrity is rarely top-of-mind for most teams — it's a 'fire insurance' problem. Security teams care deeply, but engineering teams view it as overhead. The 66 upvotes with 9 comments suggest moderate engagement — people agree it's a problem but aren't desperately searching for solutions daily.
The broader supply chain security market is large ($2B+), but the specific niche of 'artifact integrity monitoring' is narrow. Your ICP (security-conscious mid-to-large companies) is well-defined but not massive. Estimated TAM for this specific tool: ~$200-500M if you expand scope. The $49-199/mo price point means you need thousands of paying teams to build a meaningful business. Most large enterprises will want this bundled into their existing security platform, not as a standalone tool.
This is the weakest link. Security teams have budgets, but $49-199/mo for monitoring feels like it should be a feature of existing tools (Snyk, Chainguard, etc.), not a standalone product. Many teams will cobble together cosign verify + cron jobs + Slack webhooks for free. Enterprise buyers ($10k+/year) exist but have long sales cycles and want comprehensive platforms, not point solutions. The Reddit thread shows awareness but no 'shut up and take my money' energy.
A solo dev can absolutely build an MVP in 4-8 weeks. Core loop: periodically fetch release artifacts/container manifests, compute checksums, verify Cosign signatures, diff against stored snapshots, alert on changes. The Sigstore/Cosign ecosystem has good tooling. Container registry APIs are well-documented. Main complexity: supporting diverse artifact sources (GitHub Releases, Docker Hub, Quay, OCI registries, language-specific registries). Scaling to thousands of monitored artifacts requires some infrastructure but nothing exotic.
This is the strongest signal. No existing tool does exactly this — continuous integrity monitoring of arbitrary upstream artifacts with signature/checksum drift detection. Socket.dev and Phylum focus on package code analysis. Snyk focuses on CVEs. Chainguard focuses on their own images and admission control. Nobody is monitoring 'did the Trivy repo just get wiped?' or 'did this binary's signature change unexpectedly?' The gap is clear and defensible in the short term.
Textbook subscription model. Continuous monitoring is inherently recurring — you can't just check once. As teams add more dependencies, they monitor more artifacts (natural expansion revenue). Usage grows with the customer's infrastructure. Very low churn risk once integrated into security workflows because removing monitoring is a visible risk. Net revenue retention could be strong.
- +Clear, defensible gap — nobody does continuous artifact integrity monitoring today
- +Narrative tailwind from high-profile supply chain attacks (xz-utils, Trivy, SolarWinds) and regulatory pressure (SBOM mandates, EU CRA)
- +Technically feasible MVP with existing open-source tooling (Cosign, Sigstore, SLSA)
- +Strong recurring/subscription dynamics — monitoring can't be a one-time purchase
- +Wedge into larger supply chain security platform play over time
- !"Feature, not a product" risk: Snyk, Chainguard, Wiz, or Datadog could add this as a feature in weeks, instantly commoditizing you
- !Willingness-to-pay ceiling: $49-199/mo may be too low for enterprise sales effort but too high for self-serve adoption when DIY alternatives exist
- !Episodic demand: Interest spikes after incidents but dies down — hard to sustain urgency for sales pipeline
- !Long enterprise sales cycles: Your ICP (mid-to-large security teams) takes 3-6 months to buy, which kills runway for a bootstrapped founder
- !Open-source risk: Someone could build an open-source version of this (cron + cosign verify + alerting) that's 'good enough' for most teams
Detects supply chain attacks in open-source dependencies by analyzing package behavior changes, typosquatting, and malicious code patterns across npm, PyPI, and Go ecosystems.
Vulnerability scanning for container images and open-source dependencies with CI/CD integration and continuous monitoring.
Provides hardened container base images.
Automated software supply chain risk analysis that detects malicious packages, author changes, and suspicious behaviors in open-source dependencies.
Google's deps.dev provides dependency metadata and OpenSSF Scorecard scores open-source projects on security practices including signing, branch protection, and CI security.
A CLI tool + hosted dashboard that takes a YAML config file listing your monitored artifacts (container images, GitHub releases, binary URLs). Every 5 minutes, it fetches manifests, verifies Cosign signatures, computes checksums, and diffs against stored snapshots. Alerts via Slack/PagerDuty/webhook when: (1) a signature is missing or changed, (2) a checksum doesn't match, (3) a GitHub repo/release is emptied or deleted, (4) SLSA provenance is absent or invalid. Start with GitHub Releases + Docker Hub/GHCR only. Ship a GitHub Action for CI-time verification as the free tier hook.
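As an added illustration (not the product's or any vendor's code), here is the snapshot-diff core of the 5-minute loop described above in Python: fetching manifests and running cosign are stubbed with constructed observations, and artifacts are assumed to be pinned to a fixed tag or release so that any digest change is unexpected.

```python
# Added example: snapshot-diff core of the monitor sketched above. Not the
# product's code; fetch/cosign calls are replaced by constructed observations.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Snapshot:
    """One observation of a pinned artifact (image tag or release asset)."""
    digest: Optional[str]    # sha256 of manifest/asset; None when the asset is gone
    signer: Optional[str]    # identity cosign verified; None when unsigned/invalid
    asset_count: int         # release assets or tags seen; 0 means emptied
    provenance_ok: bool      # SLSA provenance attestation present and valid

def diff_snapshots(name: str, prev: Optional[Snapshot], cur: Snapshot) -> list:
    """Return alert strings for the four conditions the MVP alerts on."""
    alerts = []
    # (3) repo/release emptied or deleted since the last snapshot
    if cur.asset_count == 0:
        if prev is None or prev.asset_count > 0:
            alerts.append(f"{name}: release/repo emptied or deleted")
        return alerts            # nothing left to verify
    # (1) signature missing, or signer identity changed between snapshots
    if cur.signer is None:
        alerts.append(f"{name}: no valid Cosign signature")
    elif prev is not None and prev.signer is not None and cur.signer != prev.signer:
        alerts.append(f"{name}: signer changed {prev.signer} -> {cur.signer}")
    # (2) checksum drift: a pinned artifact must never change digest
    if prev is not None and prev.digest != cur.digest:
        alerts.append(f"{name}: digest changed {prev.digest} -> {cur.digest}")
    # (4) SLSA provenance absent or invalid
    if not cur.provenance_ok:
        alerts.append(f"{name}: SLSA provenance absent or invalid")
    return alerts

def run_cycle(stored: dict, observed: dict) -> dict:
    """One polling cycle: diff every monitored artifact, return {name: alerts}."""
    findings = {}
    for name, cur in observed.items():
        alerts = diff_snapshots(name, stored.get(name), cur)
        if alerts:
            findings[name] = alerts
    return findings

# Constructed sample data standing in for fetched manifests and cosign output.
STORED = {
    "example.org/acme/scanner:1.2.3": Snapshot("sha256:aaa", "ci@acme.example", 3, True),
    "github:acme/scanner@v1.2.3":     Snapshot("sha256:bbb", "ci@acme.example", 3, True),
}
OBSERVED = {
    "example.org/acme/scanner:1.2.3": Snapshot("sha256:ccc", None, 3, False),  # tampered
    "github:acme/scanner@v1.2.3":     Snapshot(None, None, 0, False),          # wiped
}
```

In a real deployment `OBSERVED` would be built from registry manifest digests and `cosign verify` output, and the stored snapshot replaced only after a human acknowledges a legitimate change.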
Free open-source CLI for local verification (builds community + credibility) -> Hosted SaaS at $49/mo for continuous monitoring + alerting (self-serve, targets small security-conscious teams) -> $199/mo for teams with SBOM integration and compliance reporting -> Enterprise tier at $500-2000/mo with SSO, audit logs, SLA, and on-prem agent option -> Long-term: pivot to broader supply chain security platform or get acquired by Snyk/Wiz/Datadog
8-12 weeks to first dollar. Weeks 1-4: build MVP (CLI + basic hosted monitoring for GitHub Releases + Docker images). Weeks 5-6: launch on Hacker News, Reddit r/devops and r/netsec, DevSecOps Slack communities. Weeks 7-12: convert early adopters to paid. Caveat: enterprise revenue ($10k+ deals) will take 6-12 months. First revenue will likely be $49/mo self-serve plans from small security-focused teams.
- “Verify the integrity of your Trivy binaries if installed at the end of February”
- “verify Cosign signatures”
- “trivy repo was empty”
- “Keep Checkov or Grype as a fallback”