
Appendix A — Tool landscape

Status: placeholder. Ships in v1.0.0.

A side-by-side comparison of tools that enforce or detect the supply-chain hardening patterns covered in this guide. For each tool the table will record: ecosystems supported, advisory (report-only) vs blocking (fail-the-build) mode, SARIF emission (so findings can be uploaded to code-scanning dashboards), whether remote validation is opt-in, license, and “best for” notes. deterministic-deps is featured because its maintainers wrote this guide; the alternatives are described on their merits.

Planned coverage: deterministic-deps, pin-github-action, StepSecurity Harden-Runner, Renovate (SHA mode), OpenSSF Scorecard (pinned-dependencies check).
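To make the comparison columns concrete, here is an added illustration (not code from deterministic-deps or any of the tools listed above) of the pattern the pinned-dependencies check enforces: every `uses:` reference in a GitHub Actions workflow must point at a full 40-hex commit SHA (or a `sha256` digest for `docker://` images), not a mutable tag or branch. It shows what "advisory vs blocking mode" and "SARIF emission" mean in practice. The tool name, rule id, sample workflow and its commit SHA are all constructed for the example; remote validation (resolving a tag against the upstream repository over the network) is deliberately not shown.

```python
"""Hypothetical unpinned-`uses:` checker (example code, not any project's own).

find_unpinned() scans a workflow for `uses:` lines whose ref is not a full commit
SHA; run() wraps it with an advisory/blocking exit code and a SARIF 2.1.0 report.
"""
import json
import re

RULE_ID = "ACTIONS_UNPINNED_USES"          # constructed rule id
TOOL_NAME = "unpinned-uses-check"          # constructed tool name

# Matches `uses: <target>` (with or without a leading list dash); `#` starts a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return [(line_no, target)] for every `uses:` that is not pinned.

    Rules: local actions (./path) are skipped; docker:// refs must carry a
    sha256 digest; everything else (actions and reusable workflows) must end
    in @<40-hex-sha>. A missing @ref counts as unpinned.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("\"'")
        if target.startswith("./"):
            continue
        if target.startswith("docker://"):
            if "@sha256:" not in target:
                findings.append((line_no, target))
            continue
        _, _, ref = target.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, target))
    return findings


def to_sarif(findings, uri, level):
    """Build a minimal SARIF 2.1.0 log; `level` is "warning" or "error"."""
    results = [
        {
            "ruleId": RULE_ID,
            "level": level,
            "message": {"text": f"`{target}` is not pinned to a full commit SHA"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": uri},
                    "region": {"startLine": line_no},
                }
            }],
        }
        for line_no, target in findings
    ]
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": TOOL_NAME, "rules": [{
                "id": RULE_ID,
                "shortDescription": {"text": "GitHub Actions `uses:` not pinned to a commit SHA"},
            }]}},
            "results": results,
        }],
    }


def run(workflow_text, uri, mode="advisory"):
    """Return (exit_code, sarif_dict).

    advisory: always exit 0, findings reported as warnings.
    blocking: exit 1 when anything is unpinned, findings reported as errors.
    """
    findings = find_unpinned(workflow_text)
    level = "error" if mode == "blocking" else "warning"
    exit_code = 1 if (mode == "blocking" and findings) else 0
    return exit_code, to_sarif(findings, uri, level)


# Constructed sample workflow: one SHA-pinned action, one tag-pinned action,
# one local action, one undigested docker image. The SHA is illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
"""

if __name__ == "__main__":
    code, sarif = run(SAMPLE_WORKFLOW, ".github/workflows/ci.yml", mode="blocking")
    print(json.dumps(sarif, indent=2))
    raise SystemExit(code)
```

In advisory mode the same report is produced but the process exits 0, which is how a tool can be introduced into an existing pipeline before it is allowed to fail builds. The SARIF output is shaped for upload to a code-scanning dashboard; the regex-based parse is enough for this example but a production checker should walk the parsed YAML rather than match lines.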