---
myst:
html_meta:
"description lang=en": "References: security best practices, supply-chain and vulnerability scanning tools, and security project indexes."
---
# References
## Other best practices
* [digital-defense.io](https://digital-defense.io): personal security checklist.
* [Secure Supply Chain Consumption Framework (S2C2F) Requirements](https://github.com/ossf/s2c2f/blob/main/specification/framework.md)
* [Guide to coordinated vulnerability disclosure for open source software projects](https://github.com/ossf/oss-vulnerability-guide)
* [Security insights specification](https://github.com/ossf/security-insights-spec/blob/main/specification.md): report information about project security in a machine-processable way
* [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software)
* [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software)
* [Source Code Management Platform Configuration Best Practices](https://best.openssf.org/SCM-BestPractices/)
* [FLOSS Best Practices Criteria](https://www.bestpractices.dev/en/criteria)
## Tools
* [sbom-scorecard](https://github.com/eBay/sbom-scorecard): Generate a score for your SBOM to understand whether it will actually be useful
* [libyear](https://libyear.com): A simple measure of software dependency freshness
* [bomber](https://github.com/devops-kung-fu/bomber): Scans Software Bill of Materials (SBOMs) for security vulnerabilities
* [dependency-track](https://dependencytrack.org): Continuous SBOM Analysis Platform
* [syft](https://github.com/anchore/syft): CLI tool and library for generating a Software Bill of Materials from container images and filesystems
* [grype](https://github.com/anchore/grype): A vulnerability scanner for container images and filesystems
* [dependency-check](https://github.com/jeremylong/DependencyCheck): OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies
* [unblob](https://github.com/onekey-sec/unblob): Extract files from any kind of container formats
* [hinge](https://github.com/devops-kung-fu/hinge): Creates and updates your Dependabot config
* [tacos framework](https://github.com/tacosframework): framework for attesting to the secure software development practices of open source packages
* [trivy](https://github.com/aquasecurity/trivy): Trivy is a comprehensive and versatile security scanner. Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
* [clair](https://github.com/quay/clair): Vulnerability Static Analysis for Containers
* [kube-bench](https://github.com/aquasecurity/kube-bench): tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark
## Index
* [Open Source Security Index](https://opensourcesecurityindex.io): The Most Popular & Fastest Growing Open Source Security Projects on GitHub
## IT
* [Fleet](https://fleetdm.com): Device management