References#
Other best practices#
digital-defense.io: personal security checklist.
Secure Supply Chain Consumption Framework (S2C2F) Requirements
Guide to coordinated vulnerability disclosure for open source software projects
Security insights specification: report information about project security in a machine-processable way
Source Code Management Platform Configuration Best Practices
Source Code Management Platform Configuration Best Practices
Secure Supply Chain Consumption Framework (S2C2F) Simplified Requirements
Tools#
sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful
libyear: A simple measure of software dependency freshness
bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities
dependency-track: Continuous SBOM Analysis Platform
syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems
grype: A vulnerability scanner for container images and filesystems
dependency-check: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
unblob: Extract files from any kind of container formats
hinge: Creates and updates your Dependabot config
tacos framework: framework for attesting to the secure software development practices of open source packages
trivy: Trivy is a comprehensive and versatile security scanner. Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
clair: Vulnerability Static Analysis for Containers
kube-bench: tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark
Index#
Open Source Security Index: The Most Popular & Fastest Growing Open Source Security Projects on GitHub
IT#
Fleet: Device management