References
Other best practices
digital-defense.io: personal security checklist.
Secure Supply Chain Consumption Framework (S2C2F) Requirements
Guide to coordinated vulnerability disclosure for open source software projects
Security insights specification: report information about project security in a machine-processable way
Source Code Management Platform Configuration Best Practices
Secure Supply Chain Consumption Framework (S2C2F) Simplified Requirements
2023-10-25: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software - CISA
2024-09-03: Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) - CISA
Tools
sbom-scorecard: Generate a score for your SBOM to understand if it will actually be useful
libyear: A simple measure of software dependency freshness
bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities
dependency-track: Continuous SBOM Analysis Platform
syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems
grype: A vulnerability scanner for container images and filesystems
dependency-check: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
unblob: Extract files from any kind of container formats
hinge: Creates and updates your Dependabot config
tacos framework: framework for attesting to the secure software development practices of open source packages
trivy: Trivy is a comprehensive and versatile security scanner. Find vulnerabilities, misconfigurations, secrets and SBOMs in containers, Kubernetes, code repositories, clouds and more
clair: Vulnerability Static Analysis for Containers
kube-bench: tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark
purl-spec: A purl or package URL is an attempt to standardize existing approaches to reliably identify and locate software packages. It also contains a specification of vers, a mostly universal version range specifier.
Index
Open Source Security Index: The Most Popular & Fastest Growing Open Source Security Projects on GitHub
IT
Fleet: Device management