# Supported compliance standards

### CIS Software Supply Chain Security benchmark <a href="#cis_software_supply_chain_security_benchmark" id="cis_software_supply_chain_security_benchmark"></a>

The [CIS Software Supply Chain Security benchmark](https://workbench.cisecurity.org/files/3972/download/5064) provides prescriptive guidance for establishing a secure configuration posture for Software Development Platforms and Pipelines.

CIS Benchmarks are best practices for the secure configuration of a target system. In this case, the target system is the software supply chain.

{% hint style="info" %}
Visit [CIS Software Supply Chain Security benchmark](https://detectorsdev.xygeni.io/xydocs/compliance/cis_sscs.html) for further details on the checkpoints evaluated by Xygeni.
{% endhint %}

### OWASP Software Component Verification Standard <a href="#owasp_software_component_verification_standard" id="owasp_software_component_verification_standard"></a>

The *Software Component Verification Standard* (SCVS) is a community-driven effort to establish a framework of activities, controls, and best practices that help identify and reduce risk in a software supply chain.

{% hint style="info" %}
Visit [OWASP Software Component Verification Standard](https://detectorsdev.xygeni.io/xydocs/compliance/owasp_scvs.html) for further details on the checkpoints evaluated by Xygeni.
{% endhint %}

### OpenSSF FLOSS

The [OpenSSF FLOSS Best Practices](https://bestpractices.coreinfrastructure.org/en/criteria) are a set of recommendations from the Open Source Security Foundation (OpenSSF) [Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) that help open source developers create and maintain more secure software.

The best practices criteria are divided into three levels to allow incremental adoption:

* **Passing** focuses on best practices that well-run FLOSS projects typically already follow. Getting the passing badge is an achievement; at any one time only about 10% of projects pursuing a badge achieve the passing level.
* **Silver** is a more stringent set of criteria than passing but is expected to be achievable by small and single-organization projects.
* **Gold** is even more stringent than silver and includes criteria that are not achievable by small or single-organization projects.

{% hint style="info" %}
Visit [OpenSSF FLOSS Best Practices Badge](https://detectorsdev.xygeni.io/xydocs/compliance/openssf_flossbp.html) for further details on the checkpoints evaluated by Xygeni.
{% endhint %}

### OpenSSF Scorecard <a href="#openssf_scorecard" id="openssf_scorecard"></a>

[OpenSSF Scorecard](https://github.com/ossf/scorecard) is an automated tool that assesses a number of important security heuristics ("checks") for a project and assigns each check a score from 0 to 10. You can use these scores to identify specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce and make informed decisions about accepting those risks, evaluating alternative solutions, or working with the maintainers to make improvements.

{% hint style="info" %}
Visit [OpenSSF Scorecard](https://detectorsdev.xygeni.io/xydocs/compliance/openssf_scorecard.html) for further details on the checkpoints evaluated by Xygeni.
{% endhint %}

### ESF Securing the Software Supply Chain DEV

The [ESF Securing the Software Supply Chain - Recommended Practices for Developers](https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF) is a set of guidelines aimed at improving the security of software development by reducing the risk of supply chain attacks.

The recommended practices are organized into five top-level sections:

* Secure Product Criteria and Management
* Develop Secure Code
* Verify Third-Party Components
* Harden the Build Environment
* Deliver Code

By following these guidelines, software developers can reduce the risk of supply chain attacks and help ensure the security and integrity of their software.

{% hint style="info" %}
Visit [ESF Securing the Software Supply Chain - Recommended Practices for Developers](https://detectorsdev.xygeni.io/xydocs/compliance/esf_s3c_dev.html) for further details on the checkpoints evaluated by Xygeni.
{% endhint %}
