# Supported compliance standards

### CIS Software Supply Chain Security benchmark <a href="#cis_software_supply_chain_security_benchmark" id="cis_software_supply_chain_security_benchmark"></a>

The [CIS Software Supply Chain Security benchmark](https://workbench.cisecurity.org/files/3972/download/5064) provides prescriptive guidance for establishing a secure configuration posture for Software Development Platforms and Pipelines.

CIS Benchmarks are best practices for the secure configuration of a target system. In this case, the target system is the software supply chain.

{% hint style="info" %}
Visit [CIS Software Supply Chain Security benchmark](https://detectorsdev.xygeni.io/xydocs/compliance/cis_sscs.html) for further details on checkpoints evaluated by Xygeni.
{% endhint %}

### OWASP Software Component Verification Standard <a href="#owasp_software_component_verification_standard" id="owasp_software_component_verification_standard"></a>

The *Software Component Verification Standard* (SCVS) is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.

{% hint style="info" %}
Visit [OWASP Software Component Verification Standard](https://detectorsdev.xygeni.io/xydocs/compliance/owasp_scvs.html) for further details on checkpoints evaluated by Xygeni.
{% endhint %}

### OpenSSF FLOSS

The [OpenSSF FLOSS Best Practices](https://bestpractices.coreinfrastructure.org/en/criteria) are a set of recommendations from the Open Source Security Foundation (OpenSSF) [Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) to help open source developers create and maintain more secure software.

The best practices criteria are divided into three levels to allow incremental adoption:

* **Passing** focuses on best practices that well-run FLOSS projects typically already follow. Getting the passing badge is an achievement; at any one time only about 10% of projects pursuing a badge achieve the passing level.
* **Silver** is a more stringent set of criteria than passing but is expected to be achievable by small and single-organization projects.
* **Gold** is even more stringent than silver and includes criteria that are not achievable by small or single-organization projects.

{% hint style="info" %}
Visit [OpenSSF FLOSS Best Practices Badge](https://detectorsdev.xygeni.io/xydocs/compliance/openssf_flossbp.html) for further details on checkpoints evaluated by Xygeni.
{% endhint %}

### OpenSSF Scorecard <a href="#openssf_scorecard" id="openssf_scorecard"></a>

[OpenSSF Scorecards](https://github.com/ossf/scorecard) is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

{% hint style="info" %}
Visit [OpenSSF Scorecards](https://detectorsdev.xygeni.io/xydocs/compliance/openssf_scorecard.html) for further details on checkpoints evaluated by Xygeni.
{% endhint %}

### ESF Securing the Software Supply Chain DEV

The [ESF Securing the Software Supply Chain - Recommended Practices for Developers](https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF) is a set of guidelines aimed at improving the security of software development by reducing the risk of supply chain attacks.

The recommended practices are grouped into 5 top-level sections:

* Secure Product Criteria and Management
* Develop Secure Code
* Verify Third-Party Components
* Harden the Build Environment
* Deliver Code

By following these guidelines, software developers can reduce the risk of supply chain attacks and help preserve the security and integrity of their software.

{% hint style="info" %}
Visit [ESF Securing the Software Supply Chain. Recommended Practices for Developers](https://detectorsdev.xygeni.io/xydocs/compliance/esf_s3c_dev.html) for further details on checkpoints evaluated by Xygeni.
{% endhint %}
