Supported compliance standards
CIS Software Supply Chain Security benchmark
The CIS Software Supply Chain Security benchmark provides prescriptive guidance for establishing a secure configuration posture for Software Development Platforms and Pipelines.
CIS Benchmarks are best practices for the secure configuration of a target system. In this case, the target system is the software supply chain.
Visit CIS Software Supply Chain Security benchmark for further details on checkpoints evaluated by Xygeni.
OWASP Software Component Verification Standard
The Software Component Verification Standard (SCVS) is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.
Visit OWASP Software Component Verification Standard for further details on checkpoints evaluated by Xygeni.
OpenSSF FLOSS
The OpenSSF FLOSS Best Practices is a set of recommendations from the Open Source Security Foundation (OpenSSF) Best Practices Working Group to help open source developers create and maintain more secure software.
The best practices criteria are divided into three levels, allowing incremental adoption:
Passing focuses on best practices that well-run FLOSS projects typically already follow. Getting the passing badge is an achievement; at any one time only about 10% of projects pursuing a badge achieve the passing level.
Silver is a more stringent set of criteria than passing but is expected to be achievable by small and single-organization projects.
Gold is even more stringent than silver and includes criteria that are not achievable by small or single-organization projects.
Visit OpenSSF FLOSS Best Practices Badge for further details on checkpoints evaluated by Xygeni.
OpenSSF Scorecard
OpenSSF Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
Visit OpenSSF Scorecards for further details on checkpoints evaluated by Xygeni.
ESF Securing the Software Supply Chain DEV
The ESF Securing the Software Supply Chain - Recommended Practices for Developers is a set of guidelines aimed at improving the security of software development by reducing the risk of supply chain attacks.
The set of recommended principles is framed in five top-level sections:
Secure Product Criteria and Management
Develop Secure Code
Verify Third-Party Components
Harden the Build Environment
Deliver Code
By following these guidelines, software developers can reduce the risk of supply chain attacks and ensure the security and integrity of their software.
Visit ESF Securing the Software Supply Chain - Recommended Practices for Developers for further details on checkpoints evaluated by Xygeni.