Security Handbook

This repository contains the source for the Eclipse Foundation Security Handbook.

Best Practices for Securing Developers Environment

• Compiled in secure-developer.md

Other best practices

• digital-defense.io: personal security checklist.
• Secure Supply Chain Consumption Framework (S2C2F) Requirements
• Guide to coordinated vulnerability disclosure for open source software projects
• Security insights specification: report information about project security in a machine-processable way
• Concise Guide for Developing More Secure Software
• Concise Guide for Evaluating Open Source Software
• Source Code Management Platform Configuration Best Practices
• FLOSS Best Practices Criteria
• Source Code Management Platform Configuration Best Practices
• Secure Supply Chain Consumption Framework (S2C2F) Simplified Requirements

Tools

• sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful
• libyear: A simple measure of software dependency freshness
• bomber: Scans Software Bill of Materials (SBOMs) for security vulnerabilities
• dependency-track: Continuous SBOM Analysis Platform
• syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems
• grype: A vulnerability scanner for container images and filesystems
• dependency-check: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
• unblob: Extract files from any kind of container formats
• hinge: Creates and updates your Dependabot config
• tacos framework: framework for attesting to the secure software development practices of open source packages
• trivy: Trivy is a comprehensive and versatile security scanner. Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
• clair: Vulnerability Static Analysis for Containers
• kube-bench: tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark

Index

• Open Source Security Index: The Most Popular & Fastest Growing Open Source Security Projects on GitHub

IT

• Fleet: Device management