Foundry Python Core employs several automated tools to continuously monitor and improve security:

1. Dependency vulnerability scanning
   a. GitHub Dependabot: Detects vulnerabilities in dependencies (including transitive ones) and creates security update PRs. Dependabot alerts published.
   b. Renovate: Automates version updates for direct dependencies and keeps the lock file fresh so that transitive dependencies stay current. Dependency Dashboard published.
   c. pip-audit: Runs before commits reach GitHub and scans Python dependencies for known vulnerabilities using data from the Python Advisory Database. vulnerabilities.json published per release.
   d. trivy: Runs before commits reach GitHub and scans Python dependencies for known vulnerabilities using data from the GitHub Advisory Database and OSV.dev. sbom.spdx published per release.

2. License compliance
   a. pip-licenses: Inspects the licenses of all dependencies and matches them against an allow list to ensure compliance with licensing requirements and avoid components with problematic licenses. licenses.csv, licenses.json and licenses_grouped.json published per release.

3. Software Bill of Materials
   a. cyclonedx-py: Generates a Software Bill of Materials (SBOM) in CycloneDX format, listing all components and dependencies used in the project. sbom.json published per release.
   b. trivy: Generates a Software Bill of Materials (SBOM) in SPDX format, listing all components and dependencies used in the project. sbom.spdx published per release.

4. Static analysis
   a. SonarQube: Performs comprehensive static code analysis to detect code quality issues, security vulnerabilities, and bugs. Security hotspots published.

5. Secret scanning
   a. GitHub Secret scanning: Automatically scans the codebase for secrets and alerts if any are found. Secret scanning alerts published.
   b. Yelp/detect-secrets: Pre-commit hook and automated scanning to prevent accidental inclusion of secrets or sensitive information in commits. Pre-commit hook published.
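As an added illustration of the allow-list check that the pip-licenses step performs (this is example code, not the project's own tooling), the script below reads a report in the JSON layout pip-licenses emits and flags every dependency whose license is not on the allow list. The allow list and the sample report are constructed for the example; the project's real allow list is not on this page.

```python
"""Allow-list check over a pip-licenses JSON report (constructed sample)."""
import json

# Hypothetical allow list for the example; the project's real list is not on the page.
ALLOWED_LICENSES = {
    "MIT License",
    "BSD License",
    "Apache Software License",
    "Python Software Foundation License",
}

# Constructed sample in the shape of `pip-licenses --format=json` output
# (Name/Version/License keys); not the project's real licenses.json.
SAMPLE_LICENSES_JSON = json.dumps([
    {"Name": "requests", "Version": "2.32.3", "License": "Apache Software License"},
    {"Name": "packaging", "Version": "24.1", "License": "Apache Software License; BSD License"},
    {"Name": "dualpkg", "Version": "1.2.0", "License": "MIT License; GNU Lesser General Public License v2 (LGPLv2)"},
    {"Name": "somepkg", "Version": "1.0.0", "License": "UNKNOWN"},
    {"Name": "copyleftlib", "Version": "0.3.1", "License": "GNU General Public License v3 (GPLv3)"},
])


def split_licenses(field: str) -> list[str]:
    """pip-licenses joins multiple license classifiers with '; '; split and strip them."""
    return [part.strip() for part in field.split(";") if part.strip()]


def check_licenses(report_json: str, allowed: set[str]) -> dict[str, list[str]]:
    """Return {package: offending licenses} for every package that fails the allow list.

    The check is conservative: every license listed for a package must be allowed,
    because the classifier string does not say whether multiple licenses are AND or OR.
    'UNKNOWN' (or an empty field) is always flagged so an unclassified dependency
    cannot pass silently.
    """
    violations: dict[str, list[str]] = {}
    for entry in json.loads(report_json):
        licenses = split_licenses(entry.get("License", ""))
        if not licenses or "UNKNOWN" in licenses:
            violations[entry["Name"]] = licenses or ["UNKNOWN"]
            continue
        offending = [lic for lic in licenses if lic not in allowed]
        if offending:
            violations[entry["Name"]] = offending
    return violations


if __name__ == "__main__":
    result = check_licenses(SAMPLE_LICENSES_JSON, ALLOWED_LICENSES)
    for name, lics in sorted(result.items()):
        print(f"DISALLOWED {name}: {'; '.join(lics)}")
    raise SystemExit(1 if result else 0)
```

Wired into CI the non-zero exit fails the build, which is the gate the pip-licenses step provides; relaxing the dual-license rule to "at least one allowed" is a policy choice each project makes explicitly.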
We follow these security best practices:
- Regular dependency updates
- Comprehensive test coverage
- Code review process for changes by external contributors
- Automated CI/CD pipelines including security checks
- Adherence to Python security best practices
We promote security awareness among contributors and users:
- We state in our code style guide that security is a priority, and human and agentic contributors alike are required to follow that guide.
- We publish our security posture in SECURITY.md (this document), encouraging users to report vulnerabilities.
For questions about security compliance or for more details about our security practices, please contact [email protected].