Continuing the discussion from Open source users: It’s time for extreme vetting - learn and follow Red Hat lead:
and this You are putting yourself and your data at risk
The above lists these best practices with links to FOSS OpenSCAP tool sets:
#1 Establish a vetting process
#2 Scan existing projects to detect FOSS vulnerabilities.
#3 Create or augment a repository of security-approved software.
#4 Research and remediate.
and these helpful tips too
Making Strong Security Easier With FOSS Scanners or: Building Secure Bridges