| 1 | +--- |
| 2 | +sidebar_position: 2 |
| 3 | +title: Checks |
| 4 | +slug: /visionBoard/Checks |
| 5 | +--- |
| 6 | + |
| 7 | + |
| 8 | +VisionBoard empowers organizations to streamline their security and compliance processes with a comprehensive collection of automated checks. These checks are designed to evaluate the health and security posture of your projects, ensuring alignment with industry standards. |
| 9 | + |
| 10 | +While you can use checks individually, most users prefer to group them into [Checklists](/docs/visionBoard/checklists) tailored to specific standards or policies, such as OpenJS compliance frameworks. Checklists allow you to customize check priorities, adjust severity levels, and subscribe to specific compliance requirements for your projects. |
| 11 | + |
| 12 | +Explore the full list of available checks below: |
| 13 | + |
| 14 | +<!-- LIST:START --> |
| 15 | +- **[owaspTop10Training](/docs/checks/owaspTop10Training)**: Training on OWASP Top 10 or equivalent |
| 16 | +- **[npmOrgMFA](/docs/checks/npmOrgMFA)**: Enforce MFA in npm organization(s) |
| 17 | +- **[orgToolingMFA](/docs/checks/orgToolingMFA)**: Enforce MFA in all the tools |
| 18 | +- **[MFAImpersonationDefense](/docs/checks/MFAImpersonationDefense)**: Use MFA against impersonation |
| 19 | +- **[noSensitiveInfoInRepositories](/docs/checks/noSensitiveInfoInRepositories)**: Check sensitive information |
| 20 | +- **[injectedSecretsAtRuntime](/docs/checks/injectedSecretsAtRuntime)**: Ensure that the secrets are injected at runtime |
| 21 | +- **[scanCommitsForSensitiveInfo](/docs/checks/scanCommitsForSensitiveInfo)**: Ensure that all the commits are scanned |
| 22 | +- **[preventLandingSensitiveCommits](/docs/checks/preventLandingSensitiveCommits)**: Block new commits with secrets or credentials |
| 23 | +- **[SSHKeysRequired](/docs/checks/SSHKeysRequired)**: Use SSH keys with passphrases for repository access |
| 24 | +- **[npmPublicationMFA](/docs/checks/npmPublicationMFA)**: Publish to npm using MFA-Enabled accounts |
| 25 | +- **[githubWebhookSecrets](/docs/checks/githubWebhookSecrets)**: Secure GitHub Webhooks with secrets |
| 26 | +- **[requireCodeOwnersReviewForLargeTeams](/docs/checks/requireCodeOwnersReviewForLargeTeams)**: Require code owners review |
| 27 | +- **[restrictedOrgPermissions](/docs/checks/restrictedOrgPermissions)**: Restrict default GitHub Org member permissions |
| 28 | +- **[adminRepoCreationOnly](/docs/checks/adminRepoCreationOnly)**: Allow only admins to create public repositories |
| 29 | +- **[preventBranchProtectionBypass](/docs/checks/preventBranchProtectionBypass)**: Prevent admins from bypassing branch protection |
| 30 | +- **[defineFunctionalRoles](/docs/checks/defineFunctionalRoles)**: Define roles aligned to functional responsibilities |
| 31 | +- **[githubWriteAccessRoles](/docs/checks/githubWriteAccessRoles)**: Define teams/individuals with write access to repositories |
| 32 | +- **[twoOrMoreOwnersForAccess](/docs/checks/twoOrMoreOwnersForAccess)**: Configure two or more owners for access continuity |
| 33 | +- **[patchCriticalVulns30Days](/docs/checks/patchCriticalVulns30Days)**: Patch actively exploited critical vulnerabilities within 30 Days |
| 34 | +- **[patchNonCriticalVulns90Days](/docs/checks/patchNonCriticalVulns90Days)**: Patch non-critical vulnerabilities within 90 days |
| 35 | +- **[automateVulnDetection](/docs/checks/automateVulnDetection)**: Automate dependency vulnerability identification |
| 36 | +- **[staticCodeAnalysis](/docs/checks/staticCodeAnalysis)**: Use automated static code analysis tools |
| 37 | +- **[resolveLinterWarnings](/docs/checks/resolveLinterWarnings)**: Address compiler and linter warnings before merging |
| 38 | +- **[staticAppSecTesting](/docs/checks/staticAppSecTesting)**: Use static application security testing for all commits |
| 39 | +- **[commitStatusChecks](/docs/checks/commitStatusChecks)**: Require commit status checks to pass before merging |
| 40 | +- **[securityMdMeetsOpenJSCVD](/docs/checks/securityMdMeetsOpenJSCVD)**: Ensure Security.md meets OpenJS CVD guidelines |
| 41 | +- **[useCVDToolForVulns](/docs/checks/useCVDToolForVulns)**: Use CVD tools to manage vulnerability reports |
| 42 | +- **[vulnResponse14Days](/docs/checks/vulnResponse14Days)**: Respond to external vulnerability reports in under 14 days |
| 43 | +- **[incidentResponsePlan](/docs/checks/incidentResponsePlan)**: Define clear communication and incident response plans |
| 44 | +- **[assignCVEForKnownVulns](/docs/checks/assignCVEForKnownVulns)**: Assign CVEs to all known security vulnerabilities |
| 45 | +- **[includeCVEInReleaseNotes](/docs/checks/includeCVEInReleaseNotes)**: Include CVE IDs in release notes for security fixes |
| 46 | +- **[regressionTestsForVulns](/docs/checks/regressionTestsForVulns)**: Create regression tests for bugs and security vulnerabilities |
| 47 | +- **[defaultTokenPermissionsReadOnly](/docs/checks/defaultTokenPermissionsReadOnly)**: Set default GitHub workflow token permissions to read-only |
| 48 | +- **[blockWorkflowPRApproval](/docs/checks/blockWorkflowPRApproval)**: Prevent workflows from creating or approving PRs |
| 49 | +- **[noForcePushDefaultBranch](/docs/checks/noForcePushDefaultBranch)**: Disable force push on default branch |
| 50 | +- **[preventDeletionDefaultBranch](/docs/checks/preventDeletionDefaultBranch)**: Prevent deletion of default branch |
| 51 | +- **[upToDateDefaultBranchBeforeMerge](/docs/checks/upToDateDefaultBranchBeforeMerge)**: Require default branch updates before merging |
| 52 | +- **[restrictOrgSecrets](/docs/checks/restrictOrgSecrets)**: Restrict GitHub organization secrets to specific repositories |
| 53 | +- **[verifiedActionsOnly](/docs/checks/verifiedActionsOnly)**: Limit GitHub Actions to verified or trusted actions |
| 54 | +- **[noSelfHostedRunners](/docs/checks/noSelfHostedRunners)**: Disable self-hosted runners in GitHub organization |
| 55 | +- **[noArbitraryCodeInPipeline](/docs/checks/noArbitraryCodeInPipeline)**: Restrict build pipeline code execution to build scripts |
| 56 | +- **[limitWorkflowWritePermissions](/docs/checks/limitWorkflowWritePermissions)**: Limit workflow write permissions to job level |
| 57 | +- **[preventScriptInjection](/docs/checks/preventScriptInjection)**: Avoid script injection from untrusted variables |
| 58 | +- **[consistentBuildProcessDocs](/docs/checks/consistentBuildProcessDocs)**: Document consistent and automated build processes |
| 59 | +- **[upgradePathDocs](/docs/checks/upgradePathDocs)**: Support older versions or provide upgrade paths |
| 60 | +- **[softwareArchitectureDocs](/docs/checks/softwareArchitectureDocs)**: Document software architecture |
| 61 | +- **[ciAndCdPipelineAsCode](/docs/checks/ciAndCdPipelineAsCode)**: Automate CI/CD steps in code-based pipelines |
| 62 | +- **[pinActionsToSHA](/docs/checks/pinActionsToSHA)**: Pin actions with secrets to full-length commit SHAs |
| 63 | +- **[automateDependencyManagement](/docs/checks/automateDependencyManagement)**: Automate monitoring of outdated dependencies |
| 64 | +- **[machineReadableDependencies](/docs/checks/machineReadableDependencies)**: Provide machine-readable dependency lists |
| 65 | +- **[identifyModifiedDependencies](/docs/checks/identifyModifiedDependencies)**: Uniquely identify modified dependencies |
| 66 | +- **[annualDependencyRefresh](/docs/checks/annualDependencyRefresh)**: Refresh dependencies with annual releases |
| 67 | +- **[useHwKeyGithubAccess](/docs/checks/useHwKeyGithubAccess)**: Use AAL2/3 passkeys for GitHub access |
| 68 | +- **[useHwKeyGithubNonInteractive](/docs/checks/useHwKeyGithubNonInteractive)**: Use AAL2/3 passkeys for non-interactive GitHub access |
| 69 | +- **[useHwKeyOtherContexts](/docs/checks/useHwKeyOtherContexts)**: Use AAL2/3 passkeys in all other contexts |
| 70 | +- **[forkWorkflowApproval](/docs/checks/forkWorkflowApproval)**: Require approval for forked workflow changes |
| 71 | +- **[workflowSecurityScanner](/docs/checks/workflowSecurityScanner)**: Use workflow security scanners |
| 72 | +- **[runnerSecurityScanner](/docs/checks/runnerSecurityScanner)**: Use GitHub runner security scanners |
| 73 | +- **[activeAdminsSixMonths](/docs/checks/activeAdminsSixMonths)**: Require active admins in GitHub organization (activity in 6 months) |
| 74 | +- **[activeWritersSixMonths](/docs/checks/activeWritersSixMonths)**: Require active members with write access (activity in 6 months) |
| 75 | +- **[PRsBeforeMerge](/docs/checks/PRsBeforeMerge)**: Require pull requests before merging |
| 76 | +- **[commitSignoffForWeb](/docs/checks/commitSignoffForWeb)**: Enforce commit sign-off for web based commits |
| 77 | +- **[requireSignedCommits](/docs/checks/requireSignedCommits)**: Require signed commits |
| 78 | +- **[includePackageLock](/docs/checks/includePackageLock)**: Include package-lock.json in releases |
| 79 | +- **[requireTwoPartyReview](/docs/checks/requireTwoPartyReview)**: Require two-party review |
| 80 | +- **[requirePRApprovalForMainline](/docs/checks/requirePRApprovalForMainline)**: Require approved PRs for mainline commits |
| 81 | +- **[limitOrgOwners](/docs/checks/limitOrgOwners)**: Limit GitHub org owners to fewer than three |
| 82 | +- **[limitRepoAdmins](/docs/checks/limitRepoAdmins)**: Limit GitHub repo admins to fewer than three |
| 83 | +- **[patchExploitableHighVulns14Days](/docs/checks/patchExploitableHighVulns14Days)**: Patch critical/high vulnerabilities in 14 Days |
| 84 | +- **[patchExploitableNoncCriticalVulns60Days](/docs/checks/patchExploitableNoncCriticalVulns60Days)**: Patch non-critical vulnerabilities in 60 Days |
| 85 | +- **[githubOrgMFA](/docs/checks/githubOrgMFA)**: Enforce MFA in GitHub organization(s) |
| 86 | +- **[softwareDesignTraining](/docs/checks/softwareDesignTraining)**: Training on secure software design |
| 87 | +<!-- LIST:END --> |
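Review bot: The check identifier `patchExploitableNoncCriticalVulns60Days` ("Patch non-critical vulnerabilities in 60 Days") looks like a typo ("Nonc" for "Non"), and the slug `/docs/checks/patchExploitableNoncCriticalVulns60Days` is derived from it; confirm the name matches the check's id in the code before this lands, because renaming it later breaks every checklist and link that references it. Several descriptions are also too vague to be actionable or inconsistent with their neighbours: "Check sensitive information" next to the specific "Block new commits with secrets or credentials", "Enforce MFA in all the tools", "Security.md" where the conventional filename is "SECURITY.md", and day counts that alternate between "30 Days", "90 days" and "14 Days". If the block between `<!-- LIST:START -->` and `<!-- LIST:END -->` is generated, these fixes belong in the generator's source data rather than in this file.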