|
| 1 | +## OpenJS-SCGv1.0-incubating Checklist |
| 2 | +- **Author**: OpenJS Foundation |
| 3 | +- **Title**: Security Compliance Guide v1.0 - Incubating |
| 4 | +- **Description**: This checklist is for projects that are in the incubating phase and have multiple maintainers. |
| 5 | + |
| 6 | + |
| 7 | +| Priority | Check | details | Info | |
| 8 | +| --- | --- | --- | --- | |
| 9 | +| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) | |
| 10 | +| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) | |
| 11 | +| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) | |
| 12 | +| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) | |
| 13 | +| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) | |
| 14 | +| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) | |
| 15 | +| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) | |
| 16 | +| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) | |
| 17 | +| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) | |
| 18 | +| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) | |
| 19 | +| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) | |
| 20 | +| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) | |
| 21 | +| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) | |
| 22 | +| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) | |
| 23 | +| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) | |
| 24 | +| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) | |
| 25 | +| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) | |
| 26 | +| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) | |
| 27 | +| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) | |
| 28 | +| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) | |
| 29 | +| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) | |
| 30 | +| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) | |
| 31 | +| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) | |
| 32 | +| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) | |
| 33 | +| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) | |
| 34 | +| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) | |
| 35 | +| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) | |
| 36 | +| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) | |
| 37 | +| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) | |
| 38 | +| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) | |
| 39 | +| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) | |
| 40 | +| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) | |
| 41 | +| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) | |
| 42 | +| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) | |
| 43 | +| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) | |
| 44 | +| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) | |
| 45 | +| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) | |
| 46 | +| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) | |
| 47 | +| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) | |
| 48 | +| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) | |
| 49 | +| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) | |
| 50 | +| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) | |
| 51 | +| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) | |
| 52 | +| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) | |
| 53 | +| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) | |
| 54 | +| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) | |
| 55 | +| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) | |
| 56 | +| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) | |
| 57 | +| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) | |
| 58 | +| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) | |
| 59 | +| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) | |
| 60 | +| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) | |
| 61 | +| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) | |
| 62 | +| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) | |
| 63 | +| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) | |
| 64 | +| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) | |
| 65 | +| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) | |
| 66 | +| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) | |
| 67 | +| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) | |
| 68 | +| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) | |
| 69 | +| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) | |
| 70 | +| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) | |
| 71 | +| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) | |
| 72 | +| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) | |
| 73 | +| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) | |
| 74 | +| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) | |
| 75 | +| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) | |
| 76 | +| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) | |
| 77 | +| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) | |
| 78 | +| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) | |
| 79 | +| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) | |
| 80 | +| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) | |
| 81 | + |
0 commit comments