diff --git a/docs/checks/MFAImpersonationDefense.mdx b/docs/checks/MFAImpersonationDefense.mdx index bcc3c3e9..56213769 100644 --- a/docs/checks/MFAImpersonationDefense.mdx +++ b/docs/checks/MFAImpersonationDefense.mdx @@ -5,6 +5,14 @@ title: Use MFA against impersonation slug: /checks/MFAImpersonationDefense --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P1 - Mitre: [CWE-290](https://cwe.mitre.org/data/definitions/290.html) - Sources: [OpenSSF Best Practices Badge Gold Level [secure_2FA]](https://www.bestpractices.dev/en/criteria/2#2.secure_2FA) - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/PRsBeforeMerge.mdx b/docs/checks/PRsBeforeMerge.mdx index aa6aaea4..d45d27b4 100644 --- a/docs/checks/PRsBeforeMerge.mdx +++ b/docs/checks/PRsBeforeMerge.mdx @@ -5,6 +5,14 @@ title: Require Pull Requests Before Merging slug: /checks/PRsBeforeMerge --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended 
@@ -19,12 +27,10 @@ Require Pull Requests before Merging ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R4 - Mitre: [CWE-778](https://cwe.mitre.org/data/definitions/778.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/SSHKeysRequired.mdx b/docs/checks/SSHKeysRequired.mdx index 503c2576..3c07d92b 100644 --- a/docs/checks/SSHKeysRequired.mdx +++ b/docs/checks/SSHKeysRequired.mdx @@ -5,6 +5,14 @@ title: Use SSH Keys with Passphrases for Repository Access slug: /checks/SSHKeysRequired --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Use SSH keys for developer access to source code repositories and use a passphra ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P3 - Mitre: [CWE-309](https://cwe.mitre.org/data/definitions/309.html) - Sources: [CNCF SSCP v1.0 #192](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories) - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/activeAdminsSixMonths.mdx b/docs/checks/activeAdminsSixMonths.mdx index 4387be62..18defce4 100644 --- a/docs/checks/activeAdminsSixMonths.mdx +++ b/docs/checks/activeAdminsSixMonths.mdx 
@@ -5,6 +5,14 @@ title: Require Active Admins in GitHub Org (Activity in 6 Months) slug: /checks/activeAdminsSixMonths --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Github Organization Admins Should Have Activity In The Last 6 Months ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R3 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/activeWritersSixMonths.mdx b/docs/checks/activeWritersSixMonths.mdx index 4a952800..6f3c2c41 100644 --- a/docs/checks/activeWritersSixMonths.mdx +++ b/docs/checks/activeWritersSixMonths.mdx @@ -5,6 +5,14 @@ title: Require Active Members with Write Access (Activity in 6 Months) slug: /checks/activeWritersSixMonths --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Github Organization Members with Write Permissions Should Have Activity In The L ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R3 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/adminRepoCreationOnly.mdx b/docs/checks/adminRepoCreationOnly.mdx index b17caf02..0d107cac 100644 --- a/docs/checks/adminRepoCreationOnly.mdx +++ b/docs/checks/adminRepoCreationOnly.mdx 
@@ -5,6 +5,14 @@ title: Allow Only Admins to Create Public Repositories slug: /checks/adminRepoCreationOnly --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Only Admins Should Be Able To Create Public Repositories ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/annualDependencyRefresh.mdx b/docs/checks/annualDependencyRefresh.mdx index 290fd887..aefff537 100644 --- a/docs/checks/annualDependencyRefresh.mdx +++ b/docs/checks/annualDependencyRefresh.mdx @@ -5,6 +5,14 @@ title: Refresh Dependencies with Annual Releases slug: /checks/annualDependencyRefresh --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ A new release to refresh dependencies occurs at least annually ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P14 - Sources: [OpenSSF Best Practices Badge Passing Level [maintained]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/assignCVEForKnownVulns.mdx b/docs/checks/assignCVEForKnownVulns.mdx index 8f1b815d..fae24a52 100644 --- a/docs/checks/assignCVEForKnownVulns.mdx 
+++ b/docs/checks/assignCVEForKnownVulns.mdx @@ -5,6 +5,14 @@ title: Assign CVEs to All Known Security Vulnerabilities slug: /checks/assignCVEForKnownVulns --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ All Known Security Vulnerabilities are Issued a CVE ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/automateDependencyManagement.mdx b/docs/checks/automateDependencyManagement.mdx index 6983c7fa..0500d317 100644 --- a/docs/checks/automateDependencyManagement.mdx +++ b/docs/checks/automateDependencyManagement.mdx @@ -5,6 +5,14 @@ title: Automate Monitoring of Outdated Dependencies slug: /checks/automateDependencyManagement --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,11 +27,9 @@ Automated Process is Used to Monitor for and Maintain a List of Out of Date Depe ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P14 - Sources: [OWASP SCVS L1 5.7](https://scvs.owasp.org/scvs/v5-component-analysis/) - How To: [Socket.Dev](https://socket.dev/) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/automateVulnDetection.mdx b/docs/checks/automateVulnDetection.mdx index 62300d8d..61bf552f 100644 --- a/docs/checks/automateVulnDetection.mdx +++ b/docs/checks/automateVulnDetection.mdx 
@@ -5,6 +5,14 @@ title: Automate Dependency Vulnerability Identification slug: /checks/automateVulnDetection --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ An automated process to identify dependencies with publicly disclosed vulnerabil ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P6 - Mitre: [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html) - Sources: [OWASP SCVS L1 5.4](https://scvs.owasp.org/scvs/v5-component-analysis/) - How To: [Github Docs](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/blockWorkflowPRApproval.mdx b/docs/checks/blockWorkflowPRApproval.mdx index 23bdf630..29a2b1e5 100644 --- a/docs/checks/blockWorkflowPRApproval.mdx +++ b/docs/checks/blockWorkflowPRApproval.mdx @@ -5,6 +5,14 @@ title: Prevent Workflows from Creating or Approving PRs slug: /checks/blockWorkflowPRApproval --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ Workflows are not Allowed To Create or Approve Pull Requests ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P9 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) - How To: [Github Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/ciAndCdPipelineAsCode.mdx b/docs/checks/ciAndCdPipelineAsCode.mdx index a2dcaa58..2642f930 100644 --- a/docs/checks/ciAndCdPipelineAsCode.mdx +++ b/docs/checks/ciAndCdPipelineAsCode.mdx @@ -5,6 +5,14 @@ title: Automate CI/CD Steps in Code-Based Pipelines slug: /checks/ciAndCdPipelineAsCode --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: deferrable @@ -19,11 +27,9 @@ CI/CD steps should all be automated through a pipeline defined as code ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P12 - Sources: [CNCF SSCP 1.0 #158](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code) - How To: [Github Docs](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/commitSignoffForWeb.mdx b/docs/checks/commitSignoffForWeb.mdx index 412108fb..4228ef8a 100644 --- a/docs/checks/commitSignoffForWeb.mdx +++ b/docs/checks/commitSignoffForWeb.mdx 
@@ -5,6 +5,14 @@ title: Enforce Commit Signoff for Web-Based Commits slug: /checks/commitSignoffForWeb --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Github Org Requires Commit Signoff for Web-Based Commits ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R4 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/commitStatusChecks.mdx b/docs/checks/commitStatusChecks.mdx index d688f005..cc24c13c 100644 --- a/docs/checks/commitStatusChecks.mdx +++ b/docs/checks/commitStatusChecks.mdx @@ -5,6 +5,14 @@ title: Require Commit Status Checks to Pass Before Merging slug: /checks/commitStatusChecks --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ All Required Commit Status Checks must pass before Merging ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P6 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/consistentBuildProcessDocs.mdx b/docs/checks/consistentBuildProcessDocs.mdx index fce9f740..e0cfa030 100644 --- a/docs/checks/consistentBuildProcessDocs.mdx +++ b/docs/checks/consistentBuildProcessDocs.mdx @@ -5,6 +5,14 @@ title: Document Consistent and Automated Build Processes slug: /checks/consistentBuildProcessDocs --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Consistent and Automated Build Process is Documented and Used ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P12 - Mitre: [CWE-1068](https://cwe.mitre.org/data/definitions/1068.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/defaultTokenPermissionsReadOnly.mdx b/docs/checks/defaultTokenPermissionsReadOnly.mdx index be1f6059..2eb7b2a3 100644 --- a/docs/checks/defaultTokenPermissionsReadOnly.mdx +++ b/docs/checks/defaultTokenPermissionsReadOnly.mdx 
@@ -5,6 +5,14 @@ title: Set Default GitHub Workflow Token Permissions to Read Only slug: /checks/defaultTokenPermissionsReadOnly --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Github Org Default Workflow Token Permissions are Set to Read Only ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P9 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/defineFunctionalRoles.mdx b/docs/checks/defineFunctionalRoles.mdx index 9558c4e6..3d590278 100644 --- a/docs/checks/defineFunctionalRoles.mdx +++ b/docs/checks/defineFunctionalRoles.mdx @@ -5,6 +5,14 @@ title: Define Roles Aligned to Functional Responsibilities slug: /checks/defineFunctionalRoles --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Define roles aligned to functional responsibilities ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) - Sources: [CNCF SSCP v1.0 #188](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/forkWorkflowApproval.mdx b/docs/checks/forkWorkflowApproval.mdx index c58e6609..9d9d1e9b 100644 --- a/docs/checks/forkWorkflowApproval.mdx 
+++ b/docs/checks/forkWorkflowApproval.mdx @@ -5,6 +5,14 @@ title: Require Approval for Forked Workflow Changes slug: /checks/forkWorkflowApproval --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Limit changes from forks to workflows by requiring approval for all outside coll ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R2 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/githubOrgMFA.mdx b/docs/checks/githubOrgMFA.mdx index 7d436491..e5ebffba 100644 --- a/docs/checks/githubOrgMFA.mdx +++ b/docs/checks/githubOrgMFA.mdx @@ -5,6 +5,10 @@ title: Enforce MFA in GitHub Organization(s) slug: /checks/githubOrgMFA --- + + + + ## Use Case - Incubating: expected 
@@ -23,13 +27,11 @@ We use the field `two_factor_requirement_enabled` from the GitHub Organization A ## Details -- Implementation Status: completed - Implementation Details: It is computed ([details](https://github.com/OpenPathfinder/visionBoard/issues/43)). - C-SCRM: true - Priority Group: P1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html) - How To: [Github Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/githubWebhookSecrets.mdx b/docs/checks/githubWebhookSecrets.mdx index 95aa7af3..74fd54df 100644 --- a/docs/checks/githubWebhookSecrets.mdx +++ b/docs/checks/githubWebhookSecrets.mdx @@ -5,6 +5,14 @@ title: Secure GitHub Webhooks with Secrets slug: /checks/githubWebhookSecrets --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Github Webhooks Use Secrets ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P3 - Mitre: [CWE-306](https://cwe.mitre.org/data/definitions/306) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks) - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/githubWriteAccessRoles.mdx b/docs/checks/githubWriteAccessRoles.mdx index d9f74c62..0ab07f03 100644 --- a/docs/checks/githubWriteAccessRoles.mdx 
+++ b/docs/checks/githubWriteAccessRoles.mdx @@ -5,6 +5,14 @@ title: Define Teams/Individuals with Write Access to Repositories slug: /checks/githubWriteAccessRoles --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Define Individuals/Teams who Write Access to a Github Repo ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [CNCF SSCP v1.0 #185](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/identifyModifiedDependencies.mdx b/docs/checks/identifyModifiedDependencies.mdx index 3067b00f..da5c7db3 100644 --- a/docs/checks/identifyModifiedDependencies.mdx +++ b/docs/checks/identifyModifiedDependencies.mdx @@ -5,6 +5,14 @@ title: Uniquely Identify Modified Dependencies slug: /checks/identifyModifiedDependencies --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Modified dependencies are uniquely identified and distinct from origin dependenc ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P14 - Sources: [OWASP SCVS L2 6.5](https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/incidentResponsePlan.mdx b/docs/checks/incidentResponsePlan.mdx index ab30a93a..114da5f4 100644 --- a/docs/checks/incidentResponsePlan.mdx +++ b/docs/checks/incidentResponsePlan.mdx @@ -5,6 +5,14 @@ title: Define Clear Communication and Incident Response Plans slug: /checks/incidentResponsePlan --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Establish a Clear Communication and Incident Response Plan ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P7 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/#operations) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/includeCVEInReleaseNotes.mdx b/docs/checks/includeCVEInReleaseNotes.mdx index 9b321370..98e80a9b 100644 --- a/docs/checks/includeCVEInReleaseNotes.mdx +++ b/docs/checks/includeCVEInReleaseNotes.mdx @@ -5,6 +5,14 @@ title: Include CVE IDs in Release Notes for Security Fixes slug: /checks/includeCVEInReleaseNotes --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Release Notes must Include the CVE ID of Patched Security Vulnerabilities ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/includePackageLock.mdx b/docs/checks/includePackageLock.mdx index 3e72ad1c..6af1e87c 100644 --- a/docs/checks/includePackageLock.mdx +++ b/docs/checks/includePackageLock.mdx 
@@ -5,6 +5,14 @@ title: Include package-lock.json in Releases (Freestanding Apps) slug: /checks/includePackageLock --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ slug: /checks/includePackageLock ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R5 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom) - How To: [npm Docs](https://docs.npmjs.com/cli/v10/commands/npm-sbom) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/injectedSecretsAtRuntime.mdx b/docs/checks/injectedSecretsAtRuntime.mdx index e6da61f2..810cde94 100644 --- a/docs/checks/injectedSecretsAtRuntime.mdx +++ b/docs/checks/injectedSecretsAtRuntime.mdx @@ -5,6 +5,14 @@ title: Ensure that the secrets are injected at runtime slug: /checks/injectedSecretsAtRuntime --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Secrets are injected at runtime, such as environment variables or as a file (eg: ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P2 - Mitre: [CWE-538](https://cwe.mitre.org/data/definitions/538.html) - Sources: [CNCF CNSWP 2.0 #195](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption) - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/limitOrgOwners.mdx b/docs/checks/limitOrgOwners.mdx index 34fa9f06..c0d0f4c3 100644 --- a/docs/checks/limitOrgOwners.mdx 
+++ b/docs/checks/limitOrgOwners.mdx @@ -5,6 +5,14 @@ title: Limit GitHub Org Owners to Fewer Than Three slug: /checks/limitOrgOwners --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Limit Number of Github Org Owners (ideally Fewer Than Three) ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R7 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/limitRepoAdmins.mdx b/docs/checks/limitRepoAdmins.mdx index 65b2ec88..b30a8a81 100644 --- a/docs/checks/limitRepoAdmins.mdx +++ b/docs/checks/limitRepoAdmins.mdx @@ -5,6 +5,14 @@ title: Limit GitHub Repo Admins to Fewer Than Three slug: /checks/limitRepoAdmins --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Limit Number of Github Repository Admins (ideally Fewer Than Three) ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R7 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/limitWorkflowWritePermissions.mdx b/docs/checks/limitWorkflowWritePermissions.mdx index 0577c546..577c842f 100644 --- a/docs/checks/limitWorkflowWritePermissions.mdx +++ b/docs/checks/limitWorkflowWritePermissions.mdx 
@@ -5,6 +5,14 @@ title: Limit Workflow Write Permissions to Job-Level slug: /checks/limitWorkflowWritePermissions --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Only Allow Workflows Write Permissions at the Job-Level ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P11 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) - How To: [Github Docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/machineReadableDependencies.mdx b/docs/checks/machineReadableDependencies.mdx index 1bf0cc60..91268fc5 100644 --- a/docs/checks/machineReadableDependencies.mdx +++ b/docs/checks/machineReadableDependencies.mdx @@ -5,6 +5,14 @@ title: Provide Machine-Readable Dependency Lists slug: /checks/machineReadableDependencies --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,11 +27,9 @@ slug: /checks/machineReadableDependencies ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P14 - Sources: [OWASP SCVS L1 1.3](https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements) - How To: [Github Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/noArbitraryCodeInPipeline.mdx b/docs/checks/noArbitraryCodeInPipeline.mdx index 284f2dd4..b92d4c16 100644 --- a/docs/checks/noArbitraryCodeInPipeline.mdx +++ b/docs/checks/noArbitraryCodeInPipeline.mdx @@ -5,6 +5,14 @@ title: Restrict Build Pipeline Code Execution to Build Scripts slug: /checks/noArbitraryCodeInPipeline --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,11 +27,9 @@ Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P11 - Mitre: [CWE-94](https://cwe.mitre.org/data/definitions/94.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/noForcePushDefaultBranch.mdx b/docs/checks/noForcePushDefaultBranch.mdx index 2d6446d1..08f6961d 100644 --- a/docs/checks/noForcePushDefaultBranch.mdx +++ b/docs/checks/noForcePushDefaultBranch.mdx @@ -5,6 +5,14 @@ title: Disable Force Push on Default Branch slug: /checks/noForcePushDefaultBranch --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,11 +27,9 @@ Prevent Force Push on Default Branch ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P9 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/noSelfHostedRunners.mdx b/docs/checks/noSelfHostedRunners.mdx index e2e06bbd..c65ffcc0 100644 --- a/docs/checks/noSelfHostedRunners.mdx +++ b/docs/checks/noSelfHostedRunners.mdx @@ -5,6 +5,14 @@ title: Disable Self-Hosted Runners in GitHub Org slug: /checks/noSelfHostedRunners --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Disable use of Self-Hosted Runners in Github Org ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P10 - Mitre: [CAPEC-439](https://capec.mitre.org/data/definitions/439.html) - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/noSensitiveInfoInRepositories.mdx b/docs/checks/noSensitiveInfoInRepositories.mdx index ad9fd775..6d5498c1 100644 --- a/docs/checks/noSensitiveInfoInRepositories.mdx +++ b/docs/checks/noSensitiveInfoInRepositories.mdx @@ -5,6 +5,14 @@ title: Check sensitive information slug: /checks/noSensitiveInfoInRepositories --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ No Secrets and Credentials in Source Code ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P2 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html) - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials) - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/npmOrgMFA.mdx b/docs/checks/npmOrgMFA.mdx index 4da0d3da..383b3769 100644 --- a/docs/checks/npmOrgMFA.mdx +++ b/docs/checks/npmOrgMFA.mdx @@ -5,6 +5,14 @@ title: Enforce MFA in npm Organization(s) slug: /checks/npmOrgMFA --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Multi Factor Authentication (MFA) Enforced Across the npm Organization ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md) - How To: [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/npmPublicationMFA.mdx b/docs/checks/npmPublicationMFA.mdx index 9a7b0adf..4b5bf8cd 100644 --- a/docs/checks/npmPublicationMFA.mdx +++ b/docs/checks/npmPublicationMFA.mdx @@ -5,6 +5,14 @@ title: Publish to npm Using MFA-Enabled Accounts slug: /checks/npmPublicationMFA --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,11 +27,9 @@ Publish to npm using an MFA-enabled account rather than single factor legacy or ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P3 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [npm Docs](https://docs.npmjs.com/creating-and-viewing-access-tokens) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/orgToolingMFA.mdx b/docs/checks/orgToolingMFA.mdx index c9618d7c..521a15d2 100644 --- a/docs/checks/orgToolingMFA.mdx +++ b/docs/checks/orgToolingMFA.mdx @@ -5,6 +5,14 @@ title: Enforce MFA in all the tools slug: /checks/orgToolingMFA --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,11 +27,9 @@ Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Fea ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/owaspTop10Training.mdx b/docs/checks/owaspTop10Training.mdx index 2c9c6c99..b107d663 100644 --- a/docs/checks/owaspTop10Training.mdx +++ b/docs/checks/owaspTop10Training.mdx @@ -5,6 +5,14 @@ title: Training on OWASP Top 10 or Equivalent slug: /checks/owaspTop10Training --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,11 +27,9 @@ At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equiva ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P0 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/) - Sources: [OpenSSF Best Practices Badge Passing Level [know_common_errors]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/patchCriticalVulns30Days.mdx b/docs/checks/patchCriticalVulns30Days.mdx index fe518554..89684cae 100644 --- a/docs/checks/patchCriticalVulns30Days.mdx +++ b/docs/checks/patchCriticalVulns30Days.mdx @@ -5,6 +5,14 @@ title: Patch Actively Exploited Critical Vulnerabilities within 30 Days slug: /checks/patchCriticalVulns30Days --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Actively Exploited Critical Vulnerabilities Patched within 30 Days ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P5 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/patchExploitableHighVulns14Days.mdx b/docs/checks/patchExploitableHighVulns14Days.mdx index 7f05fa6c..67ff1b19 100644 --- a/docs/checks/patchExploitableHighVulns14Days.mdx +++ b/docs/checks/patchExploitableHighVulns14Days.mdx @@ -5,6 +5,14 @@ title: Patch Critical/High Vulnerabilities in 14 Days slug: /checks/patchExploitableHighVulns14Days --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended 
@@ -19,10 +27,8 @@ Actively Exploited Critical and High Vulnerabilities Patched within 14 Days ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: R8 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx index 3701473b..5f44a7b3 100644 --- a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx +++ b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx @@ -5,6 +5,14 @@ title: Patch Non-Critical Vulnerabilities in 60 Days slug: /checks/patchExploitableNoncCriticalVulns60Days --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,10 +27,8 @@ Non-Critical Expoitable Vulnerabilities Patched within 60 Days ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: R8 - Sources: [OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/patchNonCriticalVulns90Days.mdx b/docs/checks/patchNonCriticalVulns90Days.mdx index 63d81335..b2148f62 100644 --- a/docs/checks/patchNonCriticalVulns90Days.mdx +++ b/docs/checks/patchNonCriticalVulns90Days.mdx @@ -5,6 +5,14 @@ title: Patch Non-Critical Vulnerabilities within 90 Days slug: /checks/patchNonCriticalVulns90Days --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,10 +27,8 @@ Non-Critical Exploitable Vulnerabilities Patched within 90 Days ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P5 - Sources: [Google Project Zero Vulnerability Disclosure Policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/pinActionsToSHA.mdx b/docs/checks/pinActionsToSHA.mdx index 542d04e4..a06d22e4 100644 --- a/docs/checks/pinActionsToSHA.mdx +++ b/docs/checks/pinActionsToSHA.mdx @@ -5,6 +5,14 @@ title: Pin Actions with Secrets to Full-Length Commit SHAs slug: /checks/pinActionsToSHA --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: deferrable @@ -19,11 +27,9 @@ Pin Actions with Access to Secrets to a Full Length Commit SHA ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P13 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html) - Sources: [Github Docs](https://securitylab.github.com/research/github-actions-building-blocks/) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/preventBranchProtectionBypass.mdx b/docs/checks/preventBranchProtectionBypass.mdx index e4c39ea0..922781d0 100644 --- a/docs/checks/preventBranchProtectionBypass.mdx +++ b/docs/checks/preventBranchProtectionBypass.mdx @@ -5,6 +5,14 @@ title: Prevent Admins from Bypassing Branch Protection slug: /checks/preventBranchProtectionBypass --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ slug: /checks/preventBranchProtectionBypass ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) - Sources: [Github Supply Chain Security Best Practices](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/preventDeletionDefaultBranch.mdx b/docs/checks/preventDeletionDefaultBranch.mdx index d0268dad..8b5c7f13 100644 --- a/docs/checks/preventDeletionDefaultBranch.mdx +++ b/docs/checks/preventDeletionDefaultBranch.mdx @@ -5,6 +5,14 @@ title: Prevent Deletion of Default Branch slug: /checks/preventDeletionDefaultBranch --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Prevent Default Branch Deletion ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P9 - Mitre: [CWE-267](https://cwe.mitre.org/data/definitions/267.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/preventLandingSensitiveCommits.mdx b/docs/checks/preventLandingSensitiveCommits.mdx index 283a8baa..e777a68b 100644 --- a/docs/checks/preventLandingSensitiveCommits.mdx 
+++ b/docs/checks/preventLandingSensitiveCommits.mdx @@ -5,6 +5,14 @@ title: Block New Commits with Secrets or Credentials slug: /checks/preventLandingSensitiveCommits --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ New Commits Containing Secrets or Credentials are Blocked from Merging ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P2 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html) - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials) - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/preventScriptInjection.mdx b/docs/checks/preventScriptInjection.mdx index 5e89fad1..49a33691 100644 --- a/docs/checks/preventScriptInjection.mdx +++ b/docs/checks/preventScriptInjection.mdx @@ -5,6 +5,14 @@ title: Avoid Script Injection from Untrusted Variables slug: /checks/preventScriptInjection --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Avoid Script Injection from Untrusted Context Variables ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P11 - Mitre: [CWE-454](https://cwe.mitre.org/data/definitions/454.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) - How To: [Github Docs](https://securitylab.github.com/research/github-actions-untrusted-input/) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/regressionTestsForVulns.mdx b/docs/checks/regressionTestsForVulns.mdx index 2701cf39..09fd800b 100644 --- a/docs/checks/regressionTestsForVulns.mdx +++ b/docs/checks/regressionTestsForVulns.mdx @@ -5,6 +5,14 @@ title: Create Regression Tests for Bugs and Security Vulnerabilities slug: /checks/regressionTestsForVulns --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: deferrable @@ -19,10 +27,8 @@ Regression Tests for => 50% of Bugs and 100% of Security Vulns ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P8 - Sources: [OpenSSF Best Practices Badge Silver Level [regression_tests_added50]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx index f6b8b1e0..244f824a 100644 --- a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx +++ b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx @@ -5,6 +5,14 @@ title: Require Code Owners Review (Four+ Maintainers) slug: /checks/requireCodeOwnersReviewForLargeTeams --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended 
@@ -19,12 +27,10 @@ slug: /checks/requireCodeOwnersReviewForLargeTeams ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R6 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review) - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/requirePRApprovalForMainline.mdx b/docs/checks/requirePRApprovalForMainline.mdx index 1f0756e3..03b920db 100644 --- a/docs/checks/requirePRApprovalForMainline.mdx +++ b/docs/checks/requirePRApprovalForMainline.mdx @@ -5,6 +5,14 @@ title: Require Approved PRs for Mainline Commits (Two+ Maintainers) slug: /checks/requirePRApprovalForMainline --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,12 +27,10 @@ slug: /checks/requirePRApprovalForMainline ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R6 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/requireSignedCommits.mdx b/docs/checks/requireSignedCommits.mdx index 6edc44b5..e4b7ab86 100644 --- a/docs/checks/requireSignedCommits.mdx +++ b/docs/checks/requireSignedCommits.mdx 
@@ -5,6 +5,14 @@ title: Require Signed Commits slug: /checks/requireSignedCommits --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ Require Signed Commits ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R4 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/requireTwoPartyReview.mdx b/docs/checks/requireTwoPartyReview.mdx index 99528c27..49b35086 100644 --- a/docs/checks/requireTwoPartyReview.mdx +++ b/docs/checks/requireTwoPartyReview.mdx @@ -5,6 +5,14 @@ title: Require Two-Party Review (Two+ Maintainers) slug: /checks/requireTwoPartyReview --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,12 +27,10 @@ slug: /checks/requireTwoPartyReview ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R6 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/resolveLinterWarnings.mdx b/docs/checks/resolveLinterWarnings.mdx index 1d194521..215a28d4 100644 --- a/docs/checks/resolveLinterWarnings.mdx +++ b/docs/checks/resolveLinterWarnings.mdx @@ -5,6 +5,14 @@ title: Address Compiler/Linter Warnings Before Merging slug: /checks/resolveLinterWarnings --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Compilers/Linter Warnings Addressed in order to Merge ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P6 - Mitre: [CWE-1127](https://cwe.mitre.org/data/definitions/1127.html) - Sources: [OpenSSF Best Practices Badge Silver Level [warnings_strict]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict) - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/restrictOrgSecrets.mdx b/docs/checks/restrictOrgSecrets.mdx index decaac56..f742d202 100644 --- a/docs/checks/restrictOrgSecrets.mdx +++ b/docs/checks/restrictOrgSecrets.mdx @@ -5,6 +5,14 @@ title: Restrict GitHub Org Secrets to Specific Repositories slug: /checks/restrictOrgSecrets --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ GitHub Organization Secrets are Restricted to Selected Repositories ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P10 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html) - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/restrictedOrgPermissions.mdx b/docs/checks/restrictedOrgPermissions.mdx index c54bda34..832765b0 100644 --- a/docs/checks/restrictedOrgPermissions.mdx +++ b/docs/checks/restrictedOrgPermissions.mdx @@ -5,6 +5,14 @@ title: Restrict Default GitHub Org Member Permissions slug: /checks/restrictedOrgPermissions --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Default Github Org Member Permissions Should Be Restricted ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/runnerSecurityScanner.mdx b/docs/checks/runnerSecurityScanner.mdx index 03ace746..762b45c1 100644 --- a/docs/checks/runnerSecurityScanner.mdx +++ b/docs/checks/runnerSecurityScanner.mdx @@ -5,6 +5,14 @@ title: Use GitHub Runner Security Scanners slug: /checks/runnerSecurityScanner --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,12 +27,10 @@ Use a Github Runner Security Scanner ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R2 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/) - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) - How To: [Step Security harden-runner](https://github.com/step-security/harden-runner) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/scanCommitsForSensitiveInfo.mdx b/docs/checks/scanCommitsForSensitiveInfo.mdx index ba92fd17..01d1b5e5 100644 --- a/docs/checks/scanCommitsForSensitiveInfo.mdx +++ b/docs/checks/scanCommitsForSensitiveInfo.mdx @@ -5,6 +5,14 @@ title: Ensure that all the commits are scanned slug: /checks/scanCommitsForSensitiveInfo --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ All Commits are Scanned for Secrets and Credentials ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P2 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html) - Sources: [CNCF SSCP v1.0 #184](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144) - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/securityMdMeetsOpenJSCVD.mdx b/docs/checks/securityMdMeetsOpenJSCVD.mdx index 8cd10303..8c3b4c69 100644 --- a/docs/checks/securityMdMeetsOpenJSCVD.mdx +++ b/docs/checks/securityMdMeetsOpenJSCVD.mdx @@ -5,6 +5,14 @@ title: Ensure Security.md Meets OpenJS CVD Guidelines slug: /checks/securityMdMeetsOpenJSCVD --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Security.md Meets OpenJS CVD Guidelines ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P7 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/softwareArchitectureDocs.mdx b/docs/checks/softwareArchitectureDocs.mdx index 59f988cd..11ff9c8f 100644 --- a/docs/checks/softwareArchitectureDocs.mdx +++ b/docs/checks/softwareArchitectureDocs.mdx @@ -5,6 +5,14 @@ title: Document Software Architecture slug: /checks/softwareArchitectureDocs --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: deferrable 
@@ -19,11 +27,9 @@ slug: /checks/softwareArchitectureDocs ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P12 - Mitre: [CWE-1053](https://cwe.mitre.org/data/definitions/1053.html) - Sources: [OpenSSF Best Practices Badge Silver Level [documentation_architecture]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/softwareDesignTraining.mdx b/docs/checks/softwareDesignTraining.mdx index cf008ddc..cf05927f 100644 --- a/docs/checks/softwareDesignTraining.mdx +++ b/docs/checks/softwareDesignTraining.mdx @@ -5,6 +5,10 @@ title: Training on Secure Software Design slug: /checks/softwareDesignTraining --- + + + + ## Use Case - Incubating: expected @@ -23,12 +27,10 @@ It is considered `passed` if there is a record for the organization in the `soft ## Details -- Implementation Status: completed - Implementation Details: It is manual ([details](https://github.com/OpenPathfinder/visionBoard/issues/52)). - C-SCRM: false - Priority Group: P0 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/) - Sources: [OpenSSF Best Practices Badge Passing Level [know_secure_design]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/staticAppSecTesting.mdx b/docs/checks/staticAppSecTesting.mdx index 47a324d7..88dceddc 100644 --- a/docs/checks/staticAppSecTesting.mdx +++ b/docs/checks/staticAppSecTesting.mdx @@ -5,6 +5,14 @@ title: Use Static Application Security Testing for All Commits slug: /checks/staticAppSecTesting --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,12 +27,10 @@ All Commits are Scanned by a Static Application Security Testing Tool ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P6 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html) - Sources: [OWASP SCVS L1 6.6OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast) - How To: [CodeQL Docs](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/staticCodeAnalysis.mdx b/docs/checks/staticCodeAnalysis.mdx index 26d4a6a3..9940a353 100644 --- a/docs/checks/staticCodeAnalysis.mdx +++ b/docs/checks/staticCodeAnalysis.mdx @@ -5,6 +5,14 @@ title: Use Automated Static Code Analysis Tools slug: /checks/staticCodeAnalysis --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ Use an Automated Static Code Analysis Tool (eg: ESLInt) ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P6 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html) - Sources: [OWASP SCVS L1 5.1](https://scvs.owasp.org/scvs/v5-component-analysis/) - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/twoOrMoreOwnersForAccess.mdx b/docs/checks/twoOrMoreOwnersForAccess.mdx index 82205927..ba325a21 100644 --- a/docs/checks/twoOrMoreOwnersForAccess.mdx +++ b/docs/checks/twoOrMoreOwnersForAccess.mdx 
@@ -5,6 +5,14 @@ title: Configure Two or more Owners for Access Continuity slug: /checks/twoOrMoreOwnersForAccess --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: +s + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ slug: /checks/twoOrMoreOwnersForAccess ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P4 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF Best Practices Badge Silver Level [access_continuity]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx index f35eae55..b8e97ef0 100644 --- a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx +++ b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx @@ -5,6 +5,14 @@ title: Require Default Branch Updates Before Merging slug: /checks/upToDateDefaultBranchBeforeMerge --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,11 +27,9 @@ Default Branch must be Up to Date before Merging ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P9 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/upgradePathDocs.mdx b/docs/checks/upgradePathDocs.mdx index eb7a578b..ea328a6b 100644 --- a/docs/checks/upgradePathDocs.mdx +++ b/docs/checks/upgradePathDocs.mdx @@ -5,6 +5,14 @@ title: Support Older Versions or Provide Upgrade Paths slug: /checks/upgradePathDocs --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,10 +27,8 @@ Commonly Used Older Versions Supported or Upgrade Path Provided/Documented ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P12 - Sources: [OpenSSF Best Practices Badge Silver Level [maintenance_or_update]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/useCVDToolForVulns.mdx b/docs/checks/useCVDToolForVulns.mdx index b24030b9..f80e9958 100644 --- a/docs/checks/useCVDToolForVulns.mdx +++ b/docs/checks/useCVDToolForVulns.mdx @@ -5,6 +5,14 @@ title: Use CVD Tools to Manage Vulnerability Reports slug: /checks/useCVDToolForVulns --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -19,11 +27,9 @@ Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private) - How To: [Github Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/useHwKeyGithubAccess.mdx b/docs/checks/useHwKeyGithubAccess.mdx index b945cba3..a1287cd5 100644 --- a/docs/checks/useHwKeyGithubAccess.mdx +++ b/docs/checks/useHwKeyGithubAccess.mdx @@ -5,6 +5,14 @@ title: Use AAL2/3 Passkeys for GitHub Access slug: /checks/useHwKeyGithubAccess --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -18,12 +26,10 @@ slug: /checks/useHwKeyGithubAccess ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/useHwKeyGithubNonInteractive.mdx b/docs/checks/useHwKeyGithubNonInteractive.mdx index 23ff09d7..19169d0e 100644 --- a/docs/checks/useHwKeyGithubNonInteractive.mdx 
+++ b/docs/checks/useHwKeyGithubNonInteractive.mdx @@ -5,6 +5,14 @@ title: Use AAL2/3 Passkeys for Non-Interactive GitHub Access slug: /checks/useHwKeyGithubNonInteractive --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,12 +27,10 @@ Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activat ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/useHwKeyOtherContexts.mdx b/docs/checks/useHwKeyOtherContexts.mdx index 1a45d8c6..6c88e701 100644 --- a/docs/checks/useHwKeyOtherContexts.mdx +++ b/docs/checks/useHwKeyOtherContexts.mdx @@ -5,6 +5,14 @@ title: Use AAL2/3 Passkeys in All Other Contexts slug: /checks/useHwKeyOtherContexts --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,11 +27,9 @@ All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates u ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + 
diff --git a/docs/checks/verifiedActionsOnly.mdx b/docs/checks/verifiedActionsOnly.mdx index b34624d6..971881aa 100644 --- a/docs/checks/verifiedActionsOnly.mdx +++ b/docs/checks/verifiedActionsOnly.mdx @@ -5,6 +5,14 @@ title: Limit GitHub Actions to Verified or Trusted Actions slug: /checks/verifiedActionsOnly --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected @@ -19,12 +27,10 @@ GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: P10 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html) - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/vulnResponse14Days.mdx b/docs/checks/vulnResponse14Days.mdx index 349434ce..45d69711 100644 --- a/docs/checks/vulnResponse14Days.mdx +++ b/docs/checks/vulnResponse14Days.mdx @@ -5,6 +5,14 @@ title: Respond to External Vulnerability Reports in Under 14 Days slug: /checks/vulnResponse14Days --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: expected 
@@ -18,10 +26,8 @@ slug: /checks/vulnResponse14Days ## Details -- Implementation Status: pending - C-SCRM: false - Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]](https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/checks/workflowSecurityScanner.mdx b/docs/checks/workflowSecurityScanner.mdx index 2e9f75bd..ba5b3346 100644 --- a/docs/checks/workflowSecurityScanner.mdx +++ b/docs/checks/workflowSecurityScanner.mdx @@ -5,6 +5,14 @@ title: Use Workflow Security Scanners slug: /checks/workflowSecurityScanner --- + +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: + + ## Use Case - Incubating: recommended @@ -19,12 +27,10 @@ Use a Workflow Security Scanner ## Details -- Implementation Status: pending - C-SCRM: true - Priority Group: R2 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) - How To: [Step Security secure-repo](https://github.com/step-security/secure-repo) -- Created at 2024-12-22T05:21:43.514Z -- Updated at 2024-12-22T05:21:43.514Z + diff --git a/docs/projects/fortSphere/about.md b/docs/projects/fortSphere/about.md index 1c514dd2..a52c25c6 100644 --- a/docs/projects/fortSphere/about.md +++ b/docs/projects/fortSphere/about.md @@ -9,7 +9,7 @@ slug: /fortSphere # fortSphere -Fortify your Digital Sphere, once command at a time +Fortify your Digital Sphere, one command at a time --- diff --git a/docs/projects/fortSphere/usage.md b/docs/projects/fortSphere/usage.md index f8dbd199..07a82889 100644 --- a/docs/projects/fortSphere/usage.md +++ b/docs/projects/fortSphere/usage.md 
@@ -5,10 +5,11 @@ slug: /fortSphere/usage --- -🫠 If you are not familiar with the tool [checkout this demo](/docs/fortSphere#demo) - +:::tip +If you are not familiar with the tool [checkout this demo](/docs/fortSphere#demo-walkthrough) +::: ### Version Command diff --git a/scripts/populate-checks.js b/scripts/populate-checks.js index b4a2267a..c72e893b 100644 --- a/scripts/populate-checks.js +++ b/scripts/populate-checks.js @@ -3,6 +3,8 @@ const { updateOrCreateSegment } = require('@ulisesgascon/text-tags-manager') const path = require('path') const checks = require('../data/checks.json') +const bannerContentStartTag = '' +const bannerContentEndTag = '' const levelsStartTag = '' const levelsEndTag = '' const descriptionStartTag = '' @@ -44,7 +46,6 @@ const renderDetails = (check) => { const sourcesDetails = addContent('Sources', check.sources_description, check.sources_url) const howToDetails = addContent('How To', check.how_to_description, check.how_to_url) let content = '## Details\n' - content += `- Implementation Status: ${check.implementation_status}\n` if (implementationDetails) { content += `${implementationDetails}\n` } @@ -59,8 +60,6 @@ const renderDetails = (check) => { if (howToDetails) { content += `${howToDetails}\n` } - content += `- Created at ${check.created_at}\n` - content += `- Updated at ${check.updated_at}` return content } 
@@ -78,12 +77,25 @@ slug: /checks/${check.code_name} - Retiring: ${check.level_retiring_status} `.trim() //@TODO: Remove adhoc check for description when https://github.com/OpenPathfinder/visionBoard/issues/159 is fixed - const descriptionContent = `## Description + const bannerContent = check.implementation_status === 'completed' ? '' : ` +:::tip + +This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute). + +::: +`.trim() + +const descriptionContent = ` +## Description ${!check.description.includes('<') && !check.description.startsWith('{') ? check.description : ''}`.trim() const detailsContent = renderDetails(check) let fileContent = `${metadata} +${bannerContentStartTag} +${bannerContent} +${bannerContentEndTag} + ## Use Case ${levelsStartTag} ${levelsContent} @@ -100,6 +112,12 @@ ${detailsEndTag} const updateContent = (currentContent) => { fileContent = currentContent replaceMetadata(fileContent, metadata) + fileContent = updateOrCreateSegment({ + original: fileContent, + replacementSegment: bannerContent, + startTag: bannerContentStartTag, + endTag: bannerContentEndTag + }) fileContent = updateOrCreateSegment({ original: fileContent, replacementSegment: levelsContent, diff --git a/src/pages/contribute.md b/src/pages/contribute.md new file mode 100644 index 00000000..04b0095e --- /dev/null +++ b/src/pages/contribute.md @@ -0,0 +1,5 @@ +--- +title: Contribute +--- + +# Contribute \ No newline at end of file diff --git a/src/pages/index.js b/src/pages/index.js index 4ea0846f..b81563fe 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -23,7 +23,7 @@ export default function Home() {
Get Started @@ -36,27 +36,27 @@ export default function Home() {

Our Projects

- + VisionBoard Logo - +

VisionBoard

Transforming Data into Actionable Insights

- + FortSphere Logo - +

FortSphere

Fortify Your Digital Sphere, One Command at a Time

@@ -73,7 +73,7 @@ export default function Home() {

Read the Docs diff --git a/src/pages/markdown-page.md b/src/pages/markdown-page.md deleted file mode 100644 index 9756c5b6..00000000 --- a/src/pages/markdown-page.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Markdown page example ---- - -# Markdown page example - -You don't need React to write simple standalone pages. diff --git a/src/pages/sponsors.md b/src/pages/sponsors.md new file mode 100644 index 00000000..b0c37ad8 --- /dev/null +++ b/src/pages/sponsors.md @@ -0,0 +1,5 @@ +--- +title: Sponsors +--- + +# Sponsors \ No newline at end of file
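Review bot: in the `docs/checks/twoOrMoreOwnersForAccess.mdx` hunk the added banner has a stray line `+s` after the closing `+:::`, so the rendered page will show a lone "s" under the admonition. Since these `.mdx` files are produced by `scripts/populate-checks.js` (whose `bannerContent` template ends at `:::`), this looks like a hand edit after generation; re-run the populate script and commit its output rather than fixing the line by hand, and consider a CI step that fails when regenerating the docs produces a diff.

Review bot: in the second `scripts/populate-checks.js` hunk the `//@TODO: Remove adhoc check for description when .../issues/159 is fixed` comment now sits above the new `const bannerContent = ...` block instead of the `descriptionContent` assignment it refers to, and `const descriptionContent` has lost its indentation inside the function. Move the TODO back to directly above `descriptionContent` and re-indent. Also, `check.implementation_status === 'completed'` is the only place that status value appears in the diff (the removed lines only show `pending`); extracting the string to a named constant, or validating the status against the set of values used in `data/checks.json`, would prevent a silent typo from marking every check as "under development".

Review bot: every pending check now links "Click here to learn how you can help" to `/contribute`, but the `src/pages/contribute.md` added in this patch contains only the front matter and a `# Contribute` heading (and no trailing newline, as the `\ No newline at end of file` marker shows; `src/pages/sponsors.md` has the same issue). Either add at least a short pointer to the repository and issue tracker on that page before shipping the banner, or have the banner link straight to the upstream contributing guide until the page has content.

Review bot: in the `docs/checks/allCommitsScannedSAST.mdx` hunk the unchanged context line `- Sources: [OWASP SCVS L1 6.6OpenSSF Scorecard](...)` has two source labels run together with no separator and only one URL. This line is generated from `sources_description`/`sources_url` in `data/checks.json`, so the fix belongs in that data entry (two separate sources, or one label with its matching URL), not in the `.mdx`.

Review bot: in the `docs/projects/fortSphere/usage.md` hunk the demo link target changes from `#demo` to `#demo-walkthrough`, but the `about.md` hunk in this patch does not show the heading that would produce that anchor. Please confirm `about.md` has a heading rendering to `demo-walkthrough`, otherwise the tip now points at a dead fragment.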