diff --git a/data/checks.json b/data/checks.json
index 45dab5a4..fa4bd5d6 100644
--- a/data/checks.json
+++ b/data/checks.json
@@ -1,16 +1,13 @@
 [
   {
     "id": 2,
-    "title": "Training on OWASP Top 10 or Equivalent",
-    "description": "At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Training on OWASP Top 10 or equivalent",
+    "description": "At least one primary maintainer has taken the training on OWASP Top 10 or Equivalent",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "owaspTop10Training",
-    "priority_group": "P0",
+    "default_priority_group": "P0",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://attack.mitre.org/mitigations/M1013/",
     "mitre_description": "M1013",
     "how_to_url": null,
@@ -20,22 +17,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/owaspTop10Training",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/owaspTop10Training",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 4,
-    "title": "Enforce MFA in npm Organization(s)",
-    "description": "Multi Factor Authentication (MFA) Enforced Across the npm Organization",
-    "section_number": "1",
-    "section_name": "user authentication",
+    "title": "Enforce MFA in npm organization(s)",
+    "description": "Multi Factor Authentication (MFA) enforced across the npm organization(s)",
+    "default_section_number": "1",
+    "default_section_name": "user authentication",
     "code_name": "npmOrgMFA",
-    "priority_group": "P1",
+    "default_priority_group": "P1",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
     "mitre_description": "CWE-308",
     "how_to_url": "https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization",
@@ -45,22 +39,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/npmOrgMFA",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/npmOrgMFA",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 5,
     "title": "Enforce MFA in all the tools",
-    "description": "Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible",
-    "section_number": "1",
-    "section_name": "user authentication",
+    "description": "Multi Factor Authentication (MFA) enforced in all tools wherever technically feasible",
+    "default_section_number": "1",
+    "default_section_name": "user authentication",
     "code_name": "orgToolingMFA",
-    "priority_group": "P1",
+    "default_priority_group": "P1",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
     "mitre_description": "CWE-308",
     "how_to_url": null,
@@ -70,22 +61,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/orgToolingMFA",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/orgToolingMFA",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 6,
     "title": "Use MFA against impersonation",
-    "description": "Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available ",
-    "section_number": "1",
-    "section_name": "user authentication",
+    "description": "Use Multi Factor Authentication (MFA) methods that defend against impersonation when available ",
+    "default_section_number": "1",
+    "default_section_name": "user authentication",
     "code_name": "MFAImpersonationDefense",
-    "priority_group": "P1",
+    "default_priority_group": "P1",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/290.html",
     "mitre_description": "CWE-290",
     "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa",
@@ -95,22 +83,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/MFAImpersonationDefense",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/MFAImpersonationDefense",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 7,
     "title": "Check sensitive information",
-    "description": "No Secrets and Credentials in Source Code",
-    "section_number": "3",
-    "section_name": "service authentication",
+    "description": "No secrets or credentials are included in the source code",
+    "default_section_number": "3",
+    "default_section_name": "service authentication",
     "code_name": "noSensitiveInfoInRepositories",
-    "priority_group": "P2",
+    "default_priority_group": "P2",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/540.html",
     "mitre_description": "CWE-540",
     "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
@@ -120,22 +105,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/noSensitiveInfoInRepositories",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/noSensitiveInfoInRepositories",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 8,
     "title": "Ensure that the secrets are injected at runtime",
     "description": "Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)",
-    "section_number": "3",
-    "section_name": "service authentication",
+    "default_section_number": "3",
+    "default_section_name": "service authentication",
     "code_name": "injectedSecretsAtRuntime",
-    "priority_group": "P2",
+    "default_priority_group": "P2",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/538.html",
     "mitre_description": "CWE-538",
     "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization",
@@ -145,22 +127,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/injectedSecretsAtRuntime",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/injectedSecretsAtRuntime",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 9,
     "title": "Ensure that all the commits are scanned",
-    "description": "All Commits are Scanned for Secrets and Credentials ",
-    "section_number": "7",
-    "section_name": "code quality",
+    "description": "All commits are scanned for secrets and credentials ",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "scanCommitsForSensitiveInfo",
-    "priority_group": "P2",
+    "default_priority_group": "P2",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/540.html",
     "mitre_description": "CWE-540",
     "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
@@ -170,22 +149,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/scanCommitsForSensitiveInfo",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/scanCommitsForSensitiveInfo",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 10,
-    "title": "Block New Commits with Secrets or Credentials",
-    "description": "New Commits Containing Secrets or Credentials are Blocked from Merging",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Block new commits with secrets or credentials",
+    "description": "New commits containing secrets or credentials are blocked from merging",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "preventLandingSensitiveCommits",
-    "priority_group": "P2",
+    "default_priority_group": "P2",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/358.html",
     "mitre_description": "CWE-358",
     "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
@@ -195,22 +171,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/preventLandingSensitiveCommits",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/preventLandingSensitiveCommits",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 11,
-    "title": "Use SSH Keys with Passphrases for Repository Access",
+    "title": "Use SSH keys with passphrases for repository access",
     "description": "Use SSH keys for developer access to source code repositories and use a passphrase",
-    "section_number": "1",
-    "section_name": "user authentication",
+    "default_section_number": "1",
+    "default_section_name": "user authentication",
     "code_name": "SSHKeysRequired",
-    "priority_group": "P3",
+    "default_priority_group": "P3",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/309.html",
     "mitre_description": "CWE-309",
     "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh",
@@ -220,22 +193,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/SSHKeysRequired",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/SSHKeysRequired",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 12,
-    "title": "Publish to npm Using MFA-Enabled Accounts",
+    "title": "Publish to npm using MFA-Enabled accounts",
     "description": "Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens",
-    "section_number": "3",
-    "section_name": "service authentication",
+    "default_section_number": "3",
+    "default_section_name": "service authentication",
     "code_name": "npmPublicationMFA",
-    "priority_group": "P3",
+    "default_priority_group": "P3",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
     "mitre_description": "CWE-308",
     "how_to_url": null,
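Review bot: The re-cased title for id 12 still carries a capitalised word, `"title": "Publish to npm using MFA-Enabled accounts"`, while the line below it in the same entry already uses the lowercase form `MFA-enabled`; the new title should read `"Publish to npm using MFA-enabled accounts"`. The same residue appears in the hunk at @@ -420 (`"within 30 Days"` versus the `"within 90 days"` written in the next hunk) and in the hunk at @@ -245, where the new title keeps `Webhooks` capitalised and the new description still spells `Github` while the other rewritten lines in this commit normalise to `GitHub`. Since the commit's purpose is to normalise the casing of these strings, a single pass with a consistent rule would avoid a follow-up that touches the same lines again.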
@@ -245,22 +215,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/npmPublicationMFA",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/npmPublicationMFA",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 13,
-    "title": "Secure GitHub Webhooks with Secrets",
-    "description": "Github Webhooks Use Secrets",
-    "section_number": "3",
-    "section_name": "service authentication",
+    "title": "Secure GitHub Webhooks with secrets",
+    "description": "Ensure that Github Webhooks use secrets",
+    "default_section_number": "3",
+    "default_section_name": "service authentication",
     "code_name": "githubWebhookSecrets",
-    "priority_group": "P3",
+    "default_priority_group": "P3",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/306",
     "mitre_description": "CWE-306",
     "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions",
@@ -270,22 +237,41 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWebhookSecrets",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/githubWebhookSecrets",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
+  },
+  {
+    "id": 67,
+    "title": "Require code owners review",
+    "description": "Require code owners review",
+    "default_section_number": "8",
+    "default_section_name": "code review",
+    "code_name": "requireCodeOwnersReviewForLargeTeams",
+    "default_priority_group": "R6",
+    "is_c_scrm": true,
+    "mitre_url": "https://capec.mitre.org/data/definitions/670.html",
+    "mitre_description": "CAPEC-670",
+    "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
+    "how_to_description": "Github Docs",
+    "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
+    "sources_description": "OpenSSF Scorecard",
+    "implementation_status": "pending",
+    "implementation_type": null,
+    "implementation_details_reference": null,
+    "details_url": "https://openpathfinder.com/docs/checks/requireCodeOwnersReviewForLargeTeams",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 14,
-    "title": "Restrict Default GitHub Org Member Permissions",
-    "description": "Default Github Org Member Permissions Should Be Restricted",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "title": "Restrict default GitHub Org member permissions",
+    "description": "Default GitHub organization member permissions should be restricted",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "restrictedOrgPermissions",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://capec.mitre.org/data/definitions/180.html",
     "mitre_description": "CAPEC-180",
     "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization",
@@ -295,22 +281,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictedOrgPermissions",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/restrictedOrgPermissions",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 15,
-    "title": "Allow Only Admins to Create Public Repositories",
-    "description": "Only Admins Should Be Able To Create Public Repositories",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "title": "Allow only admins to create public repositories",
+    "description": "Only admins should be able to create public repositories",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "adminRepoCreationOnly",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://capec.mitre.org/data/definitions/122.html",
     "mitre_description": "CAPEC-122",
     "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization",
@@ -320,22 +303,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/adminRepoCreationOnly",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/adminRepoCreationOnly",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 16,
-    "title": "Prevent Admins from Bypassing Branch Protection",
-    "description": "[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "title": "Prevent admins from bypassing branch protection",
+    "description": "Do not allow admins to bypass branch protection settings",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "preventBranchProtectionBypass",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://capec.mitre.org/data/definitions/122.html",
     "mitre_description": "CAPEC-122",
     "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings",
@@ -345,22 +325,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/preventBranchProtectionBypass",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/preventBranchProtectionBypass",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 17,
-    "title": "Define Roles Aligned to Functional Responsibilities",
+    "title": "Define roles aligned to functional responsibilities",
     "description": "Define roles aligned to functional responsibilities",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "defineFunctionalRoles",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://capec.mitre.org/data/definitions/122.html",
     "mitre_description": "CAPEC-122",
     "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization",
@@ -370,22 +347,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/defineFunctionalRoles",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/defineFunctionalRoles",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 18,
-    "title": "Define Teams/Individuals with Write Access to Repositories",
-    "description": "Define Individuals/Teams who Write Access to a Github Repo",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "title": "Define teams/individuals with write access to repositories",
+    "description": "Define individuals/teams who write access to a GitHub Repository",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "githubWriteAccessRoles",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://capec.mitre.org/data/definitions/180.html",
     "mitre_description": "CAPEC-180",
     "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization",
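Review bot: The rewritten description for id 18 is still ungrammatical: `"description": "Define individuals/teams who write access to a GitHub Repository"` is missing the verb and keeps a stray capital on "Repository" even though the rest of the line was lower-cased. Since the line is being rewritten anyway, it should read `"description": "Define the individuals/teams who have write access to a GitHub repository"`. This is user-facing text that ends up on the check's details page, so it is worth fixing in the same commit rather than carrying the old wording forward.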
@@ -395,22 +369,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWriteAccessRoles",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/githubWriteAccessRoles",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 19,
-    "title": "Configure Two or more Owners for Access Continuity",
-    "description": "[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity",
-    "section_number": "2",
-    "section_name": "user account permissions",
+    "title": "Configure two or more owners for access continuity",
+    "description": "Have at least two owners configured for access continuity",
+    "default_section_number": "2",
+    "default_section_name": "user account permissions",
     "code_name": "twoOrMoreOwnersForAccess",
-    "priority_group": "P4",
+    "default_priority_group": "P4",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://attack.mitre.org/mitigations/M1026/",
     "mitre_description": "M1026",
     "how_to_url": "https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization",
@@ -420,22 +391,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/twoOrMoreOwnersForAccess",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/twoOrMoreOwnersForAccess",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 20,
-    "title": "Patch Actively Exploited Critical Vulnerabilities within 30 Days",
-    "description": "Actively Exploited Critical Vulnerabilities Patched within 30 Days",
-    "section_number": "5",
-    "section_name": "vulnerability management",
+    "title": "Patch actively exploited critical vulnerabilities within 30 Days",
+    "description": "Actively exploited critical vulnerabilities patched within 30 Days",
+    "default_section_number": "5",
+    "default_section_name": "vulnerability management",
     "code_name": "patchCriticalVulns30Days",
-    "priority_group": "P5",
+    "default_priority_group": "P5",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": null,
     "mitre_description": null,
     "how_to_url": null,
@@ -445,22 +413,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/patchCriticalVulns30Days",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/patchCriticalVulns30Days",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 21,
-    "title": "Patch Non-Critical Vulnerabilities within 90 Days",
-    "description": "Non-Critical Exploitable Vulnerabilities Patched within 90 Days",
-    "section_number": "5",
-    "section_name": "vulnerability management",
+    "title": "Patch non-critical vulnerabilities within 90 days",
+    "description": "Ensure non-critical exploitable vulnerabilities are patched within 90 days",
+    "default_section_number": "5",
+    "default_section_name": "vulnerability management",
     "code_name": "patchNonCriticalVulns90Days",
-    "priority_group": "P5",
+    "default_priority_group": "P5",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": null,
     "mitre_description": null,
     "how_to_url": null,
@@ -470,22 +435,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/patchNonCriticalVulns90Days",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/patchNonCriticalVulns90Days",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 22,
-    "title": "Automate Dependency Vulnerability Identification",
-    "description": "An automated process to identify dependencies with publicly disclosed vulnerabilities",
-    "section_number": "11",
-    "section_name": "dependency management",
+    "title": "Automate dependency vulnerability identification",
+    "description": "Implement an automated process to identify dependencies with publicly disclosed vulnerabilities",
+    "default_section_number": "11",
+    "default_section_name": "dependency management",
     "code_name": "automateVulnDetection",
-    "priority_group": "P6",
+    "default_priority_group": "P6",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "expected",
     "mitre_url": "https://cwe.mitre.org/data/definitions/1395.html",
     "mitre_description": "CWE-1395",
     "how_to_url": "https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories",
@@ -495,22 +457,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/automateVulnDetection",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/automateVulnDetection",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 23,
-    "title": "Use Automated Static Code Analysis Tools",
-    "description": "Use an Automated Static Code Analysis Tool (eg: ESLInt)",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Use automated static code analysis tools",
+    "description": "Implement automated static code analysis tools (e.g., ESLint)",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "staticCodeAnalysis",
-    "priority_group": "P6",
+    "default_priority_group": "P6",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html",
     "mitre_description": "CWE-1076",
     "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage",
@@ -520,22 +479,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/staticCodeAnalysis",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/staticCodeAnalysis",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 24,
-    "title": "Address Compiler/Linter Warnings Before Merging",
-    "description": "Compilers/Linter Warnings Addressed in order to Merge",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Address compiler and linter warnings before merging",
+    "description": "Ensure all compiler and linter warnings are resolved before merging",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "resolveLinterWarnings",
-    "priority_group": "P6",
+    "default_priority_group": "P6",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/1127.html",
     "mitre_description": "CWE-1127",
     "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage",
@@ -545,22 +501,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/resolveLinterWarnings",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/resolveLinterWarnings",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 25,
-    "title": "Use Static Application Security Testing for All Commits",
-    "description": "All Commits are Scanned by a Static Application Security Testing Tool",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Use static application security testing for all commits",
+    "description": "Ensure all commits are scanned by a static application security testing tool",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "staticAppSecTesting",
-    "priority_group": "P6",
+    "default_priority_group": "P6",
     "is_c_scrm": false,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html",
     "mitre_description": "CWE-1076",
     "how_to_url": "https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql",
@@ -570,22 +523,19 @@
     "implementation_status": "pending",
     "implementation_type": null,
     "implementation_details_reference": null,
-    "details_url": "https://openjs-security-program-standards.netlify.app/details/staticAppSecTesting",
-    "created_at": "2024-12-22T05:21:43.514Z",
-    "updated_at": "2024-12-22T05:21:43.514Z"
+    "details_url": "https://openpathfinder.com/docs/checks/staticAppSecTesting",
+    "created_at": "2024-12-24T15:42:42.025Z",
+    "updated_at": "2024-12-24T15:42:42.025Z"
   },
   {
     "id": 26,
-    "title": "Require Commit Status Checks to Pass Before Merging",
-    "description": "All Required Commit Status Checks must pass before Merging",
-    "section_number": "7",
-    "section_name": "code quality",
+    "title": "Require commit status checks to pass before merging",
+    "description": "Ensure all required commit status checks pass before merging",
+    "default_section_number": "7",
+    "default_section_name": "code quality",
     "code_name": "commitStatusChecks",
-    "priority_group": "P6",
+    "default_priority_group": "P6",
     "is_c_scrm": true,
-    "level_incubating_status": "expected",
-    "level_active_status": "expected",
-    "level_retiring_status": "n/a",
     "mitre_url": "https://cwe.mitre.org/data/definitions/358.html",
     "mitre_description": "CWE-358",
     "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
@@ -595,22 +545,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/commitStatusChecks",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/commitStatusChecks",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 27,
- "title": "Ensure Security.md Meets OpenJS CVD Guidelines",
- "description": "Security.md Meets OpenJS CVD Guidelines ",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Ensure Security.md meets OpenJS CVD guidelines",
+ "description": "Verify that Security.md complies with OpenJS CVD guidelines",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "securityMdMeetsOpenJSCVD",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -620,22 +567,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/securityMdMeetsOpenJSCVD",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/securityMdMeetsOpenJSCVD",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 28,
- "title": "Use CVD Tools to Manage Vulnerability Reports",
- "description": "Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Use CVD tools to manage vulnerability reports",
+ "description": "Ensure the project utilizes a CVD tool to privately receive and manage external vulnerability reports (e.g., HackerOne, GitHub PVR)",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "useCVDToolForVulns",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization",
@@ -645,22 +589,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/useCVDToolForVulns",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/useCVDToolForVulns",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 29,
- "title": "Respond to External Vulnerability Reports in Under 14 Days",
- "description": "All External Vulnerability Reports Responded to <14 Days",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Respond to external vulnerability reports in under 14 days",
+ "description": "Ensure all external vulnerability reports are addressed within 14 days",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "vulnResponse14Days",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
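Review bot: The rewritten description for `vulnResponse14Days` changes what the control requires: the old text asked that every external report be *responded to* within 14 days, while the new `"Ensure all external vulnerability reports are addressed within 14 days"` reads as a commitment to resolve or fix them in that window, which is a much stronger promise than the title (`Respond to external vulnerability reports in under 14 days`) makes and one most volunteer-maintained projects cannot honour. Suggest keeping the response semantics explicit, e.g. `"description": "Ensure every external vulnerability report receives an initial response from the maintainers within 14 days"`. The old wording was also strictly `<14 Days`; if the boundary matters to whatever evaluates this record, state it in the text rather than leaving "within" ambiguous.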
@@ -670,22 +611,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/vulnResponse14Days",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/vulnResponse14Days",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 30,
- "title": "Define Clear Communication and Incident Response Plans",
- "description": "Establish a Clear Communication and Incident Response Plan",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Define clear communication and incident response plans",
+ "description": "Establish clear communication and incident response plans",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "incidentResponsePlan",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -695,22 +633,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/incidentResponsePlan",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/incidentResponsePlan",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 31,
- "title": "Assign CVEs to All Known Security Vulnerabilities",
- "description": "All Known Security Vulnerabilities are Issued a CVE",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Assign CVEs to all known security vulnerabilities",
+ "description": "Ensure all known security vulnerabilities are issued a CVE",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "assignCVEForKnownVulns",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -720,22 +655,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/assignCVEForKnownVulns",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/assignCVEForKnownVulns",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 32,
- "title": "Include CVE IDs in Release Notes for Security Fixes",
- "description": "Release Notes must Include the CVE ID of Patched Security Vulnerabilities",
- "section_number": "6",
- "section_name": "coordinated vulnerability disclosure",
+ "title": "Include CVE IDs in release notes for security fixes",
+ "description": "Ensure release notes include the CVE ID for patched security vulnerabilities",
+ "default_section_number": "6",
+ "default_section_name": "coordinated vulnerability disclosure",
 "code_name": "includeCVEInReleaseNotes",
- "priority_group": "P7",
+ "default_priority_group": "P7",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -745,22 +677,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/includeCVEInReleaseNotes",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/includeCVEInReleaseNotes",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 33,
- "title": "Create Regression Tests for Bugs and Security Vulnerabilities",
- "description": "Regression Tests for => 50% of Bugs and 100% of Security Vulns",
- "section_number": "7",
- "section_name": "code quality",
+ "title": "Create regression tests for bugs and security vulnerabilities",
+ "description": "Ensure regression tests cover at least 50% of bugs and 100% of security vulnerabilities",
+ "default_section_number": "7",
+ "default_section_name": "code quality",
 "code_name": "regressionTestsForVulns",
- "priority_group": "P8",
+ "default_priority_group": "P8",
 "is_c_scrm": false,
- "level_incubating_status": "deferrable",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -770,22 +699,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/regressionTestsForVulns",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/regressionTestsForVulns",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 34,
- "title": "Set Default GitHub Workflow Token Permissions to Read Only",
- "description": "Github Org Default Workflow Token Permissions are Set to Read Only",
- "section_number": "4",
- "section_name": "github workflow permissions",
+ "title": "Set default GitHub workflow token permissions to read-only",
+ "description": "Ensure GitHub organization default workflow token permissions are set to read-only",
+ "default_section_number": "4",
+ "default_section_name": "github workflow permissions",
 "code_name": "defaultTokenPermissionsReadOnly",
- "priority_group": "P9",
+ "default_priority_group": "P9",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
 "mitre_description": "CWE-250",
 "how_to_url": null,
@@ -795,22 +721,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/defaultTokenPermissionsReadOnly",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/defaultTokenPermissionsReadOnly",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 35,
- "title": "Prevent Workflows from Creating or Approving PRs",
- "description": "Workflows are not Allowed To Create or Approve Pull Requests",
- "section_number": "4",
- "section_name": "github workflow permissions",
+ "title": "Prevent workflows from creating or approving PRs",
+ "description": "Ensure workflows are not allowed to create or approve pull requests",
+ "default_section_number": "4",
+ "default_section_name": "github workflow permissions",
 "code_name": "blockWorkflowPRApproval",
- "priority_group": "P9",
+ "default_priority_group": "P9",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
 "mitre_description": "CWE-250",
 "how_to_url": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests",
@@ -820,22 +743,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/blockWorkflowPRApproval",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/blockWorkflowPRApproval",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 36,
- "title": "Disable Force Push on Default Branch",
- "description": "Prevent Force Push on Default Branch",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Disable force push on default branch",
+ "description": "Ensure force push is disabled on the default branch",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "noForcePushDefaultBranch",
- "priority_group": "P9",
+ "default_priority_group": "P9",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
@@ -845,22 +765,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/noForcePushDefaultBranch",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/noForcePushDefaultBranch",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 37,
- "title": "Prevent Deletion of Default Branch",
- "description": "Prevent Default Branch Deletion",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Prevent deletion of default branch",
+ "description": "Ensure the default branch cannot be deleted",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "preventDeletionDefaultBranch",
- "priority_group": "P9",
+ "default_priority_group": "P9",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://cwe.mitre.org/data/definitions/267.html",
 "mitre_description": "CWE-267",
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
@@ -870,22 +787,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/preventDeletionDefaultBranch",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/preventDeletionDefaultBranch",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 38,
- "title": "Require Default Branch Updates Before Merging",
- "description": "Default Branch must be Up to Date before Merging",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Require default branch updates before merging",
+ "description": "Ensure the default branch is up to date before allowing merges",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "upToDateDefaultBranchBeforeMerge",
- "priority_group": "P9",
+ "default_priority_group": "P9",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
@@ -895,22 +809,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/upToDateDefaultBranchBeforeMerge",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/upToDateDefaultBranchBeforeMerge",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 39,
- "title": "Restrict GitHub Org Secrets to Specific Repositories",
- "description": "GitHub Organization Secrets are Restricted to Selected Repositories",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Restrict GitHub organization secrets to specific repositories",
+ "description": "Limit GitHub organization secrets to only be accessible by selected repositories",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "restrictOrgSecrets",
- "priority_group": "P10",
+ "default_priority_group": "P10",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
 "mitre_description": "CWE-250",
 "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository",
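Review bot: `restrictOrgSecrets` is written with `"default_section_number": "4"` and `"default_section_name": "github workflows"`, while the records for ids 34 and 35 earlier in this diff carry the same number `"4"` with the name `"github workflow permissions"`, so anything that groups checks by number and anything that groups by name will disagree about this section. The inconsistency predates the commit, but since the field is being renamed here it is the cheapest moment to settle on one label across all section-4 records. Separately, the `how_to_url` path (`managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository`) appears to describe repository-level Actions permissions rather than organization-secret repository access, so a maintainer following it may not land on the setting this check is about; worth confirming and, if so, swapping for the organization-secrets page as a follow-up.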
@@ -920,22 +831,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictOrgSecrets",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/restrictOrgSecrets",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 40,
- "title": "Limit GitHub Actions to Verified or Trusted Actions",
- "description": "GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Limit GitHub Actions to verified or trusted actions",
+ "description": "Ensure GitHub Actions are limited to verified or explicitly trusted actions",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "verifiedActionsOnly",
- "priority_group": "P10",
+ "default_priority_group": "P10",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html",
 "mitre_description": "CWE-1357",
 "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run",
@@ -945,22 +853,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/verifiedActionsOnly",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/verifiedActionsOnly",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 41,
- "title": "Disable Self-Hosted Runners in GitHub Org",
- "description": "Disable use of Self-Hosted Runners in Github Org",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Disable self-hosted runners in GitHub organization",
+ "description": "Ensure the use of self-hosted runners is disabled in the GitHub organization",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "noSelfHostedRunners",
- "priority_group": "P10",
+ "default_priority_group": "P10",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://capec.mitre.org/data/definitions/439.html",
 "mitre_description": "CAPEC-439",
 "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners",
@@ -970,22 +875,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/noSelfHostedRunners",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/noSelfHostedRunners",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 42,
- "title": "Restrict Build Pipeline Code Execution to Build Scripts",
- "description": "Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Restrict build pipeline code execution to build scripts",
+ "description": "Ensure the build pipeline cannot execute arbitrary code outside of a build script",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "noArbitraryCodeInPipeline",
- "priority_group": "P11",
+ "default_priority_group": "P11",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/94.html",
 "mitre_description": "CWE-94",
 "how_to_url": null,
@@ -995,22 +897,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/noArbitraryCodeInPipeline",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/noArbitraryCodeInPipeline",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 43,
- "title": "Limit Workflow Write Permissions to Job-Level",
- "description": "Only Allow Workflows Write Permissions at the Job-Level",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Limit workflow write permissions to job level",
+ "description": "Ensure workflows are granted write permissions only at the job level",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "limitWorkflowWritePermissions",
- "priority_group": "P11",
+ "default_priority_group": "P11",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
 "mitre_description": "CWE-250",
 "how_to_url": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions",
@@ -1020,22 +919,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/limitWorkflowWritePermissions",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/limitWorkflowWritePermissions",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 44,
- "title": "Avoid Script Injection from Untrusted Variables",
- "description": "Avoid Script Injection from Untrusted Context Variables",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Avoid script injection from untrusted variables",
+ "description": "Ensure script injection is prevented by avoiding untrusted context variables",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "preventScriptInjection",
- "priority_group": "P11",
+ "default_priority_group": "P11",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/454.html",
 "mitre_description": "CWE-454",
 "how_to_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
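Review bot: The new description for `preventScriptInjection`, `"Ensure script injection is prevented by avoiding untrusted context variables"`, tells maintainers the fix is to stop using the variables, but attacker-controlled context values (issue titles, PR bodies, branch names, commit messages) are routinely needed; the actual hazard is interpolating them with `${{ }}` directly into a `run:` script, and the standard mitigation is to pass them through `env:` and read the environment variable in the shell. The old text was vaguer but not wrong, whereas the new one points at the wrong remedy. Suggest `"description": "Ensure untrusted context values (e.g. issue titles, PR bodies, branch names) are never interpolated directly into run scripts; pass them through environment variables instead"`. The `how_to_url` presumably explains this, but the description is what a reader sees first.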
@@ -1045,22 +941,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/preventScriptInjection",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/preventScriptInjection",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 45,
- "title": "Document Consistent and Automated Build Processes",
- "description": "Consistent and Automated Build Process is Documented and Used",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Document consistent and automated build processes",
+ "description": "Ensure a consistent and automated build process is documented and followed",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "consistentBuildProcessDocs",
- "priority_group": "P12",
+ "default_priority_group": "P12",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/1068.html",
 "mitre_description": "CWE-1068",
 "how_to_url": null,
@@ -1070,22 +963,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/consistentBuildProcessDocs",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/consistentBuildProcessDocs",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 46,
- "title": "Support Older Versions or Provide Upgrade Paths",
- "description": "Commonly Used Older Versions Supported or Upgrade Path Provided/Documented",
- "section_number": "5",
- "section_name": "vulnerability management",
+ "title": "Support older versions or provide upgrade paths",
+ "description": "Ensure commonly used older versions are supported or an upgrade path is documented and provided",
+ "default_section_number": "5",
+ "default_section_name": "vulnerability management",
 "code_name": "upgradePathDocs",
- "priority_group": "P12",
+ "default_priority_group": "P12",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -1095,22 +985,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/upgradePathDocs",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/upgradePathDocs",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 47,
- "title": "Document Software Architecture",
- "description": "[For Projects with Two or more Maintainers] Document Software Architecture",
- "section_number": "8",
- "section_name": "code review",
+ "title": "Document software architecture",
+ "description": "Ensure the software architecture is clearly documented",
+ "default_section_number": "8",
+ "default_section_name": "code review",
 "code_name": "softwareArchitectureDocs",
- "priority_group": "P12",
+ "default_priority_group": "P12",
 "is_c_scrm": false,
- "level_incubating_status": "deferrable",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/1053.html",
 "mitre_description": "CWE-1053",
 "how_to_url": null,
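Review bot: The applicability qualifier `[For Projects with Two or more Maintainers]` was dropped from the `softwareArchitectureDocs` description at the same time the `level_*_status` fields were removed, so nothing left in this record says that single-maintainer projects are out of scope; any evaluation driven by this file would now flag them as failing a control that was never meant to apply to them. If the scope is still intended, keep it in the text, e.g. `"description": "For projects with two or more maintainers, ensure the software architecture is clearly documented"`, or move it into a dedicated applicability field if the new schema provides one (none is visible in this hunk). The other hunks in this diff that drop bracketed qualifiers deserve the same check.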
@@ -1120,22 +1007,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareArchitectureDocs",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/softwareArchitectureDocs",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 48,
- "title": "Automate CI/CD Steps in Code-Based Pipelines",
- "description": "CI/CD steps should all be automated through a pipeline defined as code",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Automate CI/CD steps in code-based pipelines",
+ "description": "Ensure all CI/CD steps are automated through pipelines defined as code",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "ciAndCdPipelineAsCode",
- "priority_group": "P12",
+ "default_priority_group": "P12",
 "is_c_scrm": true,
- "level_incubating_status": "deferrable",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages",
@@ -1145,22 +1029,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/ciAndCdPipelineAsCode",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/ciAndCdPipelineAsCode",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 49,
- "title": "Pin Actions with Secrets to Full-Length Commit SHAs",
- "description": "Pin Actions with Access to Secrets to a Full Length Commit SHA",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Pin actions with secrets to full-length commit SHAs",
+ "description": "Ensure actions with access to secrets are pinned to a full-length commit SHA",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "pinActionsToSHA",
- "priority_group": "P13",
+ "default_priority_group": "P13",
 "is_c_scrm": true,
- "level_incubating_status": "deferrable",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html",
 "mitre_description": "CWE-1357",
 "how_to_url": null,
@@ -1170,22 +1051,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/pinActionsToSHA",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/pinActionsToSHA",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 50,
- "title": "Automate Monitoring of Outdated Dependencies",
- "description": "Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies",
- "section_number": "10",
- "section_name": "dependency inventory",
+ "title": "Automate monitoring of outdated dependencies",
+ "description": "Ensure an automated process is in place to monitor and maintain a list of outdated dependencies",
+ "default_section_number": "10",
+ "default_section_name": "dependency inventory",
 "code_name": "automateDependencyManagement",
- "priority_group": "P14",
+ "default_priority_group": "P14",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://socket.dev/",
@@ -1195,22 +1073,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/automateDependencyManagement",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/automateDependencyManagement",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 51,
- "title": "Provide Machine-Readable Dependency Lists",
- "description": "[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software",
- "section_number": "10",
- "section_name": "dependency inventory",
+ "title": "Provide machine-readable dependency lists",
+ "description": "Ensure a machine-readable list of all direct and transitive dependencies is available for the software",
+ "default_section_number": "10",
+ "default_section_name": "dependency inventory",
 "code_name": "machineReadableDependencies",
- "priority_group": "P14",
+ "default_priority_group": "P14",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph",
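Review bot: The new description for id 51 drops the `[Freestanding Applications Only]` qualifier, so the record now reads as applying to every project, including libraries that do not normally ship a full transitive dependency list, and nothing else in the record carries that condition. The same scoping text is removed in the hunks for id 65 (`[Freestanding Applications Only]` and the `(Freestanding Apps)` title suffix), id 66 and id 68 (`[For Projects with Two or more Maintainers]`). If the applicability is intended to live elsewhere now, the commit message should say where; otherwise keep it in the text, e.g. `"description": "[Freestanding applications only] Ensure a machine-readable list of all direct and transitive dependencies is available for the software",`.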
@@ -1220,22 +1095,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/machineReadableDependencies",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/machineReadableDependencies",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 52,
- "title": "Uniquely Identify Modified Dependencies",
- "description": "Modified dependencies are uniquely identified and distinct from origin dependency",
- "section_number": "10",
- "section_name": "dependency inventory",
+ "title": "Uniquely identify modified dependencies",
+ "description": "Ensure modified dependencies are uniquely identified and clearly distinguished from the original dependency",
+ "default_section_number": "10",
+ "default_section_name": "dependency inventory",
 "code_name": "identifyModifiedDependencies",
- "priority_group": "P14",
+ "default_priority_group": "P14",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -1245,22 +1117,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/identifyModifiedDependencies",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/identifyModifiedDependencies",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 53,
- "title": "Refresh Dependencies with Annual Releases",
- "description": "A new release to refresh dependencies occurs at least annually",
- "section_number": "5",
- "section_name": "vulnerability management",
+ "title": "Refresh dependencies with annual releases",
+ "description": "Ensure dependencies are refreshed through a new release at least once annually",
+ "default_section_number": "5",
+ "default_section_name": "vulnerability management",
 "code_name": "annualDependencyRefresh",
- "priority_group": "P14",
+ "default_priority_group": "P14",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -1270,22 +1139,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/annualDependencyRefresh",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/annualDependencyRefresh",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 54,
- "title": "Use AAL2/3 Passkeys for GitHub Access",
- "description": "{\"url\":\"http://github.com/\",\"description\":\"Github.com\"}",
- "section_number": "1",
- "section_name": "user authentication",
+ "title": "Use AAL2/3 passkeys for GitHub access",
+ "description": "Ensure GitHub access utilizes a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics",
+ "default_section_number": "1",
+ "default_section_name": "user authentication",
 "code_name": "useHwKeyGithubAccess",
- "priority_group": "R1",
+ "default_priority_group": "R1",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
 "mitre_description": "CWE-308",
 "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey",
@@ -1295,22 +1161,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubAccess",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/useHwKeyGithubAccess",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 55,
- "title": "Use AAL2/3 Passkeys for Non-Interactive GitHub Access",
- "description": "Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics",
- "section_number": "1",
- "section_name": "user authentication",
+ "title": "Use AAL2/3 passkeys for non-interactive GitHub access",
+ "description": "Ensure non-interactive GitHub access uses a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics",
+ "default_section_number": "1",
+ "default_section_name": "user authentication",
 "code_name": "useHwKeyGithubNonInteractive",
- "priority_group": "R1",
+ "default_priority_group": "R1",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
 "mitre_description": "CWE-308",
 "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key",
@@ -1320,22 +1183,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubNonInteractive",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/useHwKeyGithubNonInteractive",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 56,
- "title": "Use AAL2/3 Passkeys in All Other Contexts",
- "description": "All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics",
- "section_number": "1",
- "section_name": "user authentication",
+ "title": "Use AAL2/3 passkeys in all other contexts",
+ "description": "Ensure all other contexts use a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics",
+ "default_section_number": "1",
+ "default_section_name": "user authentication",
 "code_name": "useHwKeyOtherContexts",
- "priority_group": "R1",
+ "default_priority_group": "R1",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
 "mitre_description": "CWE-308",
 "how_to_url": null,
@@ -1345,22 +1205,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyOtherContexts",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/useHwKeyOtherContexts",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 57,
- "title": "Require Approval for Forked Workflow Changes",
- "description": "Limit changes from forks to workflows by requiring approval for all outside collaborators",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Require approval for forked workflow changes",
+ "description": "Ensure changes to workflows from forks require approval for all outside collaborators",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "forkWorkflowApproval",
- "priority_group": "R2",
+ "default_priority_group": "R2",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://capec.mitre.org/data/definitions/180.html",
 "mitre_description": "CAPEC-180",
 "how_to_url": null,
@@ -1370,22 +1227,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/forkWorkflowApproval",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/forkWorkflowApproval",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 58,
- "title": "Use Workflow Security Scanners",
- "description": "Use a Workflow Security Scanner",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Use workflow security scanners",
+ "description": "Ensure a workflow security scanner is utilized",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "workflowSecurityScanner",
- "priority_group": "R2",
+ "default_priority_group": "R2",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://attack.mitre.org/mitigations/M1047/",
 "mitre_description": "M1047",
 "how_to_url": "https://github.com/step-security/secure-repo",
@@ -1395,22 +1249,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/workflowSecurityScanner",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/workflowSecurityScanner",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 59,
- "title": "Use GitHub Runner Security Scanners",
- "description": "Use a Github Runner Security Scanner",
- "section_number": "4",
- "section_name": "github workflows",
+ "title": "Use GitHub runner security scanners",
+ "description": "Ensure a GitHub runner security scanner is utilized",
+ "default_section_number": "4",
+ "default_section_name": "github workflows",
 "code_name": "runnerSecurityScanner",
- "priority_group": "R2",
+ "default_priority_group": "R2",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://attack.mitre.org/mitigations/M1047/",
 "mitre_description": "M1047",
 "how_to_url": "https://github.com/step-security/harden-runner",
@@ -1420,22 +1271,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/runnerSecurityScanner",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/runnerSecurityScanner",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 60,
- "title": "Require Active Admins in GitHub Org (Activity in 6 Months)",
- "description": "Github Organization Admins Should Have Activity In The Last 6 Months",
- "section_number": "2",
- "section_name": "user account permissions",
+ "title": "Require active admins in GitHub organization (activity in 6 months)",
+ "description": "Ensure GitHub organization admins have been active within the last 6 months",
+ "default_section_number": "2",
+ "default_section_name": "user account permissions",
 "code_name": "activeAdminsSixMonths",
- "priority_group": "R3",
+ "default_priority_group": "R3",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
 "mitre_url": "https://attack.mitre.org/mitigations/M1026/",
 "mitre_description": "M1026",
 "how_to_url": null,
@@ -1445,22 +1293,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/activeAdminsSixMonths",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/activeAdminsSixMonths",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 61,
- "title": "Require Active Members with Write Access (Activity in 6 Months)",
- "description": "Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months",
- "section_number": "2",
- "section_name": "user account permissions",
+ "title": "Require active members with write access (activity in 6 months)",
+ "description": "Ensure GitHub organization members with write permissions have been active within the last 6 months",
+ "default_section_number": "2",
+ "default_section_name": "user account permissions",
 "code_name": "activeWritersSixMonths",
- "priority_group": "R3",
+ "default_priority_group": "R3",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
 "mitre_url": "https://attack.mitre.org/mitigations/M1026/",
 "mitre_description": "M1026",
 "how_to_url": null,
@@ -1470,22 +1315,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/activeWritersSixMonths",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/activeWritersSixMonths",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 62,
- "title": "Require Pull Requests Before Merging",
- "description": "Require Pull Requests before Merging",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Require pull requests before merging",
+ "description": "Require pull requests before merging",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "PRsBeforeMerge",
- "priority_group": "R4",
+ "default_priority_group": "R4",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://cwe.mitre.org/data/definitions/778.html",
 "mitre_description": "CWE-778",
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging",
@@ -1495,22 +1337,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/PRsBeforeMerge",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/PRsBeforeMerge",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 63,
- "title": "Enforce Commit Signoff for Web-Based Commits",
- "description": "Github Org Requires Commit Signoff for Web-Based Commits",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Enforce commit sign-off for web based commits",
+ "description": "GitHub org requires commit sign-off for web-based commits",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "commitSignoffForWeb",
- "priority_group": "R4",
+ "default_priority_group": "R4",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization",
@@ -1520,22 +1359,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/commitSignoffForWeb",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/commitSignoffForWeb",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 64,
- "title": "Require Signed Commits",
- "description": "Require Signed Commits",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Require signed commits",
+ "description": "Require signed commits",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "requireSignedCommits",
- "priority_group": "R4",
+ "default_priority_group": "R4",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits",
@@ -1545,22 +1381,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/requireSignedCommits",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/requireSignedCommits",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 65,
- "title": "Include package-lock.json in Releases (Freestanding Apps)",
- "description": "[Freestanding Applications Only] Commit a package-lock.json file with each release",
- "section_number": "10",
- "section_name": "dependency inventory",
+ "title": "Include package-lock.json in releases",
+ "description": "Commit a package-lock.json file with each release",
+ "default_section_number": "10",
+ "default_section_name": "dependency inventory",
 "code_name": "includePackageLock",
- "priority_group": "R5",
+ "default_priority_group": "R5",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": "https://docs.npmjs.com/cli/v10/commands/npm-sbom",
@@ -1570,22 +1403,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/includePackageLock",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/includePackageLock",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 66,
- "title": "Require Two-Party Review (Two+ Maintainers)",
- "description": "[For Projects with Two or more Maintainers] Require Two Party Review",
- "section_number": "8",
- "section_name": "code review",
+ "title": "Require two-party review",
+ "description": "Require two party review",
+ "default_section_number": "8",
+ "default_section_name": "code review",
 "code_name": "requireTwoPartyReview",
- "priority_group": "R6",
+ "default_priority_group": "R6",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
 "mitre_url": "https://capec.mitre.org/data/definitions/670.html",
 "mitre_description": "CAPEC-670",
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging",
@@ -1595,47 +1425,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/requireTwoPartyReview",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
- },
- {
- "id": 67,
- "title": "Require Code Owners Review (Four+ Maintainers)",
- "description": "[For Projects with Four or more Maintainers] Require Code Owners Review",
- "section_number": "8",
- "section_name": "code review",
- "code_name": "requireCodeOwnersReviewForLargeTeams",
- "priority_group": "R6",
- "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
- "mitre_url": "https://capec.mitre.org/data/definitions/670.html",
- "mitre_description": "CAPEC-670",
- "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
- "how_to_description": "Github Docs",
- "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
- "sources_description": "OpenSSF Scorecard",
- "implementation_status": "pending",
- "implementation_type": null,
- "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/requireCodeOwnersReviewForLargeTeams",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/requireTwoPartyReview",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 68,
- "title": "Require Approved PRs for Mainline Commits (Two+ Maintainers)",
- "description": "[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches",
- "section_number": "9",
- "section_name": "source control",
+ "title": "Require approved PRs for mainline commits",
+ "description": "Require approved PRs for all commits to mainline branches",
+ "default_section_number": "9",
+ "default_section_name": "source control",
 "code_name": "requirePRApprovalForMainline",
- "priority_group": "R6",
+ "default_priority_group": "R6",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://capec.mitre.org/data/definitions/670.html",
 "mitre_description": "CAPEC-670",
 "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
@@ -1645,22 +1447,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/requirePRApprovalForMainline",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/requirePRApprovalForMainline",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 69,
- "title": "Limit GitHub Org Owners to Fewer Than Three",
- "description": "Limit Number of Github Org Owners (ideally Fewer Than Three)",
- "section_number": "2",
- "section_name": "user account permissions",
+ "title": "Limit GitHub org owners to fewer than three",
+ "description": "Limit the number of GitHub org owners (ideally fewer than three)",
+ "default_section_number": "2",
+ "default_section_name": "user account permissions",
 "code_name": "limitOrgOwners",
- "priority_group": "R7",
+ "default_priority_group": "R7",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://attack.mitre.org/mitigations/M1026/",
 "mitre_description": "M1026",
 "how_to_url": null,
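Review bot: Removing the id 67 record (`requireCodeOwnersReviewForLargeTeams`) leaves a gap in the id sequence while every later record keeps its id, which suggests this file seeds a table keyed by `id`. If that is the case, dropping the entry from the seed does not delete an existing row or anything that references it, and the commit gives no way to tell whether the check was retired or folded into id 66 (`requireTwoPartyReview`), whose new title and description also lose the maintainer-count qualifier. A sentence in the commit message, or a cleanup migration for id 67, would make the intent verifiable.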
@@ -1670,22 +1469,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/limitOrgOwners",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/limitOrgOwners",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 70,
- "title": "Limit GitHub Repo Admins to Fewer Than Three",
- "description": "Limit Number of Github Repository Admins (ideally Fewer Than Three)",
- "section_number": "2",
- "section_name": "user account permissions",
+ "title": "Limit GitHub repo admins to fewer than three",
+ "description": "Limit number of GitHub repository admins (ideally fewer than three)",
+ "default_section_number": "2",
+ "default_section_name": "user account permissions",
 "code_name": "limitRepoAdmins",
- "priority_group": "R7",
+ "default_priority_group": "R7",
 "is_c_scrm": true,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "recommended",
 "mitre_url": "https://capec.mitre.org/data/definitions/180.html",
 "mitre_description": "CAPEC-180",
 "how_to_url": null,
@@ -1695,22 +1491,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/limitRepoAdmins",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/limitRepoAdmins",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 71,
- "title": "Patch Critical/High Vulnerabilities in 14 Days",
- "description": "Actively Exploited Critical and High Vulnerabilities Patched within 14 Days",
- "section_number": "5",
- "section_name": "vulnerability management",
+ "title": "Patch critical/high vulnerabilities in 14 Days",
+ "description": "Actively exploited critical and high vulnerabilities patched within 14 Days",
+ "default_section_number": "5",
+ "default_section_name": "vulnerability management",
 "code_name": "patchExploitableHighVulns14Days",
- "priority_group": "R8",
+ "default_priority_group": "R8",
 "is_c_scrm": false,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
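Review bot: The new title and description for id 71 keep `14 Days` capitalised while every other rewritten title in this change is lower-cased after the first word; the id 72 hunk has the same `60 Days`, and the id 3 hunk writes `Multi Factor authentication` and `Github Organization(s)` in the description while its own title uses `GitHub`. Since the point of these rewrites is a consistent house style, it is worth finishing: `"title": "Patch critical/high vulnerabilities in 14 days",` and `"description": "Actively exploited critical and high vulnerabilities patched within 14 days",`, with the matching edits in the two other hunks.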
@@ -1720,22 +1513,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableHighVulns14Days",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/patchExploitableHighVulns14Days",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 72,
- "title": "Patch Non-Critical Vulnerabilities in 60 Days",
- "description": "Non-Critical Expoitable Vulnerabilities Patched within 60 Days",
- "section_number": "5",
- "section_name": "vulnerability management",
+ "title": "Patch non-critical vulnerabilities in 60 Days",
+ "description": "Non-critical exploitable vulnerabilities patched within 60 Days",
+ "default_section_number": "5",
+ "default_section_name": "vulnerability management",
 "code_name": "patchExploitableNoncCriticalVulns60Days",
- "priority_group": "R8",
+ "default_priority_group": "R8",
 "is_c_scrm": false,
- "level_incubating_status": "recommended",
- "level_active_status": "recommended",
- "level_retiring_status": "n/a",
 "mitre_url": null,
 "mitre_description": null,
 "how_to_url": null,
@@ -1745,22 +1535,19 @@
 "implementation_status": "pending",
 "implementation_type": null,
 "implementation_details_reference": null,
- "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableNoncCriticalVulns60Days",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/patchExploitableNoncCriticalVulns60Days",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 3,
- "title": "Enforce MFA in GitHub Organization(s)",
- "description": "Multi Factor Authentication (MFA) Enforced Across the Github Organization",
- "section_number": "1",
- "section_name": "user authentication",
+ "title": "Enforce MFA in GitHub organization(s)",
+ "description": "Multi Factor authentication (MFA) enforced across the Github Organization(s)",
+ "default_section_number": "1",
+ "default_section_name": "user authentication",
 "code_name": "githubOrgMFA",
- "priority_group": "P1",
+ "default_priority_group": "P1",
 "is_c_scrm": true,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://cwe.mitre.org/data/definitions/308.html",
 "mitre_description": "CWE-308",
 "how_to_url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
@@ -1770,22 +1557,19 @@
 "implementation_status": "completed",
 "implementation_type": "computed",
 "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/43",
- "details_url": "https://openjs-security-program-standards.netlify.app/details/githubOrgMFA",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/githubOrgMFA",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 },
 {
 "id": 1,
- "title": "Training on Secure Software Design",
- "description": "At least One Primary Maintainer has taken TBD Training on Secure Software Design",
- "section_number": "7",
- "section_name": "code quality",
+ "title": "Training on secure software design",
+ "description": "At least one primary maintainer has taken the training on Secure Software Design",
+ "default_section_number": "7",
+ "default_section_name": "code quality",
 "code_name": "softwareDesignTraining",
- "priority_group": "P0",
+ "default_priority_group": "P0",
 "is_c_scrm": false,
- "level_incubating_status": "expected",
- "level_active_status": "expected",
- "level_retiring_status": "expected",
 "mitre_url": "https://attack.mitre.org/mitigations/M1013/",
 "mitre_description": "M1013",
 "how_to_url": null,
@@ -1795,8 +1579,8 @@
 "implementation_status": "completed",
 "implementation_type": "manual",
 "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/52",
- "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareDesignTraining",
- "created_at": "2024-12-22T05:21:43.514Z",
- "updated_at": "2024-12-22T05:21:43.514Z"
+ "details_url": "https://openpathfinder.com/docs/checks/softwareDesignTraining",
+ "created_at": "2024-12-24T15:42:42.025Z",
+ "updated_at": "2024-12-24T15:42:42.025Z"
 }
 ]
\ No newline at end of file
diff --git a/docs/checks/MFAImpersonationDefense.mdx b/docs/checks/MFAImpersonationDefense.mdx index 56213769..80a0b090 100644 --- a/docs/checks/MFAImpersonationDefense.mdx +++ b/docs/checks/MFAImpersonationDefense.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available +Use Multi Factor Authentication (MFA) methods that defend against impersonation when available ## Details +- Default Category: user authentication +- Default Priority Group: P1 - C-SCRM: true -- Priority Group: P1 - Mitre: [CWE-290](https://cwe.mitre.org/data/definitions/290.html) - Sources: [OpenSSF Best Practices Badge Gold Level [secure_2FA]](https://www.bestpractices.dev/en/criteria/2#2.secure_2FA) - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa) diff --git a/docs/checks/PRsBeforeMerge.mdx b/docs/checks/PRsBeforeMerge.mdx index d45d27b4..b4e5dbd8 100644 --- a/docs/checks/PRsBeforeMerge.mdx +++ b/docs/checks/PRsBeforeMerge.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -Require Pull Requests before Merging +Require pull requests before merging ## Details +- Default Category: source control +- Default Priority Group: R4 - C-SCRM: true -- Priority Group: R4 - Mitre: [CWE-778](https://cwe.mitre.org/data/definitions/778.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) diff --git a/docs/checks/SSHKeysRequired.mdx b/docs/checks/SSHKeysRequired.mdx index 3c07d92b..1c598783 100644 --- a/docs/checks/SSHKeysRequired.mdx +++ b/docs/checks/SSHKeysRequired.mdx @@ -13,13 +13,6 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description Use SSH keys for developer access to source code repositories and use a passphrase @@ -27,8 +20,9 @@ Use SSH keys for developer access to source code repositories and use a passphra ## Details +- Default Category: user authentication +- Default Priority Group: P3 - C-SCRM: true -- Priority Group: P3 - Mitre: [CWE-309](https://cwe.mitre.org/data/definitions/309.html) - Sources: [CNCF SSCP v1.0 #192](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories) - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh) diff --git a/docs/checks/activeAdminsSixMonths.mdx b/docs/checks/activeAdminsSixMonths.mdx index 18defce4..4e5d1382 100644 
--- a/docs/checks/activeAdminsSixMonths.mdx +++ b/docs/checks/activeAdminsSixMonths.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: n/a - - ## Description -Github Organization Admins Should Have Activity In The Last 6 Months +Ensure GitHub organization admins have been active within the last 6 months ## Details +- Default Category: user account permissions +- Default Priority Group: R3 - C-SCRM: true -- Priority Group: R3 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html) diff --git a/docs/checks/activeWritersSixMonths.mdx b/docs/checks/activeWritersSixMonths.mdx index 6f3c2c41..2056f41d 100644 --- a/docs/checks/activeWritersSixMonths.mdx +++ b/docs/checks/activeWritersSixMonths.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: n/a - - ## Description -Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months +Ensure GitHub organization members with write permissions have been active within the last 6 months ## Details +- Default Category: user account permissions +- Default Priority Group: R3 - C-SCRM: true -- Priority Group: R3 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html) diff --git a/docs/checks/adminRepoCreationOnly.mdx b/docs/checks/adminRepoCreationOnly.mdx index 0d107cac..8c4c22f2 100644 --- a/docs/checks/adminRepoCreationOnly.mdx +++ b/docs/checks/adminRepoCreationOnly.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Only Admins Should Be Able To Create Public Repositories +Only admins should be able to create public repositories ## Details +- Default Category: user account permissions +- Default Priority Group: P4 - C-SCRM: true -- Priority Group: P4 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization) diff --git a/docs/checks/annualDependencyRefresh.mdx b/docs/checks/annualDependencyRefresh.mdx index aefff537..3f923eef 100644 --- a/docs/checks/annualDependencyRefresh.mdx +++ b/docs/checks/annualDependencyRefresh.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: n/a - - ## Description -A new release to refresh dependencies occurs at least annually +Ensure dependencies are refreshed through a new release at least once annually ## Details +- Default Category: vulnerability management +- Default Priority Group: P14 - C-SCRM: true -- Priority Group: P14 - Sources: [OpenSSF Best Practices Badge Passing Level [maintained]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained) diff --git a/docs/checks/assignCVEForKnownVulns.mdx b/docs/checks/assignCVEForKnownVulns.mdx index fae24a52..6eeadd8f 100644 --- a/docs/checks/assignCVEForKnownVulns.mdx +++ b/docs/checks/assignCVEForKnownVulns.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -All Known Security Vulnerabilities are Issued a CVE +Ensure all known security vulnerabilities are issued a CVE ## Details +- Default Category: coordinated vulnerability disclosure +- Default Priority Group: P7 - C-SCRM: true -- Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) diff --git a/docs/checks/automateDependencyManagement.mdx b/docs/checks/automateDependencyManagement.mdx index 0500d317..63ff3a5d 100644 --- a/docs/checks/automateDependencyManagement.mdx +++ b/docs/checks/automateDependencyManagement.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies +Ensure an automated process is in place to monitor and maintain a list of outdated dependencies ## Details +- Default Category: dependency inventory +- Default Priority Group: P14 - C-SCRM: true -- Priority Group: P14 - Sources: [OWASP SCVS L1 5.7](https://scvs.owasp.org/scvs/v5-component-analysis/) - How To: [Socket.Dev](https://socket.dev/) diff --git a/docs/checks/automateVulnDetection.mdx b/docs/checks/automateVulnDetection.mdx index 61bf552f..a7215745 100644 --- a/docs/checks/automateVulnDetection.mdx +++ b/docs/checks/automateVulnDetection.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -An automated process to identify dependencies with publicly disclosed vulnerabilities +Implement an automated process to identify dependencies with publicly disclosed vulnerabilities ## Details +- Default Category: dependency management +- Default Priority Group: P6 - C-SCRM: true -- Priority Group: P6 - Mitre: [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html) - Sources: [OWASP SCVS L1 5.4](https://scvs.owasp.org/scvs/v5-component-analysis/) - How To: [Github Docs](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) diff --git a/docs/checks/blockWorkflowPRApproval.mdx b/docs/checks/blockWorkflowPRApproval.mdx index 29a2b1e5..42970cb6 100644 --- a/docs/checks/blockWorkflowPRApproval.mdx +++ b/docs/checks/blockWorkflowPRApproval.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Workflows are not Allowed To Create or Approve Pull Requests +Ensure workflows are not allowed to create or approve pull requests ## Details +- Default Category: github workflow permissions +- Default Priority Group: P9 - C-SCRM: true -- Priority Group: P9 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) - How To: [Github Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests) 
diff --git a/docs/checks/ciAndCdPipelineAsCode.mdx b/docs/checks/ciAndCdPipelineAsCode.mdx index 2642f930..ab51db6f 100644 --- a/docs/checks/ciAndCdPipelineAsCode.mdx +++ b/docs/checks/ciAndCdPipelineAsCode.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: deferrable -- Active: expected -- Retiring: n/a - - ## Description -CI/CD steps should all be automated through a pipeline defined as code +Ensure all CI/CD steps are automated through pipelines defined as code ## Details +- Default Category: source control +- Default Priority Group: P12 - C-SCRM: true -- Priority Group: P12 - Sources: [CNCF SSCP 1.0 #158](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code) - How To: [Github Docs](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages) diff --git a/docs/checks/commitSignoffForWeb.mdx b/docs/checks/commitSignoffForWeb.mdx index 4228ef8a..4aa9ec5a 100644 --- a/docs/checks/commitSignoffForWeb.mdx +++ b/docs/checks/commitSignoffForWeb.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -Github Org Requires Commit Signoff for Web-Based Commits +GitHub org requires commit sign-off for web-based commits ## Details +- Default Category: source control +- Default Priority Group: R4 - C-SCRM: true -- Priority Group: R4 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization) diff --git a/docs/checks/commitStatusChecks.mdx b/docs/checks/commitStatusChecks.mdx index cc24c13c..aace7858 100644 --- a/docs/checks/commitStatusChecks.mdx +++ b/docs/checks/commitStatusChecks.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: n/a - - ## Description -All Required Commit Status Checks must pass before Merging +Ensure all required commit status checks pass before merging ## Details +- Default Category: code quality +- Default Priority Group: P6 - C-SCRM: true -- Priority Group: P6 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) diff --git a/docs/checks/consistentBuildProcessDocs.mdx b/docs/checks/consistentBuildProcessDocs.mdx index e0cfa030..324895da 100644 
--- a/docs/checks/consistentBuildProcessDocs.mdx +++ b/docs/checks/consistentBuildProcessDocs.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: n/a - - ## Description -Consistent and Automated Build Process is Documented and Used +Ensure a consistent and automated build process is documented and followed ## Details +- Default Category: github workflows +- Default Priority Group: P12 - C-SCRM: true -- Priority Group: P12 - Mitre: [CWE-1068](https://cwe.mitre.org/data/definitions/1068.html) diff --git a/docs/checks/defaultTokenPermissionsReadOnly.mdx b/docs/checks/defaultTokenPermissionsReadOnly.mdx index 2eb7b2a3..fc372579 100644 --- a/docs/checks/defaultTokenPermissionsReadOnly.mdx +++ b/docs/checks/defaultTokenPermissionsReadOnly.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: n/a - - ## Description -Github Org Default Workflow Token Permissions are Set to Read Only +Ensure GitHub organization default workflow token permissions are set to read-only ## Details +- Default Category: github workflow permissions +- Default Priority Group: P9 - C-SCRM: true -- Priority Group: P9 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) diff --git a/docs/checks/defineFunctionalRoles.mdx b/docs/checks/defineFunctionalRoles.mdx index 3d590278..7059741a 100644 --- a/docs/checks/defineFunctionalRoles.mdx +++ b/docs/checks/defineFunctionalRoles.mdx @@ -13,13 +13,6 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description Define roles aligned to functional responsibilities 
@@ -27,8 +20,9 @@ Define roles aligned to functional responsibilities ## Details +- Default Category: user account permissions +- Default Priority Group: P4 - C-SCRM: true -- Priority Group: P4 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) - Sources: [CNCF SSCP v1.0 #188](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) diff --git a/docs/checks/forkWorkflowApproval.mdx b/docs/checks/forkWorkflowApproval.mdx index 9d9d1e9b..13a3ec27 100644 --- a/docs/checks/forkWorkflowApproval.mdx +++ b/docs/checks/forkWorkflowApproval.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -Limit changes from forks to workflows by requiring approval for all outside collaborators +Ensure changes to workflows from forks require approval for all outside collaborators ## Details +- Default Category: github workflows +- Default Priority Group: R2 - C-SCRM: true -- Priority Group: R2 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) diff --git a/docs/checks/githubOrgMFA.mdx b/docs/checks/githubOrgMFA.mdx index e5ebffba..9b64f23e 100644 --- a/docs/checks/githubOrgMFA.mdx +++ b/docs/checks/githubOrgMFA.mdx 
@@ -9,16 +9,9 @@ slug: /checks/githubOrgMFA -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Multi Factor Authentication (MFA) Enforced Across the Github Organization +Multi Factor authentication (MFA) enforced across the Github Organization(s) ## Dashboard Inclusion @@ -27,9 +20,10 @@ We use the field `two_factor_requirement_enabled` from the GitHub Organization A ## Details +- Default Category: user authentication +- Default Priority Group: P1 - Implementation Details: It is computed ([details](https://github.com/OpenPathfinder/visionBoard/issues/43)). - C-SCRM: true -- Priority Group: P1 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) - Sources: [OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html) - How To: [Github Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) diff --git a/docs/checks/githubWebhookSecrets.mdx b/docs/checks/githubWebhookSecrets.mdx index 74fd54df..eee127d0 100644 --- a/docs/checks/githubWebhookSecrets.mdx +++ b/docs/checks/githubWebhookSecrets.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Github Webhooks Use Secrets +Ensure that Github Webhooks use secrets ## Details +- Default Category: service authentication +- Default Priority Group: P3 - C-SCRM: true -- Priority Group: P3 - Mitre: [CWE-306](https://cwe.mitre.org/data/definitions/306) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks) - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) diff --git a/docs/checks/githubWriteAccessRoles.mdx b/docs/checks/githubWriteAccessRoles.mdx index 0ab07f03..146ab226 100644 --- a/docs/checks/githubWriteAccessRoles.mdx +++ b/docs/checks/githubWriteAccessRoles.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Define Individuals/Teams who Write Access to a Github Repo +Define individuals/teams who write access to a GitHub Repository ## Details +- Default Category: user account permissions +- Default Priority Group: P4 - C-SCRM: true -- Priority Group: P4 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [CNCF SSCP v1.0 #185](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions) - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) diff --git a/docs/checks/identifyModifiedDependencies.mdx b/docs/checks/identifyModifiedDependencies.mdx index da5c7db3..d4582034 100644 
--- a/docs/checks/identifyModifiedDependencies.mdx +++ b/docs/checks/identifyModifiedDependencies.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Modified dependencies are uniquely identified and distinct from origin dependency +Ensure modified dependencies are uniquely identified and clearly distinguished from the original dependency ## Details +- Default Category: dependency inventory +- Default Priority Group: P14 - C-SCRM: true -- Priority Group: P14 - Sources: [OWASP SCVS L2 6.5](https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/) diff --git a/docs/checks/incidentResponsePlan.mdx b/docs/checks/incidentResponsePlan.mdx index 114da5f4..92328847 100644 --- a/docs/checks/incidentResponsePlan.mdx +++ b/docs/checks/incidentResponsePlan.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Establish a Clear Communication and Incident Response Plan +Establish clear communication and incident response plans ## Details +- Default Category: coordinated vulnerability disclosure +- Default Priority Group: P7 - C-SCRM: false -- Priority Group: P7 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/#operations) diff --git a/docs/checks/includeCVEInReleaseNotes.mdx b/docs/checks/includeCVEInReleaseNotes.mdx index 98e80a9b..b30af6c1 100644 --- a/docs/checks/includeCVEInReleaseNotes.mdx +++ b/docs/checks/includeCVEInReleaseNotes.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Release Notes must Include the CVE ID of Patched Security Vulnerabilities +Ensure release notes include the CVE ID for patched security vulnerabilities ## Details +- Default Category: coordinated vulnerability disclosure +- Default Priority Group: P7 - C-SCRM: false -- Priority Group: P7 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) diff --git a/docs/checks/includePackageLock.mdx b/docs/checks/includePackageLock.mdx index 6af1e87c..546dc400 100644 --- a/docs/checks/includePackageLock.mdx +++ b/docs/checks/includePackageLock.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -[Freestanding Applications Only] Commit a package-lock.json file with each release +Commit a package-lock.json file with each release ## Details +- Default Category: dependency inventory +- Default Priority Group: R5 - C-SCRM: true -- Priority Group: R5 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom) - How To: [npm Docs](https://docs.npmjs.com/cli/v10/commands/npm-sbom) diff --git a/docs/checks/injectedSecretsAtRuntime.mdx b/docs/checks/injectedSecretsAtRuntime.mdx index 810cde94..3679a9e9 100644 --- a/docs/checks/injectedSecretsAtRuntime.mdx +++ b/docs/checks/injectedSecretsAtRuntime.mdx 
@@ -13,13 +13,6 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets) @@ -27,8 +20,9 @@ Secrets are injected at runtime, such as environment variables or as a file (eg: ## Details +- Default Category: service authentication +- Default Priority Group: P2 - C-SCRM: true -- Priority Group: P2 - Mitre: [CWE-538](https://cwe.mitre.org/data/definitions/538.html) - Sources: [CNCF CNSWP 2.0 #195](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption) - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization) diff --git a/docs/checks/limitOrgOwners.mdx b/docs/checks/limitOrgOwners.mdx index c0d0f4c3..1677a62b 100644 --- a/docs/checks/limitOrgOwners.mdx +++ b/docs/checks/limitOrgOwners.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -Limit Number of Github Org Owners (ideally Fewer Than Three) +Limit the number of GitHub org owners (ideally fewer than three) ## Details +- Default Category: user account permissions +- Default Priority Group: R7 - C-SCRM: true -- Priority Group: R7 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html) diff --git a/docs/checks/limitRepoAdmins.mdx b/docs/checks/limitRepoAdmins.mdx index b30a8a81..2c38e385 100644 --- a/docs/checks/limitRepoAdmins.mdx +++ b/docs/checks/limitRepoAdmins.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: recommended -- Active: recommended -- Retiring: recommended - - ## Description -Limit Number of Github Repository Admins (ideally Fewer Than Three) +Limit number of GitHub repository admins (ideally fewer than three) ## Details +- Default Category: user account permissions +- Default Priority Group: R7 - C-SCRM: true -- Priority Group: R7 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html) diff --git a/docs/checks/limitWorkflowWritePermissions.mdx b/docs/checks/limitWorkflowWritePermissions.mdx index 577c842f..e227b094 100644 --- a/docs/checks/limitWorkflowWritePermissions.mdx +++ b/docs/checks/limitWorkflowWritePermissions.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -Only Allow Workflows Write Permissions at the Job-Level +Ensure workflows are granted write permissions only at the job level ## Details +- Default Category: github workflows +- Default Priority Group: P11 - C-SCRM: true -- Priority Group: P11 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) - How To: [Github Docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) diff --git a/docs/checks/machineReadableDependencies.mdx b/docs/checks/machineReadableDependencies.mdx index 91268fc5..9582bc92 100644 --- a/docs/checks/machineReadableDependencies.mdx +++ b/docs/checks/machineReadableDependencies.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: expected - - ## Description -[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software +Ensure a machine-readable list of all direct and transitive dependencies is available for the software ## Details +- Default Category: dependency inventory +- Default Priority Group: P14 - C-SCRM: true -- Priority Group: P14 - Sources: [OWASP SCVS L1 1.3](https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements) - How To: [Github Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph) diff --git a/docs/checks/noArbitraryCodeInPipeline.mdx b/docs/checks/noArbitraryCodeInPipeline.mdx index b92d4c16..674e537e 100644 --- a/docs/checks/noArbitraryCodeInPipeline.mdx +++ b/docs/checks/noArbitraryCodeInPipeline.mdx @@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t ::: -## Use Case - -- Incubating: expected -- Active: expected -- Retiring: n/a - - ## Description -Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script +Ensure the build pipeline cannot execute arbitrary code outside of a build script ## Details +- Default Category: github workflows +- Default Priority Group: P11 - C-SCRM: true -- Priority Group: P11 - Mitre: [CWE-94](https://cwe.mitre.org/data/definitions/94.html) - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) diff --git a/docs/checks/noForcePushDefaultBranch.mdx b/docs/checks/noForcePushDefaultBranch.mdx index 08f6961d..c46070f3 100644 --- a/docs/checks/noForcePushDefaultBranch.mdx +++ b/docs/checks/noForcePushDefaultBranch.mdx 
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Prevent Force Push on Default Branch
+Ensure force push is disabled on the default branch
 ## Details
+- Default Category: source control
+- Default Priority Group: P9
 - C-SCRM: true
-- Priority Group: P9
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
diff --git a/docs/checks/noSelfHostedRunners.mdx b/docs/checks/noSelfHostedRunners.mdx
index c65ffcc0..f8731728 100644
--- a/docs/checks/noSelfHostedRunners.mdx
+++ b/docs/checks/noSelfHostedRunners.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Disable use of Self-Hosted Runners in Github Org
+Ensure the use of self-hosted runners is disabled in the GitHub organization
 ## Details
+- Default Category: github workflows
+- Default Priority Group: P10
 - C-SCRM: true
-- Priority Group: P10
 - Mitre: [CAPEC-439](https://capec.mitre.org/data/definitions/439.html)
 - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)
diff --git a/docs/checks/noSensitiveInfoInRepositories.mdx b/docs/checks/noSensitiveInfoInRepositories.mdx
index 6d5498c1..0af159f6 100644
--- a/docs/checks/noSensitiveInfoInRepositories.mdx
+++ b/docs/checks/noSensitiveInfoInRepositories.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-No Secrets and Credentials in Source Code
+No secrets or credentials are included in the source code
 ## Details
+- Default Category: service authentication
+- Default Priority Group: P2
 - C-SCRM: true
-- Priority Group: P2
 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html)
 - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
diff --git a/docs/checks/npmOrgMFA.mdx b/docs/checks/npmOrgMFA.mdx
index 383b3769..f6dadd3d 100644
--- a/docs/checks/npmOrgMFA.mdx
+++ b/docs/checks/npmOrgMFA.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Multi Factor Authentication (MFA) Enforced Across the npm Organization
+Multi Factor Authentication (MFA) enforced across the npm organization(s)
 ## Details
+- Default Category: user authentication
+- Default Priority Group: P1
 - C-SCRM: true
-- Priority Group: P1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
 - How To: [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
diff --git a/docs/checks/npmPublicationMFA.mdx b/docs/checks/npmPublicationMFA.mdx
index 4b5bf8cd..6552d17a 100644
--- a/docs/checks/npmPublicationMFA.mdx
+++ b/docs/checks/npmPublicationMFA.mdx
@@ -13,13 +13,6 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
 Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens
@@ -27,8 +20,9 @@ Publish to npm using an MFA-enabled account rather than single factor legacy or
 ## Details
+- Default Category: service authentication
+- Default Priority Group: P3
 - C-SCRM: true
-- Priority Group: P3
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [npm Docs](https://docs.npmjs.com/creating-and-viewing-access-tokens)
diff --git a/docs/checks/orgToolingMFA.mdx b/docs/checks/orgToolingMFA.mdx
index 521a15d2..d744b1de 100644
--- a/docs/checks/orgToolingMFA.mdx
+++ b/docs/checks/orgToolingMFA.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible
+Multi Factor Authentication (MFA) enforced in all tools wherever technically feasible
 ## Details
+- Default Category: user authentication
+- Default Priority Group: P1
 - C-SCRM: false
-- Priority Group: P1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
diff --git a/docs/checks/owaspTop10Training.mdx b/docs/checks/owaspTop10Training.mdx
index b107d663..86201253 100644
--- a/docs/checks/owaspTop10Training.mdx
+++ b/docs/checks/owaspTop10Training.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent
+At least one primary maintainer has taken the training on OWASP Top 10 or Equivalent
 ## Details
+- Default Category: code quality
+- Default Priority Group: P0
 - C-SCRM: false
-- Priority Group: P0
 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/)
 - Sources: [OpenSSF Best Practices Badge Passing Level [know_common_errors]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors)
diff --git a/docs/checks/patchCriticalVulns30Days.mdx b/docs/checks/patchCriticalVulns30Days.mdx
index 89684cae..e3ee1e34 100644
--- a/docs/checks/patchCriticalVulns30Days.mdx
+++ b/docs/checks/patchCriticalVulns30Days.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Actively Exploited Critical Vulnerabilities Patched within 30 Days
+Actively exploited critical vulnerabilities patched within 30 Days
 ## Details
+- Default Category: vulnerability management
+- Default Priority Group: P5
 - C-SCRM: false
-- Priority Group: P5
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
diff --git a/docs/checks/patchExploitableHighVulns14Days.mdx b/docs/checks/patchExploitableHighVulns14Days.mdx
index 67ff1b19..04af6ef3 100644
--- a/docs/checks/patchExploitableHighVulns14Days.mdx
+++ b/docs/checks/patchExploitableHighVulns14Days.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: n/a
-
-
 ## Description
-Actively Exploited Critical and High Vulnerabilities Patched within 14 Days
+Actively exploited critical and high vulnerabilities patched within 14 Days
 ## Details
+- Default Category: vulnerability management
+- Default Priority Group: R8
 - C-SCRM: false
-- Priority Group: R8
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
diff --git a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
index 5f44a7b3..289a8f14 100644
--- a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
+++ b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: n/a
-
-
 ## Description
-Non-Critical Expoitable Vulnerabilities Patched within 60 Days
+Non-critical exploitable vulnerabilities patched within 60 Days
 ## Details
+- Default Category: vulnerability management
+- Default Priority Group: R8
 - C-SCRM: false
-- Priority Group: R8
 - Sources: [OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days)
diff --git a/docs/checks/patchNonCriticalVulns90Days.mdx b/docs/checks/patchNonCriticalVulns90Days.mdx
index b2148f62..f4f2bd29 100644
--- a/docs/checks/patchNonCriticalVulns90Days.mdx
+++ b/docs/checks/patchNonCriticalVulns90Days.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Non-Critical Exploitable Vulnerabilities Patched within 90 Days
+Ensure non-critical exploitable vulnerabilities are patched within 90 days
 ## Details
+- Default Category: vulnerability management
+- Default Priority Group: P5
 - C-SCRM: false
-- Priority Group: P5
 - Sources: [Google Project Zero Vulnerability Disclosure Policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html)
diff --git a/docs/checks/pinActionsToSHA.mdx b/docs/checks/pinActionsToSHA.mdx
index a06d22e4..bc1ca777 100644
--- a/docs/checks/pinActionsToSHA.mdx
+++ b/docs/checks/pinActionsToSHA.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: deferrable
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Pin Actions with Access to Secrets to a Full Length Commit SHA
+Ensure actions with access to secrets are pinned to a full-length commit SHA
 ## Details
+- Default Category: github workflows
+- Default Priority Group: P13
 - C-SCRM: true
-- Priority Group: P13
 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)
 - Sources: [Github Docs](https://securitylab.github.com/research/github-actions-building-blocks/)
diff --git a/docs/checks/preventBranchProtectionBypass.mdx b/docs/checks/preventBranchProtectionBypass.mdx
index 922781d0..92947a4d 100644
--- a/docs/checks/preventBranchProtectionBypass.mdx
+++ b/docs/checks/preventBranchProtectionBypass.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings
+Do not allow admins to bypass branch protection settings
 ## Details
+- Default Category: user account permissions
+- Default Priority Group: P4
 - C-SCRM: true
-- Priority Group: P4
 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
 - Sources: [Github Supply Chain Security Best Practices](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings)
diff --git a/docs/checks/preventDeletionDefaultBranch.mdx b/docs/checks/preventDeletionDefaultBranch.mdx
index 8b5c7f13..e6952ea0 100644
--- a/docs/checks/preventDeletionDefaultBranch.mdx
+++ b/docs/checks/preventDeletionDefaultBranch.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Prevent Default Branch Deletion
+Ensure the default branch cannot be deleted
 ## Details
+- Default Category: source control
+- Default Priority Group: P9
 - C-SCRM: true
-- Priority Group: P9
 - Mitre: [CWE-267](https://cwe.mitre.org/data/definitions/267.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
diff --git a/docs/checks/preventLandingSensitiveCommits.mdx b/docs/checks/preventLandingSensitiveCommits.mdx
index e777a68b..f0aad3eb 100644
--- a/docs/checks/preventLandingSensitiveCommits.mdx
+++ b/docs/checks/preventLandingSensitiveCommits.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-New Commits Containing Secrets or Credentials are Blocked from Merging
+New commits containing secrets or credentials are blocked from merging
 ## Details
+- Default Category: code quality
+- Default Priority Group: P2
 - C-SCRM: true
-- Priority Group: P2
 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html)
 - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
diff --git a/docs/checks/preventScriptInjection.mdx b/docs/checks/preventScriptInjection.mdx
index 49a33691..842807a9 100644
--- a/docs/checks/preventScriptInjection.mdx
+++ b/docs/checks/preventScriptInjection.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Avoid Script Injection from Untrusted Context Variables
+Ensure script injection is prevented by avoiding untrusted context variables
 ## Details
+- Default Category: github workflows
+- Default Priority Group: P11
 - C-SCRM: true
-- Priority Group: P11
 - Mitre: [CWE-454](https://cwe.mitre.org/data/definitions/454.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
 - How To: [Github Docs](https://securitylab.github.com/research/github-actions-untrusted-input/)
diff --git a/docs/checks/regressionTestsForVulns.mdx b/docs/checks/regressionTestsForVulns.mdx
index 09fd800b..7402588d 100644
--- a/docs/checks/regressionTestsForVulns.mdx
+++ b/docs/checks/regressionTestsForVulns.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: deferrable
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Regression Tests for => 50% of Bugs and 100% of Security Vulns
+Ensure regression tests cover at least 50% of bugs and 100% of security vulnerabilities
 ## Details
+- Default Category: code quality
+- Default Priority Group: P8
 - C-SCRM: false
-- Priority Group: P8
 - Sources: [OpenSSF Best Practices Badge Silver Level [regression_tests_added50]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50)
diff --git a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
index 244f824a..eeb0021a 100644
--- a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
+++ b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: n/a
-
-
 ## Description
-[For Projects with Four or more Maintainers] Require Code Owners Review
+Require code owners review
 ## Details
+- Default Category: code review
+- Default Priority Group: R6
 - C-SCRM: true
-- Priority Group: R6
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
diff --git a/docs/checks/requirePRApprovalForMainline.mdx b/docs/checks/requirePRApprovalForMainline.mdx
index 03b920db..da5b8c6a 100644
--- a/docs/checks/requirePRApprovalForMainline.mdx
+++ b/docs/checks/requirePRApprovalForMainline.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches
+Require approved PRs for all commits to mainline branches
 ## Details
+- Default Category: source control
+- Default Priority Group: R6
 - C-SCRM: true
-- Priority Group: R6
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
diff --git a/docs/checks/requireSignedCommits.mdx b/docs/checks/requireSignedCommits.mdx
index e4b7ab86..397c4984 100644
--- a/docs/checks/requireSignedCommits.mdx
+++ b/docs/checks/requireSignedCommits.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-Require Signed Commits
+Require signed commits
 ## Details
+- Default Category: source control
+- Default Priority Group: R4
 - C-SCRM: true
-- Priority Group: R4
 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits)
diff --git a/docs/checks/requireTwoPartyReview.mdx b/docs/checks/requireTwoPartyReview.mdx
index 49b35086..f9a48ca5 100644
--- a/docs/checks/requireTwoPartyReview.mdx
+++ b/docs/checks/requireTwoPartyReview.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: n/a
-
-
 ## Description
-[For Projects with Two or more Maintainers] Require Two Party Review
+Require two party review
 ## Details
+- Default Category: code review
+- Default Priority Group: R6
 - C-SCRM: true
-- Priority Group: R6
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging)
diff --git a/docs/checks/resolveLinterWarnings.mdx b/docs/checks/resolveLinterWarnings.mdx
index 215a28d4..0a3f10a4 100644
--- a/docs/checks/resolveLinterWarnings.mdx
+++ b/docs/checks/resolveLinterWarnings.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Compilers/Linter Warnings Addressed in order to Merge
+Ensure all compiler and linter warnings are resolved before merging
 ## Details
+- Default Category: code quality
+- Default Priority Group: P6
 - C-SCRM: false
-- Priority Group: P6
 - Mitre: [CWE-1127](https://cwe.mitre.org/data/definitions/1127.html)
 - Sources: [OpenSSF Best Practices Badge Silver Level [warnings_strict]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict)
 - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage)
diff --git a/docs/checks/restrictOrgSecrets.mdx b/docs/checks/restrictOrgSecrets.mdx
index f742d202..06143026 100644
--- a/docs/checks/restrictOrgSecrets.mdx
+++ b/docs/checks/restrictOrgSecrets.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-GitHub Organization Secrets are Restricted to Selected Repositories
+Limit GitHub organization secrets to only be accessible by selected repositories
 ## Details
+- Default Category: github workflows
+- Default Priority Group: P10
 - C-SCRM: true
-- Priority Group: P10
 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html)
 - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository)
diff --git a/docs/checks/restrictedOrgPermissions.mdx b/docs/checks/restrictedOrgPermissions.mdx
index 832765b0..f62bb01f 100644
--- a/docs/checks/restrictedOrgPermissions.mdx
+++ b/docs/checks/restrictedOrgPermissions.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Default Github Org Member Permissions Should Be Restricted
+Default GitHub organization member permissions should be restricted
 ## Details
+- Default Category: user account permissions
+- Default Priority Group: P4
 - C-SCRM: true
-- Priority Group: P4
 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization)
diff --git a/docs/checks/runnerSecurityScanner.mdx b/docs/checks/runnerSecurityScanner.mdx
index 762b45c1..84c5301d 100644
--- a/docs/checks/runnerSecurityScanner.mdx
+++ b/docs/checks/runnerSecurityScanner.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-Use a Github Runner Security Scanner
+Ensure a GitHub runner security scanner is utilized
 ## Details
+- Default Category: github workflows
+- Default Priority Group: R2
 - C-SCRM: true
-- Priority Group: R2
 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/)
 - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)
 - How To: [Step Security harden-runner](https://github.com/step-security/harden-runner)
diff --git a/docs/checks/scanCommitsForSensitiveInfo.mdx b/docs/checks/scanCommitsForSensitiveInfo.mdx
index 01d1b5e5..1e3d2e12 100644
--- a/docs/checks/scanCommitsForSensitiveInfo.mdx
+++ b/docs/checks/scanCommitsForSensitiveInfo.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-All Commits are Scanned for Secrets and Credentials
+All commits are scanned for secrets and credentials
 ## Details
+- Default Category: code quality
+- Default Priority Group: P2
 - C-SCRM: true
-- Priority Group: P2
 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html)
 - Sources: [CNCF SSCP v1.0 #184](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
diff --git a/docs/checks/securityMdMeetsOpenJSCVD.mdx b/docs/checks/securityMdMeetsOpenJSCVD.mdx
index 8c3b4c69..9129e1f2 100644
--- a/docs/checks/securityMdMeetsOpenJSCVD.mdx
+++ b/docs/checks/securityMdMeetsOpenJSCVD.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Security.md Meets OpenJS CVD Guidelines
+Verify that Security.md complies with OpenJS CVD guidelines
 ## Details
+- Default Category: coordinated vulnerability disclosure
+- Default Priority Group: P7
 - C-SCRM: false
-- Priority Group: P7
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy)
diff --git a/docs/checks/softwareArchitectureDocs.mdx b/docs/checks/softwareArchitectureDocs.mdx
index 11ff9c8f..56d5ec15 100644
--- a/docs/checks/softwareArchitectureDocs.mdx
+++ b/docs/checks/softwareArchitectureDocs.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: deferrable
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-[For Projects with Two or more Maintainers] Document Software Architecture
+Ensure the software architecture is clearly documented
 ## Details
+- Default Category: code review
+- Default Priority Group: P12
 - C-SCRM: false
-- Priority Group: P12
 - Mitre: [CWE-1053](https://cwe.mitre.org/data/definitions/1053.html)
 - Sources: [OpenSSF Best Practices Badge Silver Level [documentation_architecture]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture)
diff --git a/docs/checks/softwareDesignTraining.mdx b/docs/checks/softwareDesignTraining.mdx
index cf05927f..c433cd22 100644
--- a/docs/checks/softwareDesignTraining.mdx
+++ b/docs/checks/softwareDesignTraining.mdx
@@ -9,16 +9,9 @@ slug: /checks/softwareDesignTraining
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-At least One Primary Maintainer has taken TBD Training on Secure Software Design
+At least one primary maintainer has taken the training on Secure Software Design
 ## Dashboard Inclusion
@@ -27,9 +20,10 @@ It is considered `passed` if there is a record for the organization in the `soft
 ## Details
+- Default Category: code quality
+- Default Priority Group: P0
 - Implementation Details: It is manual ([details](https://github.com/OpenPathfinder/visionBoard/issues/52)).
 - C-SCRM: false
-- Priority Group: P0
 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/)
 - Sources: [OpenSSF Best Practices Badge Passing Level [know_secure_design]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design)
diff --git a/docs/checks/staticAppSecTesting.mdx b/docs/checks/staticAppSecTesting.mdx
index 88dceddc..0ed107bd 100644
--- a/docs/checks/staticAppSecTesting.mdx
+++ b/docs/checks/staticAppSecTesting.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-All Commits are Scanned by a Static Application Security Testing Tool
+Ensure all commits are scanned by a static application security testing tool
 ## Details
+- Default Category: code quality
+- Default Priority Group: P6
 - C-SCRM: false
-- Priority Group: P6
 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html)
 - Sources: [OWASP SCVS L1 6.6OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast)
 - How To: [CodeQL Docs](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)
diff --git a/docs/checks/staticCodeAnalysis.mdx b/docs/checks/staticCodeAnalysis.mdx
index 9940a353..12fb8bd2 100644
--- a/docs/checks/staticCodeAnalysis.mdx
+++ b/docs/checks/staticCodeAnalysis.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Use an Automated Static Code Analysis Tool (eg: ESLInt)
+Implement automated static code analysis tools (e.g., ESLint)
 ## Details
+- Default Category: code quality
+- Default Priority Group: P6
 - C-SCRM: false
-- Priority Group: P6
 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html)
 - Sources: [OWASP SCVS L1 5.1](https://scvs.owasp.org/scvs/v5-component-analysis/)
 - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage)
diff --git a/docs/checks/twoOrMoreOwnersForAccess.mdx b/docs/checks/twoOrMoreOwnersForAccess.mdx
index ba325a21..f322dcf9 100644
--- a/docs/checks/twoOrMoreOwnersForAccess.mdx
+++ b/docs/checks/twoOrMoreOwnersForAccess.mdx
@@ -11,24 +11,18 @@ slug: /checks/twoOrMoreOwnersForAccess
 This check is currently under development and not yet implemented. [Click here to learn how you can help](/contribute).
 :::
-s
-
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
+
 ## Description
-[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity
+Have at least two owners configured for access continuity
 ## Details
+- Default Category: user account permissions
+- Default Priority Group: P4
 - C-SCRM: true
-- Priority Group: P4
 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
 - Sources: [OpenSSF Best Practices Badge Silver Level [access_continuity]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization)
diff --git a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
index b8e97ef0..e1a74884 100644
--- a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
+++ b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Default Branch must be Up to Date before Merging
+Ensure the default branch is up to date before allowing merges
 ## Details
+- Default Category: source control
+- Default Priority Group: P9
 - C-SCRM: true
-- Priority Group: P9
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)
diff --git a/docs/checks/upgradePathDocs.mdx b/docs/checks/upgradePathDocs.mdx
index ea328a6b..fcd10662 100644
--- a/docs/checks/upgradePathDocs.mdx
+++ b/docs/checks/upgradePathDocs.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-Commonly Used Older Versions Supported or Upgrade Path Provided/Documented
+Ensure commonly used older versions are supported or an upgrade path is documented and provided
 ## Details
+- Default Category: vulnerability management
+- Default Priority Group: P12
 - C-SCRM: true
-- Priority Group: P12
 - Sources: [OpenSSF Best Practices Badge Silver Level [maintenance_or_update]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update)
diff --git a/docs/checks/useCVDToolForVulns.mdx b/docs/checks/useCVDToolForVulns.mdx
index f80e9958..f13fd4a6 100644
--- a/docs/checks/useCVDToolForVulns.mdx
+++ b/docs/checks/useCVDToolForVulns.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: expected
-
-
 ## Description
-Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)
+Ensure the project utilizes a CVD tool to privately receive and manage external vulnerability reports (e.g., HackerOne, GitHub PVR)
 ## Details
+- Default Category: coordinated vulnerability disclosure
+- Default Priority Group: P7
 - C-SCRM: false
-- Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private)
 - How To: [Github Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)
diff --git a/docs/checks/useHwKeyGithubAccess.mdx b/docs/checks/useHwKeyGithubAccess.mdx
index a1287cd5..83f85304 100644
--- a/docs/checks/useHwKeyGithubAccess.mdx
+++ b/docs/checks/useHwKeyGithubAccess.mdx
@@ -13,21 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
+Ensure GitHub access utilizes a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics
 ## Details
+- Default Category: user authentication
+- Default Priority Group: R1
 - C-SCRM: true
-- Priority Group: R1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
 - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey)
diff --git a/docs/checks/useHwKeyGithubNonInteractive.mdx b/docs/checks/useHwKeyGithubNonInteractive.mdx
index 19169d0e..338375ce 100644
--- a/docs/checks/useHwKeyGithubNonInteractive.mdx
+++ b/docs/checks/useHwKeyGithubNonInteractive.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics
+Ensure non-interactive GitHub access uses a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics
 ## Details
+- Default Category: user authentication
+- Default Priority Group: R1
 - C-SCRM: true
-- Priority Group: R1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
 - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key)
diff --git a/docs/checks/useHwKeyOtherContexts.mdx b/docs/checks/useHwKeyOtherContexts.mdx
index 6c88e701..010bb26a 100644
--- a/docs/checks/useHwKeyOtherContexts.mdx
+++ b/docs/checks/useHwKeyOtherContexts.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics
+Ensure all other contexts use a passkey (AAL2) or hardware key (AAL3) activated by a password or biometrics
 ## Details
+- Default Category: user authentication
+- Default Priority Group: R1
 - C-SCRM: true
-- Priority Group: R1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
diff --git a/docs/checks/verifiedActionsOnly.mdx b/docs/checks/verifiedActionsOnly.mdx
index 971881aa..4b8c283d 100644
--- a/docs/checks/verifiedActionsOnly.mdx
+++ b/docs/checks/verifiedActionsOnly.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
-GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions
+Ensure GitHub Actions are limited to verified or explicitly trusted actions
 ## Details
+- Default Category: github workflows
+- Default Priority Group: P10
 - C-SCRM: true
-- Priority Group: P10
 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html)
 - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run)
diff --git a/docs/checks/vulnResponse14Days.mdx b/docs/checks/vulnResponse14Days.mdx
index 45d69711..479e28d6 100644
--- a/docs/checks/vulnResponse14Days.mdx
+++ b/docs/checks/vulnResponse14Days.mdx
@@ -13,21 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: expected
-- Active: expected
-- Retiring: n/a
-
-
 ## Description
+Ensure all external vulnerability reports are addressed within 14 days
 ## Details
+- Default Category: coordinated vulnerability disclosure
+- Default Priority Group: P7
 - C-SCRM: false
-- Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]](https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response)
diff --git a/docs/checks/workflowSecurityScanner.mdx b/docs/checks/workflowSecurityScanner.mdx
index ba5b3346..755d81ca 100644
--- a/docs/checks/workflowSecurityScanner.mdx
+++ b/docs/checks/workflowSecurityScanner.mdx
@@ -13,22 +13,16 @@ This check is currently under development and not yet implemented. [Click here t
 :::
-## Use Case
-
-- Incubating: recommended
-- Active: recommended
-- Retiring: recommended
-
-
 ## Description
-Use a Workflow Security Scanner
+Ensure a workflow security scanner is utilized
 ## Details
+- Default Category: github workflows
+- Default Priority Group: R2
 - C-SCRM: true
-- Priority Group: R2
 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
 - How To: [Step Security secure-repo](https://github.com/step-security/secure-repo)
diff --git a/scripts/populate-checks.js b/scripts/populate-checks.js
index c72e893b..0f247ab0 100644
--- a/scripts/populate-checks.js
+++ b/scripts/populate-checks.js
@@ -5,8 +5,6 @@ const path = require('path')
 const checks = require('../data/checks.json')
 const bannerContentStartTag = ''
 const bannerContentEndTag = ''
-const levelsStartTag = ''
-const levelsEndTag = ''
 const descriptionStartTag = ''
 const descriptionEndTag = ''
 const detailsStartTag = ''
@@ -46,11 +44,12 @@ const renderDetails = (check) => {
 const sourcesDetails = addContent('Sources', check.sources_description, check.sources_url)
 const howToDetails = addContent('How To', check.how_to_description, check.how_to_url)
 let content = '## Details\n'
+ content += `- Default Category: ${check.default_section_name}\n`
+ content += `- Default Priority Group: ${check.default_priority_group}\n`
 if (implementationDetails) {
 content += `${implementationDetails}\n`
 }
 content += `- C-SCRM: ${check.is_c_scrm}\n`
- content += `- Priority Group: ${check.priority_group}\n`
 if (mitreDetails) {
 content += `${mitreDetails}\n`
 }
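Review bot: The two added `content +=` lines in renderDetails interpolate `check.default_section_name` and `check.default_priority_group` with no presence check, so a check entry that lacks either field is published as `- Default Category: undefined` with no error, whereas the neighbouring Mitre/Sources/How To lines go through `addContent`, which presumably omits a line when its value is absent. Since these pages are the published baseline the generator should fail loudly rather than emit a wrong value: ``if (check.default_section_name == null || check.default_priority_group == null) throw new Error(`missing default_section_name/default_priority_group for ${check.code_name}`)`` before the first new line. Relatedly, the `@@ -97,9 +91,6 @@` hunk below removes the levels segment but keeps `## Use Case` as a context line in the template, so regenerated pages will carry an empty "Use Case" heading, while the committed .mdx files in this same diff drop that heading entirely — template and docs disagree until that heading line is removed as well. renderDetails starts before this hunk.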
@@ -71,11 +70,6 @@ id: ${check.id}
 title: ${check.title}
 slug: /checks/${check.code_name}
 ---`.trim()
- const levelsContent = `
-- Incubating: ${check.level_incubating_status}
-- Active: ${check.level_active_status}
-- Retiring: ${check.level_retiring_status}
-`.trim()
 //@TODO: Remove adhoc check for description when https://github.com/OpenPathfinder/visionBoard/issues/159 is fixed
 const bannerContent = check.implementation_status === 'completed' ? '' : `
 :::tip
@@ -97,9 +91,6 @@ ${bannerContent}
 ${bannerContentEndTag}
 ## Use Case
-${levelsStartTag}
-${levelsContent}
-${levelsEndTag}
 ${descriptionStartTag}
 ${descriptionContent}
@@ -118,12 +109,6 @@ ${detailsEndTag}
 startTag: bannerContentStartTag,
 endTag: bannerContentEndTag
 })
- fileContent = updateOrCreateSegment({
- original: fileContent,
- replacementSegment: levelsContent,
- startTag: levelsStartTag,
- endTag: levelsEndTag
- })
 fileContent = updateOrCreateSegment({
 original: fileContent,
 replacementSegment: descriptionContent,