diff --git a/.github/workflows/sync_checks.yml b/.github/workflows/sync_checks.yml
new file mode 100644
index 00000000..479997ab
--- /dev/null
+++ b/.github/workflows/sync_checks.yml
@@ -0,0 +1,100 @@
+name: Sync and update Compliance Checks
+
+on:
+ # Manually trigger the workflow
+ workflow_dispatch:
+
+permissions:
+ # We will create a pull request, so we need write permissions
+ pull-requests: write
+ # We will be committing to the repository, so we need write permissions
+ contents: write
+
+jobs:
+ sync-and-update:
+ runs-on: ubuntu-latest
+
+ services:
+ postgres:
+ image: postgres:17.2
+ env:
+ POSTGRES_DB: dashboard
+ POSTGRES_USER: visionBoard
+ POSTGRES_PASSWORD: password
+ ports:
+ - 5432:5432
+ options: >-
+ --health-cmd="pg_isready -U visionBoard"
+ --health-interval=10s
+ --health-timeout=5s
+ --health-retries=5
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Create or Checkout Branch (chore/update-content)
+ run: |
+ git fetch origin chore/update-content || true
+ git checkout chore/update-content || git checkout -b chore/update-content
+
+ - name: Clone visionBoard and import checks
+ run: |
+ git clone https://github.com/OpenPathfinder/visionBoard.git temp-visionBoard
+ cd temp-visionBoard
+ npm install
+ npm run db:migrate
+ mkdir -p output
+ npm run db:export-checks
+ cp output/checks.json ../data/checks.json
+ cd ..
+ rm -rf temp-visionBoard
+ env:
+ PGHOST: localhost
+ PGUSER: visionBoard
+ PGPASSWORD: password
+ PGDATABASE: dashboard
+
+ - name: Debug Git Changes
+ run: |
+ git status
+ git diff
+
+ - name: Commit Updated Checks
+ run: |
+ git config user.name "GitHub Actions"
+ git config user.email "actions@github.com"
+ git add -A
+ git diff --cached --quiet || git commit -m "chore: sync with visionBoard Checks"
+
+ - name: Install Dependencies and update dynamic content
+ run: |
+ npm install
+ npm run populate-checks
+
+ - name: Debug Git Changes
+ run: |
+ git status
+ git diff
+
+ - name: Commit and Push Changes
+ run: |
+ git config user.name "GitHub Actions"
+ git config user.email "actions@github.com"
+ git add -A
+ git diff --cached --quiet || git commit -m "chore: auto-update content"
+ git push origin chore/update-content
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create and Assign Pull Request
+ run: |
+ gh pr create \
+ --base main \
+ --head chore/update-content \
+ --title "[AUTO] Sync with dashboard database" \
+ --body "This PR updates the content based on the current state of the Dashboard." \
+ --assignee "${{ github.actor }}" \
+ --reviewer "${{ github.actor }}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/data/checks.json b/data/checks.json
new file mode 100644
index 00000000..c4db91ef
--- /dev/null
+++ b/data/checks.json
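Review bot: The "Clone visionBoard and import checks" step clones the default branch of an external repository unpinned and then runs `npm install` and `npm run db:migrate` from it inside a job that holds `contents: write` and `pull-requests: write`, in a working tree where the credentials `actions/checkout` persists by default are reachable, so whatever that branch contains at run time executes with the power to commit and push to this repository and its output is committed without review. Pin the clone to a reviewed revision, e.g. `git clone --depth 1 --branch <visionBoard tag> https://github.com/OpenPathfinder/visionBoard.git temp-visionBoard` followed by `npm ci` so the lockfile governs what is installed, or move the export into a separate job with read-only permissions and hand `checks.json` across as an artifact. Separately, `gh pr create` in the last step fails when a pull request for `chore/update-content` is already open, so a rerun after the first successful sync breaks at the end; guarding it with `gh pr list --head chore/update-content --state open` would make the workflow rerunnable. The `--assignee "${{ github.actor }}"` and `--reviewer "${{ github.actor }}"` interpolations inside `run:` are the pattern GitHub's hardening guide recommends replacing with an `env:` indirection, though `github.actor` is a low-risk value.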
@@ -0,0 +1,1802 @@ +[ + { + "id": 2, + "title": "Training on OWASP Top 10 or Equivalent", + "description": "At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent", + "section_number": "7", + "section_name": "code quality", + "code_name": "owaspTop10Training", + "priority_group": "P0", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://attack.mitre.org/mitigations/M1013/", + "mitre_description": "M1013", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors", + "sources_description": "OpenSSF Best Practices Badge Passing Level [know_common_errors]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/owaspTop10Training", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 4, + "title": "Enforce MFA in npm Organization(s)", + "description": "Multi Factor Authentication (MFA) Enforced Across the npm Organization", + "section_number": "1", + "section_name": "user authentication", + "code_name": "npmOrgMFA", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization", + "how_to_description": "npm Docs", + "sources_url": "https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md", + "sources_description": "OpenSSF npm Best Practices", + "implementation_status": "pending", + "implementation_type": null, + 
"implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/npmOrgMFA", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 5, + "title": "Enforce MFA in all the tools", + "description": "Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible", + "section_number": "1", + "section_name": "user authentication", + "code_name": "orgToolingMFA", + "priority_group": "P1", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md", + "sources_description": "CNCF CNSWP v1.0", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/orgToolingMFA", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 6, + "title": "Use MFA against impersonation", + "description": "Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available ", + "section_number": "1", + "section_name": "user authentication", + "code_name": "MFAImpersonationDefense", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/290.html", + "mitre_description": "CWE-290", + "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa", + "how_to_description": "Github Docs", + "sources_url": 
"https://www.bestpractices.dev/en/criteria/2#2.secure_2FA", + "sources_description": "OpenSSF Best Practices Badge Gold Level [secure_2FA]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/MFAImpersonationDefense", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 7, + "title": "Check sensitive information", + "description": "No Secrets and Credentials in Source Code", + "section_number": "3", + "section_name": "service authentication", + "code_name": "noSensitiveInfoInRepositories", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", + "mitre_description": "CWE-540", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", + "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/noSensitiveInfoInRepositories", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 8, + "title": "Ensure that the secrets are injected at runtime", + "description": "Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)", + "section_number": "3", + "section_name": "service authentication", + "code_name": "injectedSecretsAtRuntime", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + 
"level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/538.html", + "mitre_description": "CWE-538", + "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption", + "sources_description": "CNCF CNSWP 2.0 #195", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/injectedSecretsAtRuntime", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 9, + "title": "Ensure that all the commits are scanned", + "description": "All Commits are Scanned for Secrets and Credentials ", + "section_number": "7", + "section_name": "code quality", + "code_name": "scanCommitsForSensitiveInfo", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", + "mitre_description": "CWE-540", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144", + "sources_description": "CNCF SSCP v1.0 #184", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/scanCommitsForSensitiveInfo", + "created_at": "2024-12-18T20:19:27.410Z", + 
"updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 10, + "title": "Block New Commits with Secrets or Credentials", + "description": "New Commits Containing Secrets or Credentials are Blocked from Merging", + "section_number": "7", + "section_name": "code quality", + "code_name": "preventLandingSensitiveCommits", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/358.html", + "mitre_description": "CWE-358", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", + "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/preventLandingSensitiveCommits", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 11, + "title": "Use SSH Keys with Passphrases for Repository Access", + "description": "Use SSH keys for developer access to source code repositories and use a passphrase", + "section_number": "1", + "section_name": "user authentication", + "code_name": "SSHKeysRequired", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/309.html", + "mitre_description": "CWE-309", + "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh", + "how_to_description": "Github Docs", + "sources_url": 
"https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories", + "sources_description": "CNCF SSCP v1.0 #192", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/SSHKeysRequired", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 12, + "title": "Publish to npm Using MFA-Enabled Accounts", + "description": "Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens", + "section_number": "3", + "section_name": "service authentication", + "code_name": "npmPublicationMFA", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://docs.npmjs.com/creating-and-viewing-access-tokens", + "sources_description": "npm Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/npmPublicationMFA", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 13, + "title": "Secure GitHub Webhooks with Secrets", + "description": "Github Webhooks Use Secrets", + "section_number": "3", + "section_name": "service authentication", + "code_name": "githubWebhookSecrets", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": 
"https://cwe.mitre.org/data/definitions/306", + "mitre_description": "CWE-306", + "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWebhookSecrets", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 14, + "title": "Restrict Default GitHub Org Member Permissions", + "description": "Default Github Org Member Permissions Should Be Restricted", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "restrictedOrgPermissions", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictedOrgPermissions", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 15, + "title": "Allow Only Admins to Create Public 
Repositories", + "description": "Only Admins Should Be Able To Create Public Repositories", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "adminRepoCreationOnly", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/122.html", + "mitre_description": "CAPEC-122", + "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/adminRepoCreationOnly", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 16, + "title": "Prevent Admins from Bypassing Branch Protection", + "description": "[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "preventBranchProtectionBypass", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/122.html", + "mitre_description": "CAPEC-122", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings", + "how_to_description": "Github Docs", + "sources_url": 
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "sources_description": "Github Supply Chain Security Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/preventBranchProtectionBypass", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 17, + "title": "Define Roles Aligned to Functional Responsibilities", + "description": "Define roles aligned to functional responsibilities", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "defineFunctionalRoles", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/122.html", + "mitre_description": "CAPEC-122", + "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities", + "sources_description": "CNCF SSCP v1.0 #188", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/defineFunctionalRoles", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 18, + "title": "Define Teams/Individuals with Write Access to Repositories", + "description": "Define Individuals/Teams who Write Access to a Github Repo", + 
"section_number": "2", + "section_name": "user account permissions", + "code_name": "githubWriteAccessRoles", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions", + "sources_description": "CNCF SSCP v1.0 #185", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWriteAccessRoles", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 19, + "title": "Configure Two or more Owners for Access Continuity", + "description": "[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "twoOrMoreOwnersForAccess", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": "https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization", + "how_to_description": "Github Docs", + "sources_url": 
"https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity", + "sources_description": "OpenSSF Best Practices Badge Silver Level [access_continuity]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/twoOrMoreOwnersForAccess", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 20, + "title": "Patch Actively Exploited Critical Vulnerabilities within 30 Days", + "description": "Actively Exploited Critical Vulnerabilities Patched within 30 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchCriticalVulns30Days", + "priority_group": "P5", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", + "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchCriticalVulns30Days", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 21, + "title": "Patch Non-Critical Vulnerabilities within 90 Days", + "description": "Non-Critical Exploitable Vulnerabilities Patched within 90 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchNonCriticalVulns90Days", + "priority_group": "P5", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": 
"n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html", + "sources_description": "Google Project Zero Vulnerability Disclosure Policy", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchNonCriticalVulns90Days", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 22, + "title": "Automate Dependency Vulnerability Identification", + "description": "An automated process to identify dependencies with publicly disclosed vulnerabilities", + "section_number": "11", + "section_name": "dependency management", + "code_name": "automateVulnDetection", + "priority_group": "P6", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/1395.html", + "mitre_description": "CWE-1395", + "how_to_url": "https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories", + "how_to_description": "Github Docs", + "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", + "sources_description": "OWASP SCVS L1 5.4", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/automateVulnDetection", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 23, + "title": "Use Automated Static Code Analysis Tools", + "description": "Use an Automated Static Code Analysis Tool (eg: ESLInt)", + "section_number": "7", + 
"section_name": "code quality", + "code_name": "staticCodeAnalysis", + "priority_group": "P6", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html", + "mitre_description": "CWE-1076", + "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", + "how_to_description": "ESLint Docs", + "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", + "sources_description": "OWASP SCVS L1 5.1", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/staticCodeAnalysis", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 24, + "title": "Address Compiler/Linter Warnings Before Merging", + "description": "Compilers/Linter Warnings Addressed in order to Merge", + "section_number": "7", + "section_name": "code quality", + "code_name": "resolveLinterWarnings", + "priority_group": "P6", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1127.html", + "mitre_description": "CWE-1127", + "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", + "how_to_description": "ESLint Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict", + "sources_description": "OpenSSF Best Practices Badge Silver Level [warnings_strict]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/resolveLinterWarnings", + "created_at": "2024-12-18T20:19:27.410Z", + 
"updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 25, + "title": "Use Static Application Security Testing for All Commits", + "description": "All Commits are Scanned by a Static Application Security Testing Tool", + "section_number": "7", + "section_name": "code quality", + "code_name": "staticAppSecTesting", + "priority_group": "P6", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html", + "mitre_description": "CWE-1076", + "how_to_url": "https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql", + "how_to_description": "CodeQL Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast", + "sources_description": "OWASP SCVS L1 6.6OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/staticAppSecTesting", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 26, + "title": "Require Commit Status Checks to Pass Before Merging", + "description": "All Required Commit Status Checks must pass before Merging", + "section_number": "7", + "section_name": "code quality", + "code_name": "commitStatusChecks", + "priority_group": "P6", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/358.html", + "mitre_description": "CWE-358", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "how_to_description": "Github Docs", + "sources_url": 
"https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/commitStatusChecks", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 27, + "title": "Ensure Security.md Meets OpenJS CVD Guidelines", + "description": "Security.md Meets OpenJS CVD Guidelines ", + "section_number": "6", + "section_name": "coordinated vulnerability disclosure", + "code_name": "securityMdMeetsOpenJSCVD", + "priority_group": "P7", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/securityMdMeetsOpenJSCVD", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 28, + "title": "Use CVD Tools to Manage Vulnerability Reports", + "description": "Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)", + "section_number": "6", + "section_name": "coordinated vulnerability disclosure", + "code_name": "useCVDToolForVulns", + "priority_group": "P7", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": 
"https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private", + "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useCVDToolForVulns", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 29, + "title": "Respond to External Vulnerability Reports in Under 14 Days", + "description": "All External Vulnerability Reports Responded to <14 Days", + "section_number": "6", + "section_name": "coordinated vulnerability disclosure", + "code_name": "vulnResponse14Days", + "priority_group": "P7", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response", + "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/vulnResponse14Days", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 30, + "title": "Define Clear Communication and Incident Response Plans", + "description": "Establish a Clear Communication and Incident Response Plan", + "section_number": "6", + "section_name": 
"coordinated vulnerability disclosure", + "code_name": "incidentResponsePlan", + "priority_group": "P7", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/#operations", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/incidentResponsePlan", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 31, + "title": "Assign CVEs to All Known Security Vulnerabilities", + "description": "All Known Security Vulnerabilities are Issued a CVE", + "section_number": "6", + "section_name": "coordinated vulnerability disclosure", + "code_name": "assignCVEForKnownVulns", + "priority_group": "P7", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", + "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/assignCVEForKnownVulns", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 32, + "title": "Include CVE IDs in Release Notes for Security Fixes", + "description": "Release Notes must Include the CVE ID of Patched Security 
Vulnerabilities", + "section_number": "6", + "section_name": "coordinated vulnerability disclosure", + "code_name": "includeCVEInReleaseNotes", + "priority_group": "P7", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", + "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/includeCVEInReleaseNotes", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 33, + "title": "Create Regression Tests for Bugs and Security Vulnerabilities", + "description": "Regression Tests for => 50% of Bugs and 100% of Security Vulns", + "section_number": "7", + "section_name": "code quality", + "code_name": "regressionTestsForVulns", + "priority_group": "P8", + "is_c_scrm": false, + "level_incubating_status": "deferrable", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50", + "sources_description": "OpenSSF Best Practices Badge Silver Level [regression_tests_added50]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/regressionTestsForVulns", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + 
"id": 34, + "title": "Set Default GitHub Workflow Token Permissions to Read Only", + "description": "Github Org Default Workflow Token Permissions are Set to Read Only", + "section_number": "4", + "section_name": "github workflow permissions", + "code_name": "defaultTokenPermissionsReadOnly", + "priority_group": "P9", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", + "mitre_description": "CWE-250", + "how_to_url": null, + "how_to_description": null, + "sources_url": null, + "sources_description": null, + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/defaultTokenPermissionsReadOnly", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 35, + "title": "Prevent Workflows from Creating or Approving PRs", + "description": "Workflows are not Allowed To Create or Approve Pull Requests", + "section_number": "4", + "section_name": "github workflow permissions", + "code_name": "blockWorkflowPRApproval", + "priority_group": "P9", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", + "mitre_description": "CWE-250", + "how_to_url": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + 
"implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/blockWorkflowPRApproval", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 36, + "title": "Disable Force Push on Default Branch", + "description": "Prevent Force Push on Default Branch", + "section_number": "9", + "section_name": "source control", + "code_name": "noForcePushDefaultBranch", + "priority_group": "P9", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/noForcePushDefaultBranch", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 37, + "title": "Prevent Deletion of Default Branch", + "description": "Prevent Default Branch Deletion", + "section_number": "9", + "section_name": "source control", + "code_name": "preventDeletionDefaultBranch", + "priority_group": "P9", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/267.html", + "mitre_description": "CWE-267", + "how_to_url": 
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/preventDeletionDefaultBranch", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 38, + "title": "Require Default Branch Updates Before Merging", + "description": "Default Branch must be Up to Date before Merging", + "section_number": "9", + "section_name": "source control", + "code_name": "upToDateDefaultBranchBeforeMerge", + "priority_group": "P9", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/upToDateDefaultBranchBeforeMerge", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 39, + "title": "Restrict GitHub Org Secrets to Specific Repositories", + "description": "GitHub Organization Secrets are Restricted to Selected Repositories", + 
"section_number": "4", + "section_name": "github workflows", + "code_name": "restrictOrgSecrets", + "priority_group": "P10", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", + "mitre_description": "CWE-250", + "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictOrgSecrets", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 40, + "title": "Limit GitHub Actions to Verified or Trusted Actions", + "description": "GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions", + "section_number": "4", + "section_name": "github workflows", + "code_name": "verifiedActionsOnly", + "priority_group": "P10", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html", + "mitre_description": "CWE-1357", + "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run", + "how_to_description": "Github Docs", + "sources_url": 
"https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/verifiedActionsOnly", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 41, + "title": "Disable Self-Hosted Runners in GitHub Org", + "description": "Disable use of Self-Hosted Runners in Github Org", + "section_number": "4", + "section_name": "github workflows", + "code_name": "noSelfHostedRunners", + "priority_group": "P10", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/439.html", + "mitre_description": "CAPEC-439", + "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners", + "how_to_description": "Github Docs", + "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", + "sources_description": "Github Action Hardening Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/noSelfHostedRunners", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 42, + "title": "Restrict Build Pipeline Code Execution to Build Scripts", + "description": "Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script", + "section_number": "4", + "section_name": "github workflows", + "code_name": "noArbitraryCodeInPipeline", + 
"priority_group": "P11", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/94.html", + "mitre_description": "CWE-94", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/noArbitraryCodeInPipeline", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 43, + "title": "Limit Workflow Write Permissions to Job-Level", + "description": "Only Allow Workflows Write Permissions at the Job-Level", + "section_number": "4", + "section_name": "github workflows", + "code_name": "limitWorkflowWritePermissions", + "priority_group": "P11", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", + "mitre_description": "CWE-250", + "how_to_url": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/limitWorkflowWritePermissions", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 44, + "title": "Avoid Script Injection from Untrusted Variables", + 
"description": "Avoid Script Injection from Untrusted Context Variables", + "section_number": "4", + "section_name": "github workflows", + "code_name": "preventScriptInjection", + "priority_group": "P11", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/454.html", + "mitre_description": "CWE-454", + "how_to_url": "https://securitylab.github.com/research/github-actions-untrusted-input/", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/preventScriptInjection", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 45, + "title": "Document Consistent and Automated Build Processes", + "description": "Consistent and Automated Build Process is Documented and Used", + "section_number": "4", + "section_name": "github workflows", + "code_name": "consistentBuildProcessDocs", + "priority_group": "P12", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1068.html", + "mitre_description": "CWE-1068", + "how_to_url": null, + "how_to_description": null, + "sources_url": null, + "sources_description": null, + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/consistentBuildProcessDocs", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 46, + 
"title": "Support Older Versions or Provide Upgrade Paths", + "description": "Commonly Used Older Versions Supported or Upgrade Path Provided/Documented", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "upgradePathDocs", + "priority_group": "P12", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update", + "sources_description": "OpenSSF Best Practices Badge Silver Level [maintenance_or_update]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/upgradePathDocs", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 47, + "title": "Document Software Architecture", + "description": "[For Projects with Two or more Maintainers] Document Software Architecture", + "section_number": "8", + "section_name": "code review", + "code_name": "softwareArchitectureDocs", + "priority_group": "P12", + "is_c_scrm": false, + "level_incubating_status": "deferrable", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1053.html", + "mitre_description": "CWE-1053", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture", + "sources_description": "OpenSSF Best Practices Badge Silver Level [documentation_architecture]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": 
"https://openjs-security-program-standards.netlify.app/details/softwareArchitectureDocs", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 48, + "title": "Automate CI/CD Steps in Code-Based Pipelines", + "description": "CI/CD steps should all be automated through a pipeline defined as code", + "section_number": "9", + "section_name": "source control", + "code_name": "ciAndCdPipelineAsCode", + "priority_group": "P12", + "is_c_scrm": true, + "level_incubating_status": "deferrable", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code", + "sources_description": "CNCF SSCP 1.0 #158", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/ciAndCdPipelineAsCode", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 49, + "title": "Pin Actions with Secrets to Full-Length Commit SHAs", + "description": "Pin Actions with Access to Secrets to a Full Length Commit SHA", + "section_number": "4", + "section_name": "github workflows", + "code_name": "pinActionsToSHA", + "priority_group": "P13", + "is_c_scrm": true, + "level_incubating_status": "deferrable", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html", + "mitre_description": "CWE-1357", + "how_to_url": null, + "how_to_description": null, + 
"sources_url": "https://securitylab.github.com/research/github-actions-building-blocks/", + "sources_description": "Github Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/pinActionsToSHA", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 50, + "title": "Automate Monitoring of Outdated Dependencies", + "description": "Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "automateDependencyManagement", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://socket.dev/", + "how_to_description": "Socket.Dev", + "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", + "sources_description": "OWASP SCVS L1 5.7", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/automateDependencyManagement", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 51, + "title": "Provide Machine-Readable Dependency Lists", + "description": "[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "machineReadableDependencies", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + 
"mitre_description": null, + "how_to_url": "https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph", + "how_to_description": "Github Docs", + "sources_url": "https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements", + "sources_description": "OWASP SCVS L1 1.3", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/machineReadableDependencies", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 52, + "title": "Uniquely Identify Modified Dependencies", + "description": "Modified dependencies are uniquely identified and distinct from origin dependency", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "identifyModifiedDependencies", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/", + "sources_description": "OWASP SCVS L2 6.5", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/identifyModifiedDependencies", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 53, + "title": "Refresh Dependencies with Annual Releases", + "description": "A new release to refresh dependencies occurs at least annually", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "annualDependencyRefresh", + "priority_group": "P14", + "is_c_scrm": 
true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained", + "sources_description": "OpenSSF Best Practices Badge Passing Level [maintained]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/annualDependencyRefresh", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 54, + "title": "Use AAL2/3 Passkeys for GitHub Access", + "description": "{\"url\":\"http://github.com/\",\"description\":\"Github.com\"}", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyGithubAccess", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubAccess", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 55, + "title": 
"Use AAL2/3 Passkeys for Non-Interactive GitHub Access", + "description": "Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyGithubNonInteractive", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubNonInteractive", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 56, + "title": "Use AAL2/3 Passkeys in All Other Contexts", + "description": "All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyOtherContexts", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + "how_to_description": null, + "sources_url": 
"https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyOtherContexts", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 57, + "title": "Require Approval for Forked Workflow Changes", + "description": "Limit changes from forks to workflows by requiring approval for all outside collaborators", + "section_number": "4", + "section_name": "github workflows", + "code_name": "forkWorkflowApproval", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories", + "sources_description": "Github Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/forkWorkflowApproval", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 58, + "title": "Use Workflow Security Scanners", + "description": "Use a Workflow Security Scanner", + "section_number": "4", + "section_name": "github workflows", + "code_name": "workflowSecurityScanner", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + 
"level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://attack.mitre.org/mitigations/M1047/", + "mitre_description": "M1047", + "how_to_url": "https://github.com/step-security/secure-repo", + "how_to_description": "Step Security secure-repo", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/workflowSecurityScanner", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 59, + "title": "Use GitHub Runner Security Scanners", + "description": "Use a Github Runner Security Scanner", + "section_number": "4", + "section_name": "github workflows", + "code_name": "runnerSecurityScanner", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://attack.mitre.org/mitigations/M1047/", + "mitre_description": "M1047", + "how_to_url": "https://github.com/step-security/harden-runner", + "how_to_description": "Step Security harden-runner", + "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", + "sources_description": "Github Action Hardening Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/runnerSecurityScanner", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 60, + "title": "Require Active Admins in GitHub Org (Activity in 6 Months)", + "description": "Github Organization 
Admins Should Have Activity In The Last 6 Months", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "activeAdminsSixMonths", + "priority_group": "R3", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/activeAdminsSixMonths", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 61, + "title": "Require Active Members with Write Access (Activity in 6 Months)", + "description": "Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "activeWritersSixMonths", + "priority_group": "R3", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/activeWritersSixMonths", + "created_at": "2024-12-18T20:19:27.410Z", + 
"updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 62, + "title": "Require Pull Requests Before Merging", + "description": "Require Pull Requests before Merging", + "section_number": "9", + "section_name": "source control", + "code_name": "PRsBeforeMerge", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/778.html", + "mitre_description": "CWE-778", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/PRsBeforeMerge", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 63, + "title": "Enforce Commit Signoff for Web-Based Commits", + "description": "Github Org Requires Commit Signoff for Web-Based Commits", + "section_number": "9", + "section_name": "source control", + "code_name": "commitSignoffForWeb", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization", + "how_to_description": "Github Docs", + "sources_url": 
"https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", + "sources_description": "CNCF SSCP 1.0 #325", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/commitSignoffForWeb", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 64, + "title": "Require Signed Commits", + "description": "Require Signed Commits", + "section_number": "9", + "section_name": "source control", + "code_name": "requireSignedCommits", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", + "sources_description": "CNCF SSCP 1.0 #325", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireSignedCommits", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 65, + "title": "Include package-lock.json in Releases (Freestanding Apps)", + "description": "[Freestanding Applications Only] Commit a package-lock.json file with each release", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "includePackageLock", + "priority_group": "R5", + "is_c_scrm": true, + 
"level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.npmjs.com/cli/v10/commands/npm-sbom", + "how_to_description": "npm Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/includePackageLock", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 66, + "title": "Require Two-Party Review (Two+ Maintainers)", + "description": "[For Projects with Two or more Maintainers] Require Two Party Review", + "section_number": "8", + "section_name": "code review", + "code_name": "requireTwoPartyReview", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireTwoPartyReview", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 67, + "title": "Require Code Owners Review (Four+ 
Maintainers)", + "description": "[For Projects with Four or more Maintainers] Require Code Owners Review", + "section_number": "8", + "section_name": "code review", + "code_name": "requireCodeOwnersReviewForLargeTeams", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireCodeOwnersReviewForLargeTeams", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 68, + "title": "Require Approved PRs for Mainline Commits (Two+ Maintainers)", + "description": "[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches", + "section_number": "9", + "section_name": "source control", + "code_name": "requirePRApprovalForMainline", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + 
"sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requirePRApprovalForMainline", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 69, + "title": "Limit GitHub Org Owners to Fewer Than Three", + "description": "Limit Number of Github Org Owners (ideally Fewer Than Three)", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "limitOrgOwners", + "priority_group": "R7", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/limitOrgOwners", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 70, + "title": "Limit GitHub Repo Admins to Fewer Than Three", + "description": "Limit Number of Github Repository Admins (ideally Fewer Than Three)", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "limitRepoAdmins", + "priority_group": "R7", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": null, + 
"how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/limitRepoAdmins", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 71, + "title": "Patch Critical/High Vulnerabilities in 14 Days", + "description": "Actively Exploited Critical and High Vulnerabilities Patched within 14 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchExploitableHighVulns14Days", + "priority_group": "R8", + "is_c_scrm": false, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", + "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableHighVulns14Days", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 72, + "title": "Patch Non-Critical Vulnerabilities in 60 Days", + "description": "Non-Critical Expoitable Vulnerabilities Patched within 60 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchExploitableNoncCriticalVulns60Days", + "priority_group": "R8", + "is_c_scrm": false, + "level_incubating_status": "recommended", + "level_active_status": 
"recommended", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days", + "sources_description": "OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableNoncCriticalVulns60Days", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 3, + "title": "Enforce MFA in GitHub Organization(s)", + "description": "Multi Factor Authentication (MFA) Enforced Across the Github Organization", + "section_number": "1", + "section_name": "user authentication", + "code_name": "githubOrgMFA", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html", + "sources_description": "OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]", + "implementation_status": "completed", + "implementation_type": "computed", + "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/43", + "details_url": "https://openjs-security-program-standards.netlify.app/details/githubOrgMFA", + "created_at": "2024-12-18T20:19:27.410Z", + 
"updated_at": "2024-12-18T20:19:27.410Z" + }, + { + "id": 1, + "title": "Training on Secure Software Design", + "description": "At least One Primary Maintainer has taken TBD Training on Secure Software Design", + "section_number": "7", + "section_name": "code quality", + "code_name": "softwareDesignTraining", + "priority_group": "P0", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://attack.mitre.org/mitigations/M1013/", + "mitre_description": "M1013", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design", + "sources_description": "OpenSSF Best Practices Badge Passing Level [know_secure_design]", + "implementation_status": "completed", + "implementation_type": "manual", + "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/52", + "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareDesignTraining", + "created_at": "2024-12-18T20:19:27.410Z", + "updated_at": "2024-12-18T20:19:27.410Z" + } + ] \ No newline at end of file diff --git a/docs/checks/MFAImpersonationDefense.mdx b/docs/checks/MFAImpersonationDefense.mdx new file mode 100644 index 00000000..8994148a --- /dev/null +++ b/docs/checks/MFAImpersonationDefense.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 4 +id: 6 +title: Use MFA against impersonation +slug: /checks/MFAImpersonationDefense +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P1 +- Mitre: [CWE-290](https://cwe.mitre.org/data/definitions/290.html) +- Sources: [OpenSSF Best Practices Badge Gold Level [secure_2FA]](https://www.bestpractices.dev/en/criteria/2#2.secure_2FA) +- How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/PRsBeforeMerge.mdx b/docs/checks/PRsBeforeMerge.mdx new file mode 100644 index 00000000..c9ac7218 --- /dev/null +++ b/docs/checks/PRsBeforeMerge.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 60 +id: 62 +title: Require Pull Requests Before Merging +slug: /checks/PRsBeforeMerge +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R4 +- Mitre: [CWE-778](https://cwe.mitre.org/data/definitions/778.html) +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) +- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/SSHKeysRequired.mdx b/docs/checks/SSHKeysRequired.mdx new file mode 100644 index 00000000..8c07cb13 --- /dev/null +++ b/docs/checks/SSHKeysRequired.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 9 +id: 11 +title: Use SSH Keys with Passphrases for Repository Access +slug: /checks/SSHKeysRequired +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P3 +- Mitre: [CWE-309](https://cwe.mitre.org/data/definitions/309.html) +- Sources: [CNCF SSCP v1.0 #192](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories) +- How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/_category_.json b/docs/checks/_category_.json new file mode 100644 index 00000000..31800d2e --- /dev/null +++ b/docs/checks/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Checks", + "position": 3 + } \ No newline at end of file diff --git a/docs/checks/activeAdminsSixMonths.mdx b/docs/checks/activeAdminsSixMonths.mdx new file mode 100644 index 00000000..1a9f7cc6 --- /dev/null +++ b/docs/checks/activeAdminsSixMonths.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 58 +id: 60 +title: Require Active Admins in GitHub Org (Activity in 6 Months) +slug: /checks/activeAdminsSixMonths +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R3 +- Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + 
diff --git a/docs/checks/activeWritersSixMonths.mdx b/docs/checks/activeWritersSixMonths.mdx new file mode 100644 index 00000000..058a5d66 --- /dev/null +++ b/docs/checks/activeWritersSixMonths.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 59 +id: 61 +title: Require Active Members with Write Access (Activity in 6 Months) +slug: /checks/activeWritersSixMonths +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R3 +- Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/adminRepoCreationOnly.mdx b/docs/checks/adminRepoCreationOnly.mdx new file mode 100644 index 00000000..89434f9c --- /dev/null +++ b/docs/checks/adminRepoCreationOnly.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 13 +id: 15 +title: Allow Only Admins to Create Public Repositories +slug: /checks/adminRepoCreationOnly +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P4 +- Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html) +- How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/annualDependencyRefresh.mdx b/docs/checks/annualDependencyRefresh.mdx new file mode 100644 index 00000000..ac838802 --- /dev/null 
+++ b/docs/checks/annualDependencyRefresh.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 51 +id: 53 +title: Refresh Dependencies with Annual Releases +slug: /checks/annualDependencyRefresh +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P14 +- Sources: [OpenSSF Best Practices Badge Passing Level [maintained]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/assignCVEForKnownVulns.mdx b/docs/checks/assignCVEForKnownVulns.mdx new file mode 100644 index 00000000..b0deaed9 --- /dev/null +++ b/docs/checks/assignCVEForKnownVulns.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 29 +id: 31 +title: Assign CVEs to All Known Security Vulnerabilities +slug: /checks/assignCVEForKnownVulns +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P7 +- Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/automateDependencyManagement.mdx b/docs/checks/automateDependencyManagement.mdx new file mode 100644 index 00000000..5b38d910 --- /dev/null +++ b/docs/checks/automateDependencyManagement.mdx 
@@ -0,0 +1,28 @@ +--- +sidebar_position: 48 +id: 50 +title: Automate Monitoring of Outdated Dependencies +slug: /checks/automateDependencyManagement +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P14 +- Sources: [OWASP SCVS L1 5.7](https://scvs.owasp.org/scvs/v5-component-analysis/) +- How To: [Socket.Dev](https://socket.dev/) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/automateVulnDetection.mdx b/docs/checks/automateVulnDetection.mdx new file mode 100644 index 00000000..9a7d5e47 --- /dev/null +++ b/docs/checks/automateVulnDetection.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 20 +id: 22 +title: Automate Dependency Vulnerability Identification +slug: /checks/automateVulnDetection +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P6 +- Mitre: [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html) +- Sources: [OWASP SCVS L1 5.4](https://scvs.owasp.org/scvs/v5-component-analysis/) +- How To: [Github Docs](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/blockWorkflowPRApproval.mdx b/docs/checks/blockWorkflowPRApproval.mdx new file mode 100644 index 00000000..922166ff --- /dev/null +++ b/docs/checks/blockWorkflowPRApproval.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 33 +id: 35 +title: Prevent Workflows from Creating or Approving PRs +slug: /checks/blockWorkflowPRApproval +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P9 +- Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) +- How To: [Github Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/ciAndCdPipelineAsCode.mdx b/docs/checks/ciAndCdPipelineAsCode.mdx new file mode 100644 index 00000000..b542141e --- /dev/null +++ b/docs/checks/ciAndCdPipelineAsCode.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 46 +id: 48 +title: Automate CI/CD Steps in Code-Based Pipelines +slug: /checks/ciAndCdPipelineAsCode +--- + +## Use Case + +- Incubating: deferrable +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P12 +- Sources: [CNCF SSCP 1.0 #158](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code) +- How To: [Github Docs](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/commitSignoffForWeb.mdx b/docs/checks/commitSignoffForWeb.mdx new file mode 100644 index 00000000..ba9d0423 --- /dev/null 
+++ b/docs/checks/commitSignoffForWeb.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 61 +id: 63 +title: Enforce Commit Signoff for Web-Based Commits +slug: /checks/commitSignoffForWeb +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R4 +- Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits) +- How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/commitStatusChecks.mdx b/docs/checks/commitStatusChecks.mdx new file mode 100644 index 00000000..f023a138 --- /dev/null +++ b/docs/checks/commitStatusChecks.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 24 +id: 26 +title: Require Commit Status Checks to Pass Before Merging +slug: /checks/commitStatusChecks +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P6 +- Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html) +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) +- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/consistentBuildProcessDocs.mdx b/docs/checks/consistentBuildProcessDocs.mdx new file mode 100644 index 00000000..3f9ecc9f 
--- /dev/null +++ b/docs/checks/consistentBuildProcessDocs.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 43 +id: 45 +title: Document Consistent and Automated Build Processes +slug: /checks/consistentBuildProcessDocs +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P12 +- Mitre: [CWE-1068](https://cwe.mitre.org/data/definitions/1068.html) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/defaultTokenPermissionsReadOnly.mdx b/docs/checks/defaultTokenPermissionsReadOnly.mdx new file mode 100644 index 00000000..d7e93ab7 --- /dev/null +++ b/docs/checks/defaultTokenPermissionsReadOnly.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 32 +id: 34 +title: Set Default GitHub Workflow Token Permissions to Read Only +slug: /checks/defaultTokenPermissionsReadOnly +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P9 +- Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/defineFunctionalRoles.mdx b/docs/checks/defineFunctionalRoles.mdx new file mode 100644 index 00000000..657424c2 --- /dev/null +++ b/docs/checks/defineFunctionalRoles.mdx 
@@ -0,0 +1,29 @@
+---
+sidebar_position: 15
+id: 17
+title: Define Roles Aligned to Functional Responsibilities
+slug: /checks/defineFunctionalRoles
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P4
+- Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
+- Sources: [CNCF SSCP v1.0 #188](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities)
+- How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/forkWorkflowApproval.mdx b/docs/checks/forkWorkflowApproval.mdx
new file mode 100644
index 00000000..46cc17f2
--- /dev/null
+++ b/docs/checks/forkWorkflowApproval.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 55
+id: 57
+title: Require Approval for Forked Workflow Changes
+slug: /checks/forkWorkflowApproval
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R2
+- Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
+- Sources: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/githubOrgMFA.mdx b/docs/checks/githubOrgMFA.mdx
new file mode 100644
index 00000000..1ab49240
--- /dev/null
+++ b/docs/checks/githubOrgMFA.mdx
@@ -0,0 +1,34 @@
+---
+sidebar_position: 71
+id: 3
+title: Enforce MFA in GitHub Organization(s)
+slug: /checks/githubOrgMFA
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+## Dashboard Inclusion
+
+We use the field `two_factor_requirement_enabled` from the GitHub Organization API to check if the project has enforced this policy. [More information](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43)
+
+
+## Details
+- Implementation Status: completed
+- Implementation Details: It is computed ([details](https://github.com/OpenPathfinder/visionBoard/issues/43)).
+- C-SCRM: true
+- Priority Group: P1
+- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
+- Sources: [OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
+- How To: [Github Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/githubWebhookSecrets.mdx b/docs/checks/githubWebhookSecrets.mdx
new file mode 100644
index 00000000..ceca2cd3
--- /dev/null
+++ b/docs/checks/githubWebhookSecrets.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 11
+id: 13
+title: Secure GitHub Webhooks with Secrets
+slug: /checks/githubWebhookSecrets
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P3
+- Mitre: [CWE-306](https://cwe.mitre.org/data/definitions/306)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks)
+- How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/githubWriteAccessRoles.mdx b/docs/checks/githubWriteAccessRoles.mdx
new file mode 100644
index 00000000..d4974b47
--- /dev/null
+++ b/docs/checks/githubWriteAccessRoles.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 16
+id: 18
+title: Define Teams/Individuals with Write Access to Repositories
+slug: /checks/githubWriteAccessRoles
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P4
+- Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
+- Sources: [CNCF SSCP v1.0 #185](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions)
+- How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/identifyModifiedDependencies.mdx b/docs/checks/identifyModifiedDependencies.mdx
new file mode 100644
index 00000000..3c51db5a
--- /dev/null
+++ b/docs/checks/identifyModifiedDependencies.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 50
+id: 52
+title: Uniquely Identify Modified Dependencies
+slug: /checks/identifyModifiedDependencies
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P14
+- Sources: [OWASP SCVS L2 6.5](https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/incidentResponsePlan.mdx b/docs/checks/incidentResponsePlan.mdx
new file mode 100644
index 00000000..2ac71a1d
--- /dev/null
+++ b/docs/checks/incidentResponsePlan.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 28
+id: 30
+title: Define Clear Communication and Incident Response Plans
+slug: /checks/incidentResponsePlan
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P7
+- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/#operations)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/includeCVEInReleaseNotes.mdx b/docs/checks/includeCVEInReleaseNotes.mdx
new file mode 100644
index 00000000..9cb0c992
--- /dev/null
+++ b/docs/checks/includeCVEInReleaseNotes.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 30
+id: 32
+title: Include CVE IDs in Release Notes for Security Fixes
+slug: /checks/includeCVEInReleaseNotes
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P7
+- Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/includePackageLock.mdx b/docs/checks/includePackageLock.mdx
new file mode 100644
index 00000000..5e35299a
--- /dev/null
+++ b/docs/checks/includePackageLock.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 63
+id: 65
+title: Include package-lock.json in Releases (Freestanding Apps)
+slug: /checks/includePackageLock
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R5
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom)
+- How To: [npm Docs](https://docs.npmjs.com/cli/v10/commands/npm-sbom)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/injectedSecretsAtRuntime.mdx b/docs/checks/injectedSecretsAtRuntime.mdx
new file mode 100644
index 00000000..09f67cca
--- /dev/null
+++ b/docs/checks/injectedSecretsAtRuntime.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 6
+id: 8
+title: Ensure that the secrets are injected at runtime
+slug: /checks/injectedSecretsAtRuntime
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P2
+- Mitre: [CWE-538](https://cwe.mitre.org/data/definitions/538.html)
+- Sources: [CNCF CNSWP 2.0 #195](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption)
+- How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/limitOrgOwners.mdx b/docs/checks/limitOrgOwners.mdx
new file mode 100644
index 00000000..510670ee
--- /dev/null
+++ b/docs/checks/limitOrgOwners.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 67
+id: 69
+title: Limit GitHub Org Owners to Fewer Than Three
+slug: /checks/limitOrgOwners
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R7
+- Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
+- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/limitRepoAdmins.mdx b/docs/checks/limitRepoAdmins.mdx
new file mode 100644
index 00000000..c3b35377
--- /dev/null
+++ b/docs/checks/limitRepoAdmins.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 68
+id: 70
+title: Limit GitHub Repo Admins to Fewer Than Three
+slug: /checks/limitRepoAdmins
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R7
+- Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
+- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/limitWorkflowWritePermissions.mdx b/docs/checks/limitWorkflowWritePermissions.mdx
new file mode 100644
index 00000000..16e37da0
--- /dev/null
+++ b/docs/checks/limitWorkflowWritePermissions.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 41
+id: 43
+title: Limit Workflow Write Permissions to Job-Level
+slug: /checks/limitWorkflowWritePermissions
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P11
+- Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
+- How To: [Github Docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/machineReadableDependencies.mdx b/docs/checks/machineReadableDependencies.mdx
new file mode 100644
index 00000000..41bdb531
--- /dev/null
+++ b/docs/checks/machineReadableDependencies.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 49
+id: 51
+title: Provide Machine-Readable Dependency Lists
+slug: /checks/machineReadableDependencies
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P14
+- Sources: [OWASP SCVS L1 1.3](https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements)
+- How To: [Github Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/noArbitraryCodeInPipeline.mdx b/docs/checks/noArbitraryCodeInPipeline.mdx
new file mode 100644
index 00000000..f59c2bf8
--- /dev/null
+++ b/docs/checks/noArbitraryCodeInPipeline.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 40
+id: 42
+title: Restrict Build Pipeline Code Execution to Build Scripts
+slug: /checks/noArbitraryCodeInPipeline
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P11
+- Mitre: [CWE-94](https://cwe.mitre.org/data/definitions/94.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/noForcePushDefaultBranch.mdx b/docs/checks/noForcePushDefaultBranch.mdx
new file mode 100644
index 00000000..8182ce92
--- /dev/null
+++ b/docs/checks/noForcePushDefaultBranch.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 34
+id: 36
+title: Disable Force Push on Default Branch
+slug: /checks/noForcePushDefaultBranch
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P9
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/noSelfHostedRunners.mdx b/docs/checks/noSelfHostedRunners.mdx
new file mode 100644
index 00000000..bd152954
--- /dev/null
+++ b/docs/checks/noSelfHostedRunners.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 39
+id: 41
+title: Disable Self-Hosted Runners in GitHub Org
+slug: /checks/noSelfHostedRunners
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P10
+- Mitre: [CAPEC-439](https://capec.mitre.org/data/definitions/439.html)
+- Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)
+- How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/noSensitiveInfoInRepositories.mdx b/docs/checks/noSensitiveInfoInRepositories.mdx
new file mode 100644
index 00000000..1de4a819
--- /dev/null
+++ b/docs/checks/noSensitiveInfoInRepositories.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 5
+id: 7
+title: Check sensitive information
+slug: /checks/noSensitiveInfoInRepositories
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P2
+- Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html)
+- Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
+- How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/npmOrgMFA.mdx b/docs/checks/npmOrgMFA.mdx
new file mode 100644
index 00000000..d0310962
--- /dev/null
+++ b/docs/checks/npmOrgMFA.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 2
+id: 4
+title: Enforce MFA in npm Organization(s)
+slug: /checks/npmOrgMFA
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P1
+- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
+- Sources: [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
+- How To: [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/npmPublicationMFA.mdx b/docs/checks/npmPublicationMFA.mdx
new file mode 100644
index 00000000..0ff37ed6
--- /dev/null
+++ b/docs/checks/npmPublicationMFA.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 10
+id: 12
+title: Publish to npm Using MFA-Enabled Accounts
+slug: /checks/npmPublicationMFA
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P3
+- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
+- Sources: [npm Docs](https://docs.npmjs.com/creating-and-viewing-access-tokens)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/orgToolingMFA.mdx b/docs/checks/orgToolingMFA.mdx
new file mode 100644
index 00000000..1f7af86e
--- /dev/null
+++ b/docs/checks/orgToolingMFA.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 3
+id: 5
+title: Enforce MFA in all the tools
+slug: /checks/orgToolingMFA
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P1
+- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
+- Sources: [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/owaspTop10Training.mdx b/docs/checks/owaspTop10Training.mdx
new file mode 100644
index 00000000..3637b37a
--- /dev/null
+++ b/docs/checks/owaspTop10Training.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 1
+id: 2
+title: Training on OWASP Top 10 or Equivalent
+slug: /checks/owaspTop10Training
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P0
+- Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/)
+- Sources: [OpenSSF Best Practices Badge Passing Level [know_common_errors]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/patchCriticalVulns30Days.mdx b/docs/checks/patchCriticalVulns30Days.mdx
new file mode 100644
index 00000000..a0dd9619
--- /dev/null
+++ b/docs/checks/patchCriticalVulns30Days.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 18
+id: 20
+title: Patch Actively Exploited Critical Vulnerabilities within 30 Days
+slug: /checks/patchCriticalVulns30Days
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P5
+- Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/patchExploitableHighVulns14Days.mdx b/docs/checks/patchExploitableHighVulns14Days.mdx
new file mode 100644
index 00000000..5c525efd
--- /dev/null
+++ b/docs/checks/patchExploitableHighVulns14Days.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 69
+id: 71
+title: Patch Critical/High Vulnerabilities in 14 Days
+slug: /checks/patchExploitableHighVulns14Days
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: R8
+- Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
new file mode 100644
index 00000000..f55d2e62
--- /dev/null
+++ b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 70
+id: 72
+title: Patch Non-Critical Vulnerabilities in 60 Days
+slug: /checks/patchExploitableNoncCriticalVulns60Days
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: R8
+- Sources: [OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/patchNonCriticalVulns90Days.mdx b/docs/checks/patchNonCriticalVulns90Days.mdx
new file mode 100644
index 00000000..524cfc52
--- /dev/null
+++ b/docs/checks/patchNonCriticalVulns90Days.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 19
+id: 21
+title: Patch Non-Critical Vulnerabilities within 90 Days
+slug: /checks/patchNonCriticalVulns90Days
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P5
+- Sources: [Google Project Zero Vulnerability Disclosure Policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/pinActionsToSHA.mdx b/docs/checks/pinActionsToSHA.mdx
new file mode 100644
index 00000000..5d00b29d
--- /dev/null
+++ b/docs/checks/pinActionsToSHA.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 47
+id: 49
+title: Pin Actions with Secrets to Full-Length Commit SHAs
+slug: /checks/pinActionsToSHA
+---
+
+## Use Case
+
+- Incubating: deferrable
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P13
+- Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)
+- Sources: [Github Docs](https://securitylab.github.com/research/github-actions-building-blocks/)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/preventBranchProtectionBypass.mdx b/docs/checks/preventBranchProtectionBypass.mdx
new file mode 100644
index 00000000..31f2feff
--- /dev/null
+++ b/docs/checks/preventBranchProtectionBypass.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 14
+id: 16
+title: Prevent Admins from Bypassing Branch Protection
+slug: /checks/preventBranchProtectionBypass
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P4
+- Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
+- Sources: [Github Supply Chain Security Best Practices](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/preventDeletionDefaultBranch.mdx b/docs/checks/preventDeletionDefaultBranch.mdx
new file mode 100644
index 00000000..37c118e6
--- /dev/null
+++ b/docs/checks/preventDeletionDefaultBranch.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 35
+id: 37
+title: Prevent Deletion of Default Branch
+slug: /checks/preventDeletionDefaultBranch
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: expected
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P9
+- Mitre: [CWE-267](https://cwe.mitre.org/data/definitions/267.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/preventLandingSensitiveCommits.mdx b/docs/checks/preventLandingSensitiveCommits.mdx
new file mode 100644
index 00000000..9ae0fa8c
--- /dev/null
+++ b/docs/checks/preventLandingSensitiveCommits.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 8
+id: 10
+title: Block New Commits with Secrets or Credentials
+slug: /checks/preventLandingSensitiveCommits
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P2
+- Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html)
+- Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
+- How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/preventScriptInjection.mdx b/docs/checks/preventScriptInjection.mdx
new file mode 100644
index 00000000..ac05a1d2
--- /dev/null
+++ b/docs/checks/preventScriptInjection.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 42
+id: 44
+title: Avoid Script Injection from Untrusted Variables
+slug: /checks/preventScriptInjection
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: P11
+- Mitre: [CWE-454](https://cwe.mitre.org/data/definitions/454.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
+- How To: [Github Docs](https://securitylab.github.com/research/github-actions-untrusted-input/)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/regressionTestsForVulns.mdx b/docs/checks/regressionTestsForVulns.mdx
new file mode 100644
index 00000000..d3141e5d
--- /dev/null
+++ b/docs/checks/regressionTestsForVulns.mdx
@@ -0,0 +1,27 @@
+---
+sidebar_position: 31
+id: 33
+title: Create Regression Tests for Bugs and Security Vulnerabilities
+slug: /checks/regressionTestsForVulns
+---
+
+## Use Case
+
+- Incubating: deferrable
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P8
+- Sources: [OpenSSF Best Practices Badge Silver Level [regression_tests_added50]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
new file mode 100644
index 00000000..134adade
--- /dev/null
+++ b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 65
+id: 67
+title: Require Code Owners Review (Four+ Maintainers)
+slug: /checks/requireCodeOwnersReviewForLargeTeams
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R6
+- Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
+- How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/requirePRApprovalForMainline.mdx b/docs/checks/requirePRApprovalForMainline.mdx
new file mode 100644
index 00000000..9481eeae
--- /dev/null
+++ b/docs/checks/requirePRApprovalForMainline.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 66
+id: 68
+title: Require Approved PRs for Mainline Commits (Two+ Maintainers)
+slug: /checks/requirePRApprovalForMainline
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R6
+- Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/requireSignedCommits.mdx b/docs/checks/requireSignedCommits.mdx
new file mode 100644
index 00000000..dabd6861
--- /dev/null
+++ b/docs/checks/requireSignedCommits.mdx
@@ -0,0 +1,28 @@
+---
+sidebar_position: 62
+id: 64
+title: Require Signed Commits
+slug: /checks/requireSignedCommits
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: recommended
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R4
+- Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/requireTwoPartyReview.mdx b/docs/checks/requireTwoPartyReview.mdx
new file mode 100644
index 00000000..a099af59
--- /dev/null
+++ b/docs/checks/requireTwoPartyReview.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 64
+id: 66
+title: Require Two-Party Review (Two+ Maintainers)
+slug: /checks/requireTwoPartyReview
+---
+
+## Use Case
+
+- Incubating: recommended
+- Active: recommended
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: true
+- Priority Group: R6
+- Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
+- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
+- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/resolveLinterWarnings.mdx b/docs/checks/resolveLinterWarnings.mdx
new file mode 100644
index 00000000..e0b9f432
--- /dev/null
+++ b/docs/checks/resolveLinterWarnings.mdx
@@ -0,0 +1,29 @@
+---
+sidebar_position: 22
+id: 24
+title: Address Compiler/Linter Warnings Before Merging
+slug: /checks/resolveLinterWarnings
+---
+
+## Use Case
+
+- Incubating: expected
+- Active: expected
+- Retiring: n/a
+
+
+
+## Description
+
+
+
+## Details
+- Implementation Status: pending
+- C-SCRM: false
+- Priority Group: P6
+- Mitre: [CWE-1127](https://cwe.mitre.org/data/definitions/1127.html)
+- Sources: [OpenSSF Best Practices Badge Silver Level [warnings_strict]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict)
+- How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage)
+- Created at 2024-12-18T20:19:27.410Z
+- Updated at 2024-12-18T20:19:27.410Z
+
diff --git a/docs/checks/restrictOrgSecrets.mdx b/docs/checks/restrictOrgSecrets.mdx
new file mode 100644
index 00000000..cee3b66b
--- /dev/null
+++ b/docs/checks/restrictOrgSecrets.mdx
@@ -0,0 +1,29 @@ +--- +sidebar_position: 37 +id: 39 +title: Restrict GitHub Org Secrets to Specific Repositories +slug: /checks/restrictOrgSecrets +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P10 +- Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html) +- How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/restrictedOrgPermissions.mdx b/docs/checks/restrictedOrgPermissions.mdx new file mode 100644 index 00000000..67dcbe06 --- /dev/null +++ b/docs/checks/restrictedOrgPermissions.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 12 +id: 14 +title: Restrict Default GitHub Org Member Permissions +slug: /checks/restrictedOrgPermissions +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P4 +- Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html) +- How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + 
diff --git a/docs/checks/runnerSecurityScanner.mdx b/docs/checks/runnerSecurityScanner.mdx new file mode 100644 index 00000000..e9221a3c --- /dev/null +++ b/docs/checks/runnerSecurityScanner.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 57 +id: 59 +title: Use GitHub Runner Security Scanners +slug: /checks/runnerSecurityScanner +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R2 +- Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/) +- Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) +- How To: [Step Security harden-runner](https://github.com/step-security/harden-runner) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/scanCommitsForSensitiveInfo.mdx b/docs/checks/scanCommitsForSensitiveInfo.mdx new file mode 100644 index 00000000..a490930f --- /dev/null +++ b/docs/checks/scanCommitsForSensitiveInfo.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 7 +id: 9 +title: Ensure that all the commits are scanned +slug: /checks/scanCommitsForSensitiveInfo +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P2 +- Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html) +- Sources: [CNCF SSCP v1.0 #184](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144) +- How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + 
diff --git a/docs/checks/securityMdMeetsOpenJSCVD.mdx b/docs/checks/securityMdMeetsOpenJSCVD.mdx new file mode 100644 index 00000000..4d14d531 --- /dev/null +++ b/docs/checks/securityMdMeetsOpenJSCVD.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 25 +id: 27 +title: Ensure Security.md Meets OpenJS CVD Guidelines +slug: /checks/securityMdMeetsOpenJSCVD +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P7 +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/softwareArchitectureDocs.mdx b/docs/checks/softwareArchitectureDocs.mdx new file mode 100644 index 00000000..debe382f --- /dev/null +++ b/docs/checks/softwareArchitectureDocs.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 45 +id: 47 +title: Document Software Architecture +slug: /checks/softwareArchitectureDocs +--- + +## Use Case + +- Incubating: deferrable +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P12 +- Mitre: [CWE-1053](https://cwe.mitre.org/data/definitions/1053.html) +- Sources: [OpenSSF Best Practices Badge Silver Level [documentation_architecture]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/softwareDesignTraining.mdx b/docs/checks/softwareDesignTraining.mdx new file mode 100644 index 00000000..606af59f --- /dev/null +++ b/docs/checks/softwareDesignTraining.mdx 
@@ -0,0 +1,33 @@ +--- +sidebar_position: 72 +id: 1 +title: Training on Secure Software Design +slug: /checks/softwareDesignTraining +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + +## Dashboard Inclusion + +It is considered `passed` if there is a record for the organization in the `software_design_training` dashboard table and the date falls within the valid range (one natural year). This table is maintained manually, [more information](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/52) + + +## Details +- Implementation Status: completed +- Implementation Details: It is manual ([details](https://github.com/OpenPathfinder/visionBoard/issues/52)). +- C-SCRM: false +- Priority Group: P0 +- Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/) +- Sources: [OpenSSF Best Practices Badge Passing Level [know_secure_design]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/staticAppSecTesting.mdx b/docs/checks/staticAppSecTesting.mdx new file mode 100644 index 00000000..70d6722d --- /dev/null +++ b/docs/checks/staticAppSecTesting.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 23 +id: 25 +title: Use Static Application Security Testing for All Commits +slug: /checks/staticAppSecTesting +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P6 +- Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html) +- Sources: [OWASP SCVS L1 6.6OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast) +- How To: [CodeQL Docs](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/staticCodeAnalysis.mdx b/docs/checks/staticCodeAnalysis.mdx new file mode 100644 index 00000000..c95b9729 --- /dev/null +++ b/docs/checks/staticCodeAnalysis.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 21 +id: 23 +title: Use Automated Static Code Analysis Tools +slug: /checks/staticCodeAnalysis +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P6 +- Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html) +- Sources: [OWASP SCVS L1 5.1](https://scvs.owasp.org/scvs/v5-component-analysis/) +- How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/twoOrMoreOwnersForAccess.mdx b/docs/checks/twoOrMoreOwnersForAccess.mdx new file mode 100644 index 00000000..022c95fb --- /dev/null +++ b/docs/checks/twoOrMoreOwnersForAccess.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 17 +id: 19 +title: Configure Two or more Owners for Access Continuity +slug: /checks/twoOrMoreOwnersForAccess +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P4 +- Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/) +- Sources: [OpenSSF Best Practices Badge Silver Level [access_continuity]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity) +- How To: [Github Docs](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx new file mode 100644 index 00000000..03da3d29 --- /dev/null +++ b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 36 +id: 38 +title: Require Default Branch Updates Before Merging +slug: /checks/upToDateDefaultBranchBeforeMerge +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P9 +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) +- How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/upgradePathDocs.mdx b/docs/checks/upgradePathDocs.mdx new file mode 100644 index 00000000..fdccbb37 --- /dev/null +++ b/docs/checks/upgradePathDocs.mdx 
@@ -0,0 +1,27 @@ +--- +sidebar_position: 44 +id: 46 +title: Support Older Versions or Provide Upgrade Paths +slug: /checks/upgradePathDocs +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P12 +- Sources: [OpenSSF Best Practices Badge Silver Level [maintenance_or_update]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/useCVDToolForVulns.mdx b/docs/checks/useCVDToolForVulns.mdx new file mode 100644 index 00000000..101cf882 --- /dev/null +++ b/docs/checks/useCVDToolForVulns.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 26 +id: 28 +title: Use CVD Tools to Manage Vulnerability Reports +slug: /checks/useCVDToolForVulns +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: expected + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P7 +- Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private) +- How To: [Github Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/useHwKeyGithubAccess.mdx b/docs/checks/useHwKeyGithubAccess.mdx new file mode 100644 index 00000000..707f9be5 --- /dev/null +++ b/docs/checks/useHwKeyGithubAccess.mdx 
@@ -0,0 +1,29 @@ +--- +sidebar_position: 52 +id: 54 +title: Use AAL2/3 Passkeys for GitHub Access +slug: /checks/useHwKeyGithubAccess +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R1 +- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) +- Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) +- How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/useHwKeyGithubNonInteractive.mdx b/docs/checks/useHwKeyGithubNonInteractive.mdx new file mode 100644 index 00000000..0b239ac1 --- /dev/null +++ b/docs/checks/useHwKeyGithubNonInteractive.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 53 +id: 55 +title: Use AAL2/3 Passkeys for Non-Interactive GitHub Access +slug: /checks/useHwKeyGithubNonInteractive +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R1 +- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) +- Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) +- How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + 
diff --git a/docs/checks/useHwKeyOtherContexts.mdx b/docs/checks/useHwKeyOtherContexts.mdx new file mode 100644 index 00000000..4a71c8a3 --- /dev/null +++ b/docs/checks/useHwKeyOtherContexts.mdx @@ -0,0 +1,28 @@ +--- +sidebar_position: 54 +id: 56 +title: Use AAL2/3 Passkeys in All Other Contexts +slug: /checks/useHwKeyOtherContexts +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R1 +- Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html) +- Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/verifiedActionsOnly.mdx b/docs/checks/verifiedActionsOnly.mdx new file mode 100644 index 00000000..f3967056 --- /dev/null +++ b/docs/checks/verifiedActionsOnly.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 38 +id: 40 +title: Limit GitHub Actions to Verified or Trusted Actions +slug: /checks/verifiedActionsOnly +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: P10 +- Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html) +- Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html) +- How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + 
diff --git a/docs/checks/vulnResponse14Days.mdx b/docs/checks/vulnResponse14Days.mdx new file mode 100644 index 00000000..cc482883 --- /dev/null +++ b/docs/checks/vulnResponse14Days.mdx @@ -0,0 +1,27 @@ +--- +sidebar_position: 27 +id: 29 +title: Respond to External Vulnerability Reports in Under 14 Days +slug: /checks/vulnResponse14Days +--- + +## Use Case + +- Incubating: expected +- Active: expected +- Retiring: n/a + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: false +- Priority Group: P7 +- Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]](https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/docs/checks/workflowSecurityScanner.mdx b/docs/checks/workflowSecurityScanner.mdx new file mode 100644 index 00000000..11727ad3 --- /dev/null +++ b/docs/checks/workflowSecurityScanner.mdx @@ -0,0 +1,29 @@ +--- +sidebar_position: 56 +id: 58 +title: Use Workflow Security Scanners +slug: /checks/workflowSecurityScanner +--- + +## Use Case + +- Incubating: recommended +- Active: recommended +- Retiring: recommended + + + +## Description + + + +## Details +- Implementation Status: pending +- C-SCRM: true +- Priority Group: R2 +- Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/) +- Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) +- How To: [Step Security secure-repo](https://github.com/step-security/secure-repo) +- Created at 2024-12-18T20:19:27.410Z +- Updated at 2024-12-18T20:19:27.410Z + diff --git a/package-lock.json b/package-lock.json index 074f3a04..fd0a0e6f 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -11,6 +11,7 @@ "@docusaurus/core": "3.6.3", "@docusaurus/preset-classic": "3.6.3", "@mdx-js/react": "^3.0.0", + "@ulisesgascon/text-tags-manager": "^2.0.0", "clsx": "^2.0.0", "prism-react-renderer": "^2.3.0", "react": "^18.0.0", @@ -4953,6 +4954,15 @@ "integrity": "sha512-I4q9QU9MQv4oEOz4tAHJtNz1cwuLxn2F3xcc2iV5WdqLPpUnj30aUuxt1mAxYTG+oe8CZMV/+6rU4S4gRDzqtQ==", "license": "MIT" }, + "node_modules/@ulisesgascon/text-tags-manager": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@ulisesgascon/text-tags-manager/-/text-tags-manager-2.0.0.tgz", + "integrity": "sha512-H0x8ut2O//hFYDaalfXA3wYobBXXeY+jq2z5Hj4xvhcOY7gB+yFVI+2OBR8wehpcOWoHytGCO6YhBKgfEfr1WQ==", + "license": "MIT", + "engines": { + "node": ">=18.0.0" + } + }, "node_modules/@ungap/structured-clone": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.1.tgz", diff --git a/package.json b/package.json index 96f98748..78323c55 100644 --- a/package.json +++ b/package.json @@ -11,12 +11,14 @@ "clear": "docusaurus clear", "serve": "docusaurus serve", "write-translations": "docusaurus write-translations", - "write-heading-ids": "docusaurus write-heading-ids" + "write-heading-ids": "docusaurus write-heading-ids", + "populate-checks": "node scripts/populate-checks.js" }, "dependencies": { "@docusaurus/core": "3.6.3", "@docusaurus/preset-classic": "3.6.3", "@mdx-js/react": "^3.0.0", + "@ulisesgascon/text-tags-manager": "^2.0.0", "clsx": "^2.0.0", "prism-react-renderer": "^2.3.0", "react": "^18.0.0", diff --git a/scripts/populate-checks.js b/scripts/populate-checks.js new file mode 100644 index 00000000..dd090e48 --- /dev/null +++ b/scripts/populate-checks.js 
@@ -0,0 +1,129 @@
+const { writeFileSync, existsSync, readFileSync } = require('fs')
+const { updateOrCreateSegment } = require('@ulisesgascon/text-tags-manager')
+const path = require('path')
+
+const checks = require('../data/checks.json')
+const levelsStartTag = ''
+const levelsEndTag = ''
+const descriptionStartTag = ''
+const descriptionEndTag = ''
+const detailsStartTag = ''
+const detailsEndTag = ''
+
+// @TODO: Move this function to a shared file
+const replaceMetadata = (fileContent, metadata) => {
+ return fileContent.replace(/---[^]*?---/, metadata)
+}
+
+const addImplementationDetails = (check) => {
+ if (!check.implementation_type) {
+ return ''
+ }
+ let content = `- Implementation Details: It is ${check.implementation_type}`
+ if (check.implementation_details_reference) {
+ content += ` ([details](${check.implementation_details_reference})).`
+ }
+ return content
+}
+
+const addContent = (title, description, url) => {
+ if (!description && !url) {
+ return ''
+ }
+
+ if (url) {
+ return `- ${title}: [${description}](${url})`
+ }
+
+ return `- ${title}: ${description}`
+}
+
+const renderDetails = (check) => {
+ const implementationDetails = addImplementationDetails(check)
+ const mitreDetails = addContent('Mitre', check.mitre_description, check.mitre_url)
+ const sourcesDetails = addContent('Sources', check.sources_description, check.sources_url)
+ const howToDetails = addContent('How To', check.how_to_description, check.how_to_url)
+ let content = '## Details\n'
+ content += `- Implementation Status: ${check.implementation_status}\n`
+ if (implementationDetails) {
+ content += `${implementationDetails}\n`
+ }
+ content += `- C-SCRM: ${check.is_c_scrm}\n`
+ content += `- Priority Group: ${check.priority_group}\n`
+ if (mitreDetails) {
+ content += `${mitreDetails}\n`
+ }
+ if (sourcesDetails) {
+ content += `${sourcesDetails}\n`
+ }
+ if (howToDetails) {
+ content += `${howToDetails}\n`
+ }
+ content += `- Created at ${check.created_at}\n`
+ content 
+= `- Updated at ${check.updated_at}`
+ return content
+}
+
+// Prepare the markdown files
+checks.forEach((check, index) => {
+ const metadata = `---
+sidebar_position: ${index + 1}
+id: ${check.id}
+title: ${check.title}
+slug: /checks/${check.code_name}
+---`.trim()
+ const levelsContent = `
+- Incubating: ${check.level_incubating_status}
+- Active: ${check.level_active_status}
+- Retiring: ${check.level_retiring_status}
+`.trim()
+ const descriptionContent = `## Description
+${typeof check.description === check.description.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`) ? check.description : ''}`.trim()
+ const detailsContent = renderDetails(check)
+
+ let fileContent = `${metadata}
+
+## Use Case
+${levelsStartTag}
+${levelsContent}
+${levelsEndTag}
+
+${descriptionStartTag}
+${descriptionContent}
+${descriptionEndTag}
+
+${detailsStartTag}
+${detailsContent}
+${detailsEndTag}
+`
+ const updateContent = (currentContent) => {
+ fileContent = currentContent
+ replaceMetadata(fileContent, metadata)
+ fileContent = updateOrCreateSegment({
+ original: fileContent,
+ replacementSegment: levelsContent,
+ startTag: levelsStartTag,
+ endTag: levelsEndTag
+ })
+ fileContent = updateOrCreateSegment({
+ original: fileContent,
+ replacementSegment: descriptionContent,
+ startTag: descriptionStartTag,
+ endTag: descriptionEndTag
+ })
+ fileContent = updateOrCreateSegment({
+ original: fileContent,
+ replacementSegment: detailsContent,
+ startTag: detailsStartTag,
+ endTag: detailsEndTag
+ })
+ }
+
+ const destination = path.join(process.cwd(), `docs/checks/${check.code_name}.mdx`)
+ const fileExists = existsSync(destination)
+ if (fileExists) {
+ const currentFileContent = readFileSync(destination, 'utf8')
+ updateContent(currentFileContent)
+ }
+ writeFileSync(destination, fileContent)
+})
\ No newline at end of file
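Review bot: The guard in `descriptionContent`, `typeof check.description === check.description.replace(/[&<>"']/g, …)`, compares the result of `typeof` (`'string'`, `'undefined'`, …) with the escaped description text, so it is false for any real description and the ternary yields `''`; it also throws when `description` is null or undefined because `.replace` runs before the type is known, and the escaping it builds is never applied to what is written. The intended check is presumably `${typeof check.description === 'string' ? check.description : ''}`, with any escaping applied to the emitted value instead; most `## Description` sections in the .mdx files generated by this commit are empty, which is consistent with the current expression. In `updateContent`, `replaceMetadata(fileContent, metadata)` discards its return value — `String.prototype.replace` returns a new string — so an existing file keeps its stale frontmatter; it should read `fileContent = replaceMetadata(currentContent, metadata)`. `destination` is built from `check.code_name` out of the imported JSON without validation, and `title: ${check.title}` is written into YAML unquoted; rejecting a `code_name` that does not match `/^[A-Za-z0-9_-]+$/` before `writeFileSync` keeps every write inside `docs/checks/`, and `title: ${JSON.stringify(check.title)}` keeps a title containing `:` or `#` from breaking the frontmatter. The rewritten lines are sketched below.
```javascript
checks.forEach((check, index) => {
  // … unchanged: metadata (with `title: ${JSON.stringify(check.title)}`) and levelsContent …
  const descriptionContent = `## Description
${typeof check.description === 'string' ? check.description : ''}`.trim()
  // … unchanged: detailsContent and the fileContent template …
  const updateContent = (currentContent) => {
    fileContent = replaceMetadata(currentContent, metadata)
    // … unchanged: the three updateOrCreateSegment calls …
  }

  if (!/^[A-Za-z0-9_-]+$/.test(check.code_name)) {
    throw new Error(`Refusing to write check ${check.id}: unsafe code_name`)
  }
  const destination = path.join(process.cwd(), `docs/checks/${check.code_name}.mdx`)
  // … unchanged: existsSync / readFileSync / updateContent / writeFileSync …
})
```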