From 96f8e43a3b73c6dde3516ccdf6be813f2c408ca8 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Sun, 22 Dec 2024 04:04:31 +0000
Subject: [PATCH 1/2] chore: sync with visionBoard Checks

---
 data/checks.json | 3602 +++++++++++++++++++++++-----------------------
 1 file changed, 1801 insertions(+), 1801 deletions(-)

diff --git a/data/checks.json b/data/checks.json
index c4db91ef..c47db947 100644
--- a/data/checks.json
+++ b/data/checks.json
@@ -1,1802 +1,1802 @@ [ - { - "id": 2, - "title": "Training on OWASP Top 10 or Equivalent", - "description": "At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent", - "section_number": "7", - "section_name": "code quality", - "code_name": "owaspTop10Training", - "priority_group": "P0", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://attack.mitre.org/mitigations/M1013/", - "mitre_description": "M1013", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors", - "sources_description": "OpenSSF Best Practices Badge Passing Level [know_common_errors]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/owaspTop10Training", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 4, - "title": "Enforce MFA in npm Organization(s)", - "description": "Multi Factor Authentication (MFA) Enforced Across the npm Organization", - "section_number": "1", - "section_name": "user authentication", - "code_name": "npmOrgMFA", - "priority_group": "P1", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": "https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization", - "how_to_description": "npm Docs", - "sources_url": "https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md", - "sources_description": "OpenSSF npm Best Practices", - "implementation_status": "pending", - "implementation_type": null, - 
"implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/npmOrgMFA", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 5, - "title": "Enforce MFA in all the tools", - "description": "Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible", - "section_number": "1", - "section_name": "user authentication", - "code_name": "orgToolingMFA", - "priority_group": "P1", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md", - "sources_description": "CNCF CNSWP v1.0", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/orgToolingMFA", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 6, - "title": "Use MFA against impersonation", - "description": "Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available ", - "section_number": "1", - "section_name": "user authentication", - "code_name": "MFAImpersonationDefense", - "priority_group": "P1", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/290.html", - "mitre_description": "CWE-290", - "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa", - "how_to_description": "Github Docs", - "sources_url": 
"https://www.bestpractices.dev/en/criteria/2#2.secure_2FA", - "sources_description": "OpenSSF Best Practices Badge Gold Level [secure_2FA]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/MFAImpersonationDefense", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 7, - "title": "Check sensitive information", - "description": "No Secrets and Credentials in Source Code", - "section_number": "3", - "section_name": "service authentication", - "code_name": "noSensitiveInfoInRepositories", - "priority_group": "P2", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", - "mitre_description": "CWE-540", - "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "how_to_description": "Github Docs", - "sources_url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", - "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/noSensitiveInfoInRepositories", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 8, - "title": "Ensure that the secrets are injected at runtime", - "description": "Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)", - "section_number": "3", - "section_name": "service authentication", - "code_name": "injectedSecretsAtRuntime", - "priority_group": "P2", - "is_c_scrm": true, - "level_incubating_status": "expected", - 
"level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/538.html", - "mitre_description": "CWE-538", - "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption", - "sources_description": "CNCF CNSWP 2.0 #195", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/injectedSecretsAtRuntime", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 9, - "title": "Ensure that all the commits are scanned", - "description": "All Commits are Scanned for Secrets and Credentials ", - "section_number": "7", - "section_name": "code quality", - "code_name": "scanCommitsForSensitiveInfo", - "priority_group": "P2", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", - "mitre_description": "CWE-540", - "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144", - "sources_description": "CNCF SSCP v1.0 #184", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/scanCommitsForSensitiveInfo", - "created_at": "2024-12-18T20:19:27.410Z", - 
"updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 10, - "title": "Block New Commits with Secrets or Credentials", - "description": "New Commits Containing Secrets or Credentials are Blocked from Merging", - "section_number": "7", - "section_name": "code quality", - "code_name": "preventLandingSensitiveCommits", - "priority_group": "P2", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/358.html", - "mitre_description": "CWE-358", - "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "how_to_description": "Github Docs", - "sources_url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", - "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/preventLandingSensitiveCommits", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 11, - "title": "Use SSH Keys with Passphrases for Repository Access", - "description": "Use SSH keys for developer access to source code repositories and use a passphrase", - "section_number": "1", - "section_name": "user authentication", - "code_name": "SSHKeysRequired", - "priority_group": "P3", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/309.html", - "mitre_description": "CWE-309", - "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh", - "how_to_description": "Github Docs", - "sources_url": 
"https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories", - "sources_description": "CNCF SSCP v1.0 #192", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/SSHKeysRequired", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 12, - "title": "Publish to npm Using MFA-Enabled Accounts", - "description": "Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens", - "section_number": "3", - "section_name": "service authentication", - "code_name": "npmPublicationMFA", - "priority_group": "P3", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://docs.npmjs.com/creating-and-viewing-access-tokens", - "sources_description": "npm Docs", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/npmPublicationMFA", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 13, - "title": "Secure GitHub Webhooks with Secrets", - "description": "Github Webhooks Use Secrets", - "section_number": "3", - "section_name": "service authentication", - "code_name": "githubWebhookSecrets", - "priority_group": "P3", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": 
"https://cwe.mitre.org/data/definitions/306", - "mitre_description": "CWE-306", - "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWebhookSecrets", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 14, - "title": "Restrict Default GitHub Org Member Permissions", - "description": "Default Github Org Member Permissions Should Be Restricted", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "restrictedOrgPermissions", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/180.html", - "mitre_description": "CAPEC-180", - "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization", - "how_to_description": "Github Docs", - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictedOrgPermissions", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 15, - "title": "Allow Only Admins to Create Public 
Repositories", - "description": "Only Admins Should Be Able To Create Public Repositories", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "adminRepoCreationOnly", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/122.html", - "mitre_description": "CAPEC-122", - "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", - "how_to_description": "Github Docs", - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/adminRepoCreationOnly", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 16, - "title": "Prevent Admins from Bypassing Branch Protection", - "description": "[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "preventBranchProtectionBypass", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/122.html", - "mitre_description": "CAPEC-122", - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings", - "how_to_description": "Github Docs", - "sources_url": 
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "sources_description": "Github Supply Chain Security Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/preventBranchProtectionBypass", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 17, - "title": "Define Roles Aligned to Functional Responsibilities", - "description": "Define roles aligned to functional responsibilities", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "defineFunctionalRoles", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/122.html", - "mitre_description": "CAPEC-122", - "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities", - "sources_description": "CNCF SSCP v1.0 #188", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/defineFunctionalRoles", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 18, - "title": "Define Teams/Individuals with Write Access to Repositories", - "description": "Define Individuals/Teams who Write Access to a Github Repo", - 
"section_number": "2", - "section_name": "user account permissions", - "code_name": "githubWriteAccessRoles", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/180.html", - "mitre_description": "CAPEC-180", - "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions", - "sources_description": "CNCF SSCP v1.0 #185", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWriteAccessRoles", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 19, - "title": "Configure Two or more Owners for Access Continuity", - "description": "[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "twoOrMoreOwnersForAccess", - "priority_group": "P4", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://attack.mitre.org/mitigations/M1026/", - "mitre_description": "M1026", - "how_to_url": "https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization", - "how_to_description": "Github Docs", - "sources_url": 
"https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity", - "sources_description": "OpenSSF Best Practices Badge Silver Level [access_continuity]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/twoOrMoreOwnersForAccess", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 20, - "title": "Patch Actively Exploited Critical Vulnerabilities within 30 Days", - "description": "Actively Exploited Critical Vulnerabilities Patched within 30 Days", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "patchCriticalVulns30Days", - "priority_group": "P5", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", - "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/patchCriticalVulns30Days", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 21, - "title": "Patch Non-Critical Vulnerabilities within 90 Days", - "description": "Non-Critical Exploitable Vulnerabilities Patched within 90 Days", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "patchNonCriticalVulns90Days", - "priority_group": "P5", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": 
"n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html", - "sources_description": "Google Project Zero Vulnerability Disclosure Policy", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/patchNonCriticalVulns90Days", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 22, - "title": "Automate Dependency Vulnerability Identification", - "description": "An automated process to identify dependencies with publicly disclosed vulnerabilities", - "section_number": "11", - "section_name": "dependency management", - "code_name": "automateVulnDetection", - "priority_group": "P6", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/1395.html", - "mitre_description": "CWE-1395", - "how_to_url": "https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories", - "how_to_description": "Github Docs", - "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "sources_description": "OWASP SCVS L1 5.4", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/automateVulnDetection", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 23, - "title": "Use Automated Static Code Analysis Tools", - "description": "Use an Automated Static Code Analysis Tool (eg: ESLInt)", - "section_number": "7", - 
"section_name": "code quality", - "code_name": "staticCodeAnalysis", - "priority_group": "P6", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html", - "mitre_description": "CWE-1076", - "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", - "how_to_description": "ESLint Docs", - "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "sources_description": "OWASP SCVS L1 5.1", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/staticCodeAnalysis", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 24, - "title": "Address Compiler/Linter Warnings Before Merging", - "description": "Compilers/Linter Warnings Addressed in order to Merge", - "section_number": "7", - "section_name": "code quality", - "code_name": "resolveLinterWarnings", - "priority_group": "P6", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1127.html", - "mitre_description": "CWE-1127", - "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", - "how_to_description": "ESLint Docs", - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict", - "sources_description": "OpenSSF Best Practices Badge Silver Level [warnings_strict]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/resolveLinterWarnings", - "created_at": "2024-12-18T20:19:27.410Z", - 
"updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 25, - "title": "Use Static Application Security Testing for All Commits", - "description": "All Commits are Scanned by a Static Application Security Testing Tool", - "section_number": "7", - "section_name": "code quality", - "code_name": "staticAppSecTesting", - "priority_group": "P6", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html", - "mitre_description": "CWE-1076", - "how_to_url": "https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql", - "how_to_description": "CodeQL Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast", - "sources_description": "OWASP SCVS L1 6.6OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/staticAppSecTesting", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 26, - "title": "Require Commit Status Checks to Pass Before Merging", - "description": "All Required Commit Status Checks must pass before Merging", - "section_number": "7", - "section_name": "code quality", - "code_name": "commitStatusChecks", - "priority_group": "P6", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/358.html", - "mitre_description": "CWE-358", - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", - "how_to_description": "Github Docs", - "sources_url": 
"https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/commitStatusChecks", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 27, - "title": "Ensure Security.md Meets OpenJS CVD Guidelines", - "description": "Security.md Meets OpenJS CVD Guidelines ", - "section_number": "6", - "section_name": "coordinated vulnerability disclosure", - "code_name": "securityMdMeetsOpenJSCVD", - "priority_group": "P7", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/securityMdMeetsOpenJSCVD", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 28, - "title": "Use CVD Tools to Manage Vulnerability Reports", - "description": "Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)", - "section_number": "6", - "section_name": "coordinated vulnerability disclosure", - "code_name": "useCVDToolForVulns", - "priority_group": "P7", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": 
"https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization", - "how_to_description": "Github Docs", - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private", - "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/useCVDToolForVulns", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 29, - "title": "Respond to External Vulnerability Reports in Under 14 Days", - "description": "All External Vulnerability Reports Responded to <14 Days", - "section_number": "6", - "section_name": "coordinated vulnerability disclosure", - "code_name": "vulnResponse14Days", - "priority_group": "P7", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response", - "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/vulnResponse14Days", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 30, - "title": "Define Clear Communication and Incident Response Plans", - "description": "Establish a Clear Communication and Incident Response Plan", - "section_number": "6", - "section_name": 
"coordinated vulnerability disclosure", - "code_name": "incidentResponsePlan", - "priority_group": "P7", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://best.openssf.org/SCM-BestPractices/#operations", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/incidentResponsePlan", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 31, - "title": "Assign CVEs to All Known Security Vulnerabilities", - "description": "All Known Security Vulnerabilities are Issued a CVE", - "section_number": "6", - "section_name": "coordinated vulnerability disclosure", - "code_name": "assignCVEForKnownVulns", - "priority_group": "P7", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", - "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/assignCVEForKnownVulns", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 32, - "title": "Include CVE IDs in Release Notes for Security Fixes", - "description": "Release Notes must Include the CVE ID of Patched Security 
Vulnerabilities", - "section_number": "6", - "section_name": "coordinated vulnerability disclosure", - "code_name": "includeCVEInReleaseNotes", - "priority_group": "P7", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", - "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/includeCVEInReleaseNotes", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 33, - "title": "Create Regression Tests for Bugs and Security Vulnerabilities", - "description": "Regression Tests for => 50% of Bugs and 100% of Security Vulns", - "section_number": "7", - "section_name": "code quality", - "code_name": "regressionTestsForVulns", - "priority_group": "P8", - "is_c_scrm": false, - "level_incubating_status": "deferrable", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50", - "sources_description": "OpenSSF Best Practices Badge Silver Level [regression_tests_added50]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/regressionTestsForVulns", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - 
"id": 34, - "title": "Set Default GitHub Workflow Token Permissions to Read Only", - "description": "Github Org Default Workflow Token Permissions are Set to Read Only", - "section_number": "4", - "section_name": "github workflow permissions", - "code_name": "defaultTokenPermissionsReadOnly", - "priority_group": "P9", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", - "mitre_description": "CWE-250", - "how_to_url": null, - "how_to_description": null, - "sources_url": null, - "sources_description": null, - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/defaultTokenPermissionsReadOnly", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 35, - "title": "Prevent Workflows from Creating or Approving PRs", - "description": "Workflows are not Allowed To Create or Approve Pull Requests", - "section_number": "4", - "section_name": "github workflow permissions", - "code_name": "blockWorkflowPRApproval", - "priority_group": "P9", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", - "mitre_description": "CWE-250", - "how_to_url": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - 
"implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/blockWorkflowPRApproval", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 36, - "title": "Disable Force Push on Default Branch", - "description": "Prevent Force Push on Default Branch", - "section_number": "9", - "section_name": "source control", - "code_name": "noForcePushDefaultBranch", - "priority_group": "P9", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/noForcePushDefaultBranch", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 37, - "title": "Prevent Deletion of Default Branch", - "description": "Prevent Default Branch Deletion", - "section_number": "9", - "section_name": "source control", - "code_name": "preventDeletionDefaultBranch", - "priority_group": "P9", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/267.html", - "mitre_description": "CWE-267", - "how_to_url": 
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/preventDeletionDefaultBranch", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 38, - "title": "Require Default Branch Updates Before Merging", - "description": "Default Branch must be Up to Date before Merging", - "section_number": "9", - "section_name": "source control", - "code_name": "upToDateDefaultBranchBeforeMerge", - "priority_group": "P9", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/upToDateDefaultBranchBeforeMerge", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 39, - "title": "Restrict GitHub Org Secrets to Specific Repositories", - "description": "GitHub Organization Secrets are Restricted to Selected Repositories", - 
"section_number": "4", - "section_name": "github workflows", - "code_name": "restrictOrgSecrets", - "priority_group": "P10", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", - "mitre_description": "CWE-250", - "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository", - "how_to_description": "Github Docs", - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictOrgSecrets", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 40, - "title": "Limit GitHub Actions to Verified or Trusted Actions", - "description": "GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions", - "section_number": "4", - "section_name": "github workflows", - "code_name": "verifiedActionsOnly", - "priority_group": "P10", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html", - "mitre_description": "CWE-1357", - "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run", - "how_to_description": "Github Docs", - "sources_url": 
"https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/verifiedActionsOnly", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 41, - "title": "Disable Self-Hosted Runners in GitHub Org", - "description": "Disable use of Self-Hosted Runners in Github Org", - "section_number": "4", - "section_name": "github workflows", - "code_name": "noSelfHostedRunners", - "priority_group": "P10", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://capec.mitre.org/data/definitions/439.html", - "mitre_description": "CAPEC-439", - "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners", - "how_to_description": "Github Docs", - "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", - "sources_description": "Github Action Hardening Docs", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/noSelfHostedRunners", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 42, - "title": "Restrict Build Pipeline Code Execution to Build Scripts", - "description": "Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script", - "section_number": "4", - "section_name": "github workflows", - "code_name": "noArbitraryCodeInPipeline", - 
"priority_group": "P11", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/94.html", - "mitre_description": "CWE-94", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/noArbitraryCodeInPipeline", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 43, - "title": "Limit Workflow Write Permissions to Job-Level", - "description": "Only Allow Workflows Write Permissions at the Job-Level", - "section_number": "4", - "section_name": "github workflows", - "code_name": "limitWorkflowWritePermissions", - "priority_group": "P11", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/250.html", - "mitre_description": "CWE-250", - "how_to_url": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/limitWorkflowWritePermissions", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 44, - "title": "Avoid Script Injection from Untrusted Variables", - 
"description": "Avoid Script Injection from Untrusted Context Variables", - "section_number": "4", - "section_name": "github workflows", - "code_name": "preventScriptInjection", - "priority_group": "P11", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/454.html", - "mitre_description": "CWE-454", - "how_to_url": "https://securitylab.github.com/research/github-actions-untrusted-input/", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/preventScriptInjection", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 45, - "title": "Document Consistent and Automated Build Processes", - "description": "Consistent and Automated Build Process is Documented and Used", - "section_number": "4", - "section_name": "github workflows", - "code_name": "consistentBuildProcessDocs", - "priority_group": "P12", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1068.html", - "mitre_description": "CWE-1068", - "how_to_url": null, - "how_to_description": null, - "sources_url": null, - "sources_description": null, - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/consistentBuildProcessDocs", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 46, - 
"title": "Support Older Versions or Provide Upgrade Paths", - "description": "Commonly Used Older Versions Supported or Upgrade Path Provided/Documented", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "upgradePathDocs", - "priority_group": "P12", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update", - "sources_description": "OpenSSF Best Practices Badge Silver Level [maintenance_or_update]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/upgradePathDocs", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 47, - "title": "Document Software Architecture", - "description": "[For Projects with Two or more Maintainers] Document Software Architecture", - "section_number": "8", - "section_name": "code review", - "code_name": "softwareArchitectureDocs", - "priority_group": "P12", - "is_c_scrm": false, - "level_incubating_status": "deferrable", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1053.html", - "mitre_description": "CWE-1053", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture", - "sources_description": "OpenSSF Best Practices Badge Silver Level [documentation_architecture]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": 
"https://openjs-security-program-standards.netlify.app/details/softwareArchitectureDocs", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 48, - "title": "Automate CI/CD Steps in Code-Based Pipelines", - "description": "CI/CD steps should all be automated through a pipeline defined as code", - "section_number": "9", - "section_name": "source control", - "code_name": "ciAndCdPipelineAsCode", - "priority_group": "P12", - "is_c_scrm": true, - "level_incubating_status": "deferrable", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code", - "sources_description": "CNCF SSCP 1.0 #158", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/ciAndCdPipelineAsCode", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 49, - "title": "Pin Actions with Secrets to Full-Length Commit SHAs", - "description": "Pin Actions with Access to Secrets to a Full Length Commit SHA", - "section_number": "4", - "section_name": "github workflows", - "code_name": "pinActionsToSHA", - "priority_group": "P13", - "is_c_scrm": true, - "level_incubating_status": "deferrable", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html", - "mitre_description": "CWE-1357", - "how_to_url": null, - "how_to_description": null, - 
"sources_url": "https://securitylab.github.com/research/github-actions-building-blocks/", - "sources_description": "Github Docs", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/pinActionsToSHA", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 50, - "title": "Automate Monitoring of Outdated Dependencies", - "description": "Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies", - "section_number": "10", - "section_name": "dependency inventory", - "code_name": "automateDependencyManagement", - "priority_group": "P14", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://socket.dev/", - "how_to_description": "Socket.Dev", - "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "sources_description": "OWASP SCVS L1 5.7", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/automateDependencyManagement", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 51, - "title": "Provide Machine-Readable Dependency Lists", - "description": "[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software", - "section_number": "10", - "section_name": "dependency inventory", - "code_name": "machineReadableDependencies", - "priority_group": "P14", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - 
"mitre_description": null, - "how_to_url": "https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph", - "how_to_description": "Github Docs", - "sources_url": "https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements", - "sources_description": "OWASP SCVS L1 1.3", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/machineReadableDependencies", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 52, - "title": "Uniquely Identify Modified Dependencies", - "description": "Modified dependencies are uniquely identified and distinct from origin dependency", - "section_number": "10", - "section_name": "dependency inventory", - "code_name": "identifyModifiedDependencies", - "priority_group": "P14", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/", - "sources_description": "OWASP SCVS L2 6.5", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/identifyModifiedDependencies", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 53, - "title": "Refresh Dependencies with Annual Releases", - "description": "A new release to refresh dependencies occurs at least annually", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "annualDependencyRefresh", - "priority_group": "P14", - "is_c_scrm": 
true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained", - "sources_description": "OpenSSF Best Practices Badge Passing Level [maintained]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/annualDependencyRefresh", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 54, - "title": "Use AAL2/3 Passkeys for GitHub Access", - "description": "{\"url\":\"http://github.com/\",\"description\":\"Github.com\"}", - "section_number": "1", - "section_name": "user authentication", - "code_name": "useHwKeyGithubAccess", - "priority_group": "R1", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "sources_description": "OpenSSF Great MFA Project Security Rationale", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubAccess", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 55, - "title": 
"Use AAL2/3 Passkeys for Non-Interactive GitHub Access", - "description": "Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", - "section_number": "1", - "section_name": "user authentication", - "code_name": "useHwKeyGithubNonInteractive", - "priority_group": "R1", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "sources_description": "OpenSSF Great MFA Project Security Rationale", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubNonInteractive", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 56, - "title": "Use AAL2/3 Passkeys in All Other Contexts", - "description": "All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", - "section_number": "1", - "section_name": "user authentication", - "code_name": "useHwKeyOtherContexts", - "priority_group": "R1", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": null, - "how_to_description": null, - "sources_url": 
"https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "sources_description": "OpenSSF Great MFA Project Security Rationale", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyOtherContexts", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 57, - "title": "Require Approval for Forked Workflow Changes", - "description": "Limit changes from forks to workflows by requiring approval for all outside collaborators", - "section_number": "4", - "section_name": "github workflows", - "code_name": "forkWorkflowApproval", - "priority_group": "R2", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://capec.mitre.org/data/definitions/180.html", - "mitre_description": "CAPEC-180", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories", - "sources_description": "Github Docs", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/forkWorkflowApproval", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 58, - "title": "Use Workflow Security Scanners", - "description": "Use a Workflow Security Scanner", - "section_number": "4", - "section_name": "github workflows", - "code_name": "workflowSecurityScanner", - "priority_group": "R2", - "is_c_scrm": true, - "level_incubating_status": "recommended", - 
"level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://attack.mitre.org/mitigations/M1047/", - "mitre_description": "M1047", - "how_to_url": "https://github.com/step-security/secure-repo", - "how_to_description": "Step Security secure-repo", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/workflowSecurityScanner", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 59, - "title": "Use GitHub Runner Security Scanners", - "description": "Use a Github Runner Security Scanner", - "section_number": "4", - "section_name": "github workflows", - "code_name": "runnerSecurityScanner", - "priority_group": "R2", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://attack.mitre.org/mitigations/M1047/", - "mitre_description": "M1047", - "how_to_url": "https://github.com/step-security/harden-runner", - "how_to_description": "Step Security harden-runner", - "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", - "sources_description": "Github Action Hardening Docs", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/runnerSecurityScanner", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 60, - "title": "Require Active Admins in GitHub Org (Activity in 6 Months)", - "description": "Github Organization 
Admins Should Have Activity In The Last 6 Months", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "activeAdminsSixMonths", - "priority_group": "R3", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "n/a", - "mitre_url": "https://attack.mitre.org/mitigations/M1026/", - "mitre_description": "M1026", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/activeAdminsSixMonths", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 61, - "title": "Require Active Members with Write Access (Activity in 6 Months)", - "description": "Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "activeWritersSixMonths", - "priority_group": "R3", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "n/a", - "mitre_url": "https://attack.mitre.org/mitigations/M1026/", - "mitre_description": "M1026", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/activeWritersSixMonths", - "created_at": "2024-12-18T20:19:27.410Z", - 
"updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 62, - "title": "Require Pull Requests Before Merging", - "description": "Require Pull Requests before Merging", - "section_number": "9", - "section_name": "source control", - "code_name": "PRsBeforeMerge", - "priority_group": "R4", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://cwe.mitre.org/data/definitions/778.html", - "mitre_description": "CWE-778", - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/PRsBeforeMerge", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 63, - "title": "Enforce Commit Signoff for Web-Based Commits", - "description": "Github Org Requires Commit Signoff for Web-Based Commits", - "section_number": "9", - "section_name": "source control", - "code_name": "commitSignoffForWeb", - "priority_group": "R4", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization", - "how_to_description": "Github Docs", - "sources_url": 
"https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", - "sources_description": "CNCF SSCP 1.0 #325", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/commitSignoffForWeb", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 64, - "title": "Require Signed Commits", - "description": "Require Signed Commits", - "section_number": "9", - "section_name": "source control", - "code_name": "requireSignedCommits", - "priority_group": "R4", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", - "sources_description": "CNCF SSCP 1.0 #325", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/requireSignedCommits", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 65, - "title": "Include package-lock.json in Releases (Freestanding Apps)", - "description": "[Freestanding Applications Only] Commit a package-lock.json file with each release", - "section_number": "10", - "section_name": "dependency inventory", - "code_name": "includePackageLock", - "priority_group": "R5", - "is_c_scrm": true, - 
"level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": null, - "mitre_description": null, - "how_to_url": "https://docs.npmjs.com/cli/v10/commands/npm-sbom", - "how_to_description": "npm Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/includePackageLock", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 66, - "title": "Require Two-Party Review (Two+ Maintainers)", - "description": "[For Projects with Two or more Maintainers] Require Two Party Review", - "section_number": "8", - "section_name": "code review", - "code_name": "requireTwoPartyReview", - "priority_group": "R6", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "n/a", - "mitre_url": "https://capec.mitre.org/data/definitions/670.html", - "mitre_description": "CAPEC-670", - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/requireTwoPartyReview", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 67, - "title": "Require Code Owners Review (Four+ 
Maintainers)", - "description": "[For Projects with Four or more Maintainers] Require Code Owners Review", - "section_number": "8", - "section_name": "code review", - "code_name": "requireCodeOwnersReviewForLargeTeams", - "priority_group": "R6", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "n/a", - "mitre_url": "https://capec.mitre.org/data/definitions/670.html", - "mitre_description": "CAPEC-670", - "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", - "sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/requireCodeOwnersReviewForLargeTeams", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 68, - "title": "Require Approved PRs for Mainline Commits (Two+ Maintainers)", - "description": "[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches", - "section_number": "9", - "section_name": "source control", - "code_name": "requirePRApprovalForMainline", - "priority_group": "R6", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://capec.mitre.org/data/definitions/670.html", - "mitre_description": "CAPEC-670", - "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "how_to_description": "Github Docs", - "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - 
"sources_description": "OpenSSF Scorecard", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/requirePRApprovalForMainline", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 69, - "title": "Limit GitHub Org Owners to Fewer Than Three", - "description": "Limit Number of Github Org Owners (ideally Fewer Than Three)", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "limitOrgOwners", - "priority_group": "R7", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://attack.mitre.org/mitigations/M1026/", - "mitre_description": "M1026", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/limitOrgOwners", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 70, - "title": "Limit GitHub Repo Admins to Fewer Than Three", - "description": "Limit Number of Github Repository Admins (ideally Fewer Than Three)", - "section_number": "2", - "section_name": "user account permissions", - "code_name": "limitRepoAdmins", - "priority_group": "R7", - "is_c_scrm": true, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "recommended", - "mitre_url": "https://capec.mitre.org/data/definitions/180.html", - "mitre_description": "CAPEC-180", - "how_to_url": null, - 
"how_to_description": null, - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html", - "sources_description": "OpenSSF SCM Best Practices", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/limitRepoAdmins", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 71, - "title": "Patch Critical/High Vulnerabilities in 14 Days", - "description": "Actively Exploited Critical and High Vulnerabilities Patched within 14 Days", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "patchExploitableHighVulns14Days", - "priority_group": "R8", - "is_c_scrm": false, - "level_incubating_status": "recommended", - "level_active_status": "recommended", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", - "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableHighVulns14Days", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 72, - "title": "Patch Non-Critical Vulnerabilities in 60 Days", - "description": "Non-Critical Expoitable Vulnerabilities Patched within 60 Days", - "section_number": "5", - "section_name": "vulnerability management", - "code_name": "patchExploitableNoncCriticalVulns60Days", - "priority_group": "R8", - "is_c_scrm": false, - "level_incubating_status": "recommended", - "level_active_status": 
"recommended", - "level_retiring_status": "n/a", - "mitre_url": null, - "mitre_description": null, - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days", - "sources_description": "OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]", - "implementation_status": "pending", - "implementation_type": null, - "implementation_details_reference": null, - "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableNoncCriticalVulns60Days", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 3, - "title": "Enforce MFA in GitHub Organization(s)", - "description": "Multi Factor Authentication (MFA) Enforced Across the Github Organization", - "section_number": "1", - "section_name": "user authentication", - "code_name": "githubOrgMFA", - "priority_group": "P1", - "is_c_scrm": true, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", - "mitre_description": "CWE-308", - "how_to_url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", - "how_to_description": "Github Docs", - "sources_url": "https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html", - "sources_description": "OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]", - "implementation_status": "completed", - "implementation_type": "computed", - "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/43", - "details_url": "https://openjs-security-program-standards.netlify.app/details/githubOrgMFA", - "created_at": "2024-12-18T20:19:27.410Z", - 
"updated_at": "2024-12-18T20:19:27.410Z" - }, - { - "id": 1, - "title": "Training on Secure Software Design", - "description": "At least One Primary Maintainer has taken TBD Training on Secure Software Design", - "section_number": "7", - "section_name": "code quality", - "code_name": "softwareDesignTraining", - "priority_group": "P0", - "is_c_scrm": false, - "level_incubating_status": "expected", - "level_active_status": "expected", - "level_retiring_status": "expected", - "mitre_url": "https://attack.mitre.org/mitigations/M1013/", - "mitre_description": "M1013", - "how_to_url": null, - "how_to_description": null, - "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design", - "sources_description": "OpenSSF Best Practices Badge Passing Level [know_secure_design]", - "implementation_status": "completed", - "implementation_type": "manual", - "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/52", - "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareDesignTraining", - "created_at": "2024-12-18T20:19:27.410Z", - "updated_at": "2024-12-18T20:19:27.410Z" - } - ] \ No newline at end of file + { + "id": 2, + "title": "Training on OWASP Top 10 or Equivalent", + "description": "At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent", + "section_number": "7", + "section_name": "code quality", + "code_name": "owaspTop10Training", + "priority_group": "P0", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://attack.mitre.org/mitigations/M1013/", + "mitre_description": "M1013", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors", + "sources_description": "OpenSSF Best Practices Badge Passing Level 
[know_common_errors]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/owaspTop10Training", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 4, + "title": "Enforce MFA in npm Organization(s)", + "description": "Multi Factor Authentication (MFA) Enforced Across the npm Organization", + "section_number": "1", + "section_name": "user authentication", + "code_name": "npmOrgMFA", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization", + "how_to_description": "npm Docs", + "sources_url": "https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md", + "sources_description": "OpenSSF npm Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/npmOrgMFA", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 5, + "title": "Enforce MFA in all the tools", + "description": "Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible", + "section_number": "1", + "section_name": "user authentication", + "code_name": "orgToolingMFA", + "priority_group": "P1", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + 
"how_to_description": null, + "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md", + "sources_description": "CNCF CNSWP v1.0", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/orgToolingMFA", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 6, + "title": "Use MFA against impersonation", + "description": "Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available ", + "section_number": "1", + "section_name": "user authentication", + "code_name": "MFAImpersonationDefense", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/290.html", + "mitre_description": "CWE-290", + "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa", + "how_to_description": "Github Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria/2#2.secure_2FA", + "sources_description": "OpenSSF Best Practices Badge Gold Level [secure_2FA]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/MFAImpersonationDefense", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 7, + "title": "Check sensitive information", + "description": "No Secrets and Credentials in Source Code", + "section_number": "3", + "section_name": "service authentication", + "code_name": "noSensitiveInfoInRepositories", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + 
"level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", + "mitre_description": "CWE-540", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", + "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/noSensitiveInfoInRepositories", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 8, + "title": "Ensure that the secrets are injected at runtime", + "description": "Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)", + "section_number": "3", + "section_name": "service authentication", + "code_name": "injectedSecretsAtRuntime", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/538.html", + "mitre_description": "CWE-538", + "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption", + "sources_description": "CNCF CNSWP 2.0 #195", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/injectedSecretsAtRuntime", + "created_at": 
"2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 9, + "title": "Ensure that all the commits are scanned", + "description": "All Commits are Scanned for Secrets and Credentials ", + "section_number": "7", + "section_name": "code quality", + "code_name": "scanCommitsForSensitiveInfo", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/540.html", + "mitre_description": "CWE-540", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144", + "sources_description": "CNCF SSCP v1.0 #184", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/scanCommitsForSensitiveInfo", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 10, + "title": "Block New Commits with Secrets or Credentials", + "description": "New Commits Containing Secrets or Credentials are Blocked from Merging", + "section_number": "7", + "section_name": "code quality", + "code_name": "preventLandingSensitiveCommits", + "priority_group": "P2", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": "https://cwe.mitre.org/data/definitions/358.html", + "mitre_description": "CWE-358", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": 
"https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", + "sources_description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/preventLandingSensitiveCommits", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 11, + "title": "Use SSH Keys with Passphrases for Repository Access", + "description": "Use SSH keys for developer access to source code repositories and use a passphrase", + "section_number": "1", + "section_name": "user authentication", + "code_name": "SSHKeysRequired", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/309.html", + "mitre_description": "CWE-309", + "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories", + "sources_description": "CNCF SSCP v1.0 #192", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/SSHKeysRequired", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 12, + "title": "Publish to npm Using MFA-Enabled Accounts", + "description": "Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens", + "section_number": "3", + "section_name": "service authentication", + "code_name": 
"npmPublicationMFA", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://docs.npmjs.com/creating-and-viewing-access-tokens", + "sources_description": "npm Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/npmPublicationMFA", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 13, + "title": "Secure GitHub Webhooks with Secrets", + "description": "Github Webhooks Use Secrets", + "section_number": "3", + "section_name": "service authentication", + "code_name": "githubWebhookSecrets", + "priority_group": "P3", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/306", + "mitre_description": "CWE-306", + "how_to_url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWebhookSecrets", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 14, + "title": "Restrict Default GitHub Org Member Permissions", + "description": "Default Github Org Member Permissions Should Be Restricted", + "section_number": 
"2", + "section_name": "user account permissions", + "code_name": "restrictedOrgPermissions", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictedOrgPermissions", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 15, + "title": "Allow Only Admins to Create Public Repositories", + "description": "Only Admins Should Be Able To Create Public Repositories", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "adminRepoCreationOnly", + "priority_group": "P4", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://capec.mitre.org/data/definitions/122.html", + "mitre_description": "CAPEC-122", + "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html", + "sources_description": "OpenSSF SCM Best Practices", + 
"implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/adminRepoCreationOnly",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 16,
+ "title": "Prevent Admins from Bypassing Branch Protection",
+ "description": "[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings",
+ "section_number": "2",
+ "section_name": "user account permissions",
+ "code_name": "preventBranchProtectionBypass",
+ "priority_group": "P4",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://capec.mitre.org/data/definitions/122.html",
+ "mitre_description": "CAPEC-122",
+ "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+ "sources_description": "Github Supply Chain Security Best Practices",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/preventBranchProtectionBypass",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 17,
+ "title": "Define Roles Aligned to Functional Responsibilities",
+ "description": "Define roles aligned to functional responsibilities",
+ "section_number": "2",
+ "section_name": "user account permissions",
+ "code_name": "defineFunctionalRoles",
+ "priority_group": "P4",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://capec.mitre.org/data/definitions/122.html",
+ "mitre_description": "CAPEC-122",
+ "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities",
+ "sources_description": "CNCF SSCP v1.0 #188",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/defineFunctionalRoles",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 18,
+ "title": "Define Teams/Individuals with Write Access to Repositories",
+ "description": "Define Individuals/Teams who Write Access to a Github Repo",
+ "section_number": "2",
+ "section_name": "user account permissions",
+ "code_name": "githubWriteAccessRoles",
+ "priority_group": "P4",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://capec.mitre.org/data/definitions/180.html",
+ "mitre_description": "CAPEC-180",
+ "how_to_url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions",
+ "sources_description": "CNCF SSCP v1.0 #185",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/githubWriteAccessRoles",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 19,
+ "title": "Configure Two or more Owners for Access Continuity",
+ "description": "[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity",
+ "section_number": "2",
+ "section_name": "user account permissions",
+ "code_name": "twoOrMoreOwnersForAccess",
+ "priority_group": "P4",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://attack.mitre.org/mitigations/M1026/",
+ "mitre_description": "M1026",
+ "how_to_url": "https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity",
+ "sources_description": "OpenSSF Best Practices Badge Silver Level [access_continuity]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/twoOrMoreOwnersForAccess",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 20,
+ "title": "Patch Actively Exploited Critical Vulnerabilities within 30 Days",
+ "description": "Actively Exploited Critical Vulnerabilities Patched within 30 Days",
+ "section_number": "5",
+ "section_name": "vulnerability management",
+ "code_name": "patchCriticalVulns30Days",
+ "priority_group": "P5",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed",
+ "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/patchCriticalVulns30Days",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 21,
+ "title": "Patch Non-Critical Vulnerabilities within 90 Days",
+ "description": "Non-Critical Exploitable Vulnerabilities Patched within 90 Days",
+ "section_number": "5",
+ "section_name": "vulnerability management",
+ "code_name": "patchNonCriticalVulns90Days",
+ "priority_group": "P5",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html",
+ "sources_description": "Google Project Zero Vulnerability Disclosure Policy",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/patchNonCriticalVulns90Days",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 22,
+ "title": "Automate Dependency Vulnerability Identification",
+ "description": "An automated process to identify dependencies with publicly disclosed vulnerabilities",
+ "section_number": "11",
+ "section_name": "dependency management",
+ "code_name": "automateVulnDetection",
+ "priority_group": "P6",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1395.html",
+ "mitre_description": "CWE-1395",
+ "how_to_url": "https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/",
+ "sources_description": "OWASP SCVS L1 5.4",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/automateVulnDetection",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 23,
+ "title": "Use Automated Static Code Analysis Tools",
+ "description": "Use an Automated Static Code Analysis Tool (eg: ESLInt)",
+ "section_number": "7",
+ "section_name": "code quality",
+ "code_name": "staticCodeAnalysis",
+ "priority_group": "P6",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html",
+ "mitre_description": "CWE-1076",
+ "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage",
+ "how_to_description": "ESLint Docs",
+ "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/",
+ "sources_description": "OWASP SCVS L1 5.1",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/staticCodeAnalysis",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 24,
+ "title": "Address Compiler/Linter Warnings Before Merging",
+ "description": "Compilers/Linter Warnings Addressed in order to Merge",
+ "section_number": "7",
+ "section_name": "code quality",
+ "code_name": "resolveLinterWarnings",
+ "priority_group": "P6",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1127.html",
+ "mitre_description": "CWE-1127",
+ "how_to_url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage",
+ "how_to_description": "ESLint Docs",
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict",
+ "sources_description": "OpenSSF Best Practices Badge Silver Level [warnings_strict]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/resolveLinterWarnings",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 25,
+ "title": "Use Static Application Security Testing for All Commits",
+ "description": "All Commits are Scanned by a Static Application Security Testing Tool",
+ "section_number": "7",
+ "section_name": "code quality",
+ "code_name": "staticAppSecTesting",
+ "priority_group": "P6",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1076.html",
+ "mitre_description": "CWE-1076",
+ "how_to_url": "https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql",
+ "how_to_description": "CodeQL Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
+ "sources_description": "OWASP SCVS L1 6.6OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/staticAppSecTesting",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 26,
+ "title": "Require Commit Status Checks to Pass Before Merging",
+ "description": "All Required Commit Status Checks must pass before Merging",
+ "section_number": "7",
+ "section_name": "code quality",
+ "code_name": "commitStatusChecks",
+ "priority_group": "P6",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/358.html",
+ "mitre_description": "CWE-358",
+ "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/commitStatusChecks",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 27,
+ "title": "Ensure Security.md Meets OpenJS CVD Guidelines",
+ "description": "Security.md Meets OpenJS CVD Guidelines ",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "securityMdMeetsOpenJSCVD",
+ "priority_group": "P7",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/securityMdMeetsOpenJSCVD",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 28,
+ "title": "Use CVD Tools to Manage Vulnerability Reports",
+ "description": "Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "useCVDToolForVulns",
+ "priority_group": "P7",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": "https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private",
+ "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/useCVDToolForVulns",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 29,
+ "title": "Respond to External Vulnerability Reports in Under 14 Days",
+ "description": "All External Vulnerability Reports Responded to <14 Days",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "vulnResponse14Days",
+ "priority_group": "P7",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response",
+ "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/vulnResponse14Days",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 30,
+ "title": "Define Clear Communication and Incident Response Plans",
+ "description": "Establish a Clear Communication and Incident Response Plan",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "incidentResponsePlan",
+ "priority_group": "P7",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://best.openssf.org/SCM-BestPractices/#operations",
+ "sources_description": "OpenSSF SCM Best Practices",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/incidentResponsePlan",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 31,
+ "title": "Assign CVEs to All Known Security Vulnerabilities",
+ "description": "All Known Security Vulnerabilities are Issued a CVE",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "assignCVEForKnownVulns",
+ "priority_group": "P7",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns",
+ "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/assignCVEForKnownVulns",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 32,
+ "title": "Include CVE IDs in Release Notes for Security Fixes",
+ "description": "Release Notes must Include the CVE ID of Patched Security Vulnerabilities",
+ "section_number": "6",
+ "section_name": "coordinated vulnerability disclosure",
+ "code_name": "includeCVEInReleaseNotes",
+ "priority_group": "P7",
+ "is_c_scrm": false,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns",
+ "sources_description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/includeCVEInReleaseNotes",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 33,
+ "title": "Create Regression Tests for Bugs and Security Vulnerabilities",
+ "description": "Regression Tests for => 50% of Bugs and 100% of Security Vulns",
+ "section_number": "7",
+ "section_name": "code quality",
+ "code_name": "regressionTestsForVulns",
+ "priority_group": "P8",
+ "is_c_scrm": false,
+ "level_incubating_status": "deferrable",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50",
+ "sources_description": "OpenSSF Best Practices Badge Silver Level [regression_tests_added50]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/regressionTestsForVulns",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 34,
+ "title": "Set Default GitHub Workflow Token Permissions to Read Only",
+ "description": "Github Org Default Workflow Token Permissions are Set to Read Only",
+ "section_number": "4",
+ "section_name": "github workflow permissions",
+ "code_name": "defaultTokenPermissionsReadOnly",
+ "priority_group": "P9",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
+ "mitre_description": "CWE-250",
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": null,
+ "sources_description": null,
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/defaultTokenPermissionsReadOnly",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 35,
+ "title": "Prevent Workflows from Creating or Approving PRs",
+ "description": "Workflows are not Allowed To Create or Approve Pull Requests",
+ "section_number": "4",
+ "section_name": "github workflow permissions",
+ "code_name": "blockWorkflowPRApproval",
+ "priority_group": "P9",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
+ "mitre_description": "CWE-250",
+ "how_to_url": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/blockWorkflowPRApproval",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 36,
+ "title": "Disable Force Push on Default Branch",
+ "description": "Prevent Force Push on Default Branch",
+ "section_number": "9",
+ "section_name": "source control",
+ "code_name": "noForcePushDefaultBranch",
+ "priority_group": "P9",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/noForcePushDefaultBranch",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 37,
+ "title": "Prevent Deletion of Default Branch",
+ "description": "Prevent Default Branch Deletion",
+ "section_number": "9",
+ "section_name": "source control",
+ "code_name": "preventDeletionDefaultBranch",
+ "priority_group": "P9",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/267.html",
+ "mitre_description": "CWE-267",
+ "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/preventDeletionDefaultBranch",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 38,
+ "title": "Require Default Branch Updates Before Merging",
+ "description": "Default Branch must be Up to Date before Merging",
+ "section_number": "9",
+ "section_name": "source control",
+ "code_name": "upToDateDefaultBranchBeforeMerge",
+ "priority_group": "P9",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/upToDateDefaultBranchBeforeMerge",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 39,
+ "title": "Restrict GitHub Org Secrets to Specific Repositories",
+ "description": "GitHub Organization Secrets are Restricted to Selected Repositories",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "restrictOrgSecrets",
+ "priority_group": "P10",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
+ "mitre_description": "CWE-250",
+ "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html",
+ "sources_description": "OpenSSF SCM Best Practices",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/restrictOrgSecrets",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 40,
+ "title": "Limit GitHub Actions to Verified or Trusted Actions",
+ "description": "GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "verifiedActionsOnly",
+ "priority_group": "P10",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html",
+ "mitre_description": "CWE-1357",
+ "how_to_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html",
+ "sources_description": "OpenSSF SCM Best Practices",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/verifiedActionsOnly",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 41,
+ "title": "Disable Self-Hosted Runners in GitHub Org",
+ "description": "Disable use of Self-Hosted Runners in Github Org",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "noSelfHostedRunners",
+ "priority_group": "P10",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://capec.mitre.org/data/definitions/439.html",
+ "mitre_description": "CAPEC-439",
+ "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners",
+ "sources_description": "Github Action Hardening Docs",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/noSelfHostedRunners",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 42,
+ "title": "Restrict Build Pipeline Code Execution to Build Scripts",
+ "description": "Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "noArbitraryCodeInPipeline",
+ "priority_group": "P11",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/94.html",
+ "mitre_description": "CWE-94",
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/noArbitraryCodeInPipeline",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 43,
+ "title": "Limit Workflow Write Permissions to Job-Level",
+ "description": "Only Allow Workflows Write Permissions at the Job-Level",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "limitWorkflowWritePermissions",
+ "priority_group": "P11",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "expected",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/250.html",
+ "mitre_description": "CWE-250",
+ "how_to_url": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/limitWorkflowWritePermissions",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 44,
+ "title": "Avoid Script Injection from Untrusted Variables",
+ "description": "Avoid Script Injection from Untrusted Context Variables",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "preventScriptInjection",
+ "priority_group": "P11",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/454.html",
+ "mitre_description": "CWE-454",
+ "how_to_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
+ "sources_description": "OpenSSF Scorecard",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/preventScriptInjection",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 45,
+ "title": "Document Consistent and Automated Build Processes",
+ "description": "Consistent and Automated Build Process is Documented and Used",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "consistentBuildProcessDocs",
+ "priority_group": "P12",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1068.html",
+ "mitre_description": "CWE-1068",
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": null,
+ "sources_description": null,
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/consistentBuildProcessDocs",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 46,
+ "title": "Support Older Versions or Provide Upgrade Paths",
+ "description": "Commonly Used Older Versions Supported or Upgrade Path Provided/Documented",
+ "section_number": "5",
+ "section_name": "vulnerability management",
+ "code_name": "upgradePathDocs",
+ "priority_group": "P12",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update",
+ "sources_description": "OpenSSF Best Practices Badge Silver Level [maintenance_or_update]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/upgradePathDocs",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 47,
+ "title": "Document Software Architecture",
+ "description": "[For Projects with Two or more Maintainers] Document Software Architecture",
+ "section_number": "8",
+ "section_name": "code review",
+ "code_name": "softwareArchitectureDocs",
+ "priority_group": "P12",
+ "is_c_scrm": false,
+ "level_incubating_status": "deferrable",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1053.html",
+ "mitre_description": "CWE-1053",
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture",
+ "sources_description": "OpenSSF Best Practices Badge Silver Level [documentation_architecture]",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareArchitectureDocs",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 48,
+ "title": "Automate CI/CD Steps in Code-Based Pipelines",
+ "description": "CI/CD steps should all be automated through a pipeline defined as code",
+ "section_number": "9",
+ "section_name": "source control",
+ "code_name": "ciAndCdPipelineAsCode",
+ "priority_group": "P12",
+ "is_c_scrm": true,
+ "level_incubating_status": "deferrable",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": null,
+ "mitre_description": null,
+ "how_to_url": "https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages",
+ "how_to_description": "Github Docs",
+ "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code",
+ "sources_description": "CNCF SSCP 1.0 #158",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/ciAndCdPipelineAsCode",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 49,
+ "title": "Pin Actions with Secrets to Full-Length Commit SHAs",
+ "description": "Pin Actions with Access to Secrets to a Full Length Commit SHA",
+ "section_number": "4",
+ "section_name": "github workflows",
+ "code_name": "pinActionsToSHA",
+ "priority_group": "P13",
+ "is_c_scrm": true,
+ "level_incubating_status": "deferrable",
+ "level_active_status": "expected",
+ "level_retiring_status": "n/a",
+ "mitre_url": "https://cwe.mitre.org/data/definitions/1357.html",
+ "mitre_description": "CWE-1357",
+ "how_to_url": null,
+ "how_to_description": null,
+ "sources_url": "https://securitylab.github.com/research/github-actions-building-blocks/",
+ "sources_description": "Github Docs",
+ "implementation_status": "pending",
+ "implementation_type": null,
+ "implementation_details_reference": null,
+ "details_url": "https://openjs-security-program-standards.netlify.app/details/pinActionsToSHA",
+ "created_at": "2024-12-22T04:04:30.161Z",
+ "updated_at": "2024-12-22T04:04:30.161Z"
+ },
+ {
+ "id": 50,
+ "title": "Automate Monitoring of Outdated Dependencies",
+ "description": "Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies",
+ "section_number": "10",
+ "section_name": "dependency inventory",
+ "code_name": "automateDependencyManagement",
+ "priority_group": "P14",
+ "is_c_scrm": true,
+ "level_incubating_status": "expected",
+ 
"level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://socket.dev/", + "how_to_description": "Socket.Dev", + "sources_url": "https://scvs.owasp.org/scvs/v5-component-analysis/", + "sources_description": "OWASP SCVS L1 5.7", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/automateDependencyManagement", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 51, + "title": "Provide Machine-Readable Dependency Lists", + "description": "[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "machineReadableDependencies", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph", + "how_to_description": "Github Docs", + "sources_url": "https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements", + "sources_description": "OWASP SCVS L1 1.3", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/machineReadableDependencies", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 52, + "title": "Uniquely Identify Modified Dependencies", + "description": "Modified dependencies are uniquely identified and distinct 
from origin dependency", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "identifyModifiedDependencies", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/", + "sources_description": "OWASP SCVS L2 6.5", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/identifyModifiedDependencies", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 53, + "title": "Refresh Dependencies with Annual Releases", + "description": "A new release to refresh dependencies occurs at least annually", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "annualDependencyRefresh", + "priority_group": "P14", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained", + "sources_description": "OpenSSF Best Practices Badge Passing Level [maintained]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/annualDependencyRefresh", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 54, + "title": "Use AAL2/3 Passkeys for GitHub Access", + "description": 
"{\"url\":\"http://github.com/\",\"description\":\"Github.com\"}", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyGithubAccess", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubAccess", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 55, + "title": "Use AAL2/3 Passkeys for Non-Interactive GitHub Access", + "description": "Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyGithubNonInteractive", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key", + "how_to_description": 
"Github Docs", + "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyGithubNonInteractive", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 56, + "title": "Use AAL2/3 Passkeys in All Other Contexts", + "description": "All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", + "section_number": "1", + "section_name": "user authentication", + "code_name": "useHwKeyOtherContexts", + "priority_group": "R1", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", + "sources_description": "OpenSSF Great MFA Project Security Rationale", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/useHwKeyOtherContexts", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 57, + "title": "Require Approval for Forked Workflow Changes", + "description": "Limit changes from forks to workflows by requiring approval for all outside collaborators", + "section_number": "4", + "section_name": "github workflows", + "code_name": "forkWorkflowApproval", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + 
"level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories", + "sources_description": "Github Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/forkWorkflowApproval", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 58, + "title": "Use Workflow Security Scanners", + "description": "Use a Workflow Security Scanner", + "section_number": "4", + "section_name": "github workflows", + "code_name": "workflowSecurityScanner", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://attack.mitre.org/mitigations/M1047/", + "mitre_description": "M1047", + "how_to_url": "https://github.com/step-security/secure-repo", + "how_to_description": "Step Security secure-repo", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/workflowSecurityScanner", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 59, + "title": "Use GitHub Runner Security Scanners", + "description": "Use a Github 
Runner Security Scanner", + "section_number": "4", + "section_name": "github workflows", + "code_name": "runnerSecurityScanner", + "priority_group": "R2", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://attack.mitre.org/mitigations/M1047/", + "mitre_description": "M1047", + "how_to_url": "https://github.com/step-security/harden-runner", + "how_to_description": "Step Security harden-runner", + "sources_url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", + "sources_description": "Github Action Hardening Docs", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/runnerSecurityScanner", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 60, + "title": "Require Active Admins in GitHub Org (Activity in 6 Months)", + "description": "Github Organization Admins Should Have Activity In The Last 6 Months", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "activeAdminsSixMonths", + "priority_group": "R3", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/activeAdminsSixMonths", + 
"created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 61, + "title": "Require Active Members with Write Access (Activity in 6 Months)", + "description": "Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "activeWritersSixMonths", + "priority_group": "R3", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/activeWritersSixMonths", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 62, + "title": "Require Pull Requests Before Merging", + "description": "Require Pull Requests before Merging", + "section_number": "9", + "section_name": "source control", + "code_name": "PRsBeforeMerge", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://cwe.mitre.org/data/definitions/778.html", + "mitre_description": "CWE-778", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "how_to_description": "Github Docs", + "sources_url": 
"https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/PRsBeforeMerge", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 63, + "title": "Enforce Commit Signoff for Web-Based Commits", + "description": "Github Org Requires Commit Signoff for Web-Based Commits", + "section_number": "9", + "section_name": "source control", + "code_name": "commitSignoffForWeb", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", + "sources_description": "CNCF SSCP 1.0 #325", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/commitSignoffForWeb", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 64, + "title": "Require Signed Commits", + "description": "Require Signed Commits", + "section_number": "9", + "section_name": "source control", + "code_name": "requireSignedCommits", + "priority_group": "R4", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + 
"level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", + "sources_description": "CNCF SSCP 1.0 #325", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireSignedCommits", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 65, + "title": "Include package-lock.json in Releases (Freestanding Apps)", + "description": "[Freestanding Applications Only] Commit a package-lock.json file with each release", + "section_number": "10", + "section_name": "dependency inventory", + "code_name": "includePackageLock", + "priority_group": "R5", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": null, + "mitre_description": null, + "how_to_url": "https://docs.npmjs.com/cli/v10/commands/npm-sbom", + "how_to_description": "npm Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/includePackageLock", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 66, + "title": "Require Two-Party Review (Two+ Maintainers)", + "description": "[For Projects with Two or 
more Maintainers] Require Two Party Review", + "section_number": "8", + "section_name": "code review", + "code_name": "requireTwoPartyReview", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireTwoPartyReview", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 67, + "title": "Require Code Owners Review (Four+ Maintainers)", + "description": "[For Projects with Four or more Maintainers] Require Code Owners Review", + "section_number": "8", + "section_name": "code review", + "code_name": "requireCodeOwnersReviewForLargeTeams", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + 
"implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requireCodeOwnersReviewForLargeTeams", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 68, + "title": "Require Approved PRs for Mainline Commits (Two+ Maintainers)", + "description": "[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches", + "section_number": "9", + "section_name": "source control", + "code_name": "requirePRApprovalForMainline", + "priority_group": "R6", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/670.html", + "mitre_description": "CAPEC-670", + "how_to_url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "how_to_description": "Github Docs", + "sources_url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", + "sources_description": "OpenSSF Scorecard", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/requirePRApprovalForMainline", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 69, + "title": "Limit GitHub Org Owners to Fewer Than Three", + "description": "Limit Number of Github Org Owners (ideally Fewer Than Three)", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "limitOrgOwners", + "priority_group": "R7", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": 
"https://attack.mitre.org/mitigations/M1026/", + "mitre_description": "M1026", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/limitOrgOwners", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 70, + "title": "Limit GitHub Repo Admins to Fewer Than Three", + "description": "Limit Number of Github Repository Admins (ideally Fewer Than Three)", + "section_number": "2", + "section_name": "user account permissions", + "code_name": "limitRepoAdmins", + "priority_group": "R7", + "is_c_scrm": true, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "recommended", + "mitre_url": "https://capec.mitre.org/data/definitions/180.html", + "mitre_description": "CAPEC-180", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html", + "sources_description": "OpenSSF SCM Best Practices", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/limitRepoAdmins", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 71, + "title": "Patch Critical/High Vulnerabilities in 14 Days", + "description": "Actively Exploited Critical and High Vulnerabilities Patched within 14 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchExploitableHighVulns14Days", + "priority_group": "R8", + 
"is_c_scrm": false, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", + "sources_description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableHighVulns14Days", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 72, + "title": "Patch Non-Critical Vulnerabilities in 60 Days", + "description": "Non-Critical Expoitable Vulnerabilities Patched within 60 Days", + "section_number": "5", + "section_name": "vulnerability management", + "code_name": "patchExploitableNoncCriticalVulns60Days", + "priority_group": "R8", + "is_c_scrm": false, + "level_incubating_status": "recommended", + "level_active_status": "recommended", + "level_retiring_status": "n/a", + "mitre_url": null, + "mitre_description": null, + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days", + "sources_description": "OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]", + "implementation_status": "pending", + "implementation_type": null, + "implementation_details_reference": null, + "details_url": "https://openjs-security-program-standards.netlify.app/details/patchExploitableNoncCriticalVulns60Days", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 3, + "title": "Enforce MFA in GitHub Organization(s)", + "description": "Multi Factor Authentication (MFA) Enforced Across the Github Organization", + 
"section_number": "1", + "section_name": "user authentication", + "code_name": "githubOrgMFA", + "priority_group": "P1", + "is_c_scrm": true, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://cwe.mitre.org/data/definitions/308.html", + "mitre_description": "CWE-308", + "how_to_url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "how_to_description": "Github Docs", + "sources_url": "https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html", + "sources_description": "OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]", + "implementation_status": "completed", + "implementation_type": "computed", + "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/43", + "details_url": "https://openjs-security-program-standards.netlify.app/details/githubOrgMFA", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + }, + { + "id": 1, + "title": "Training on Secure Software Design", + "description": "At least One Primary Maintainer has taken TBD Training on Secure Software Design", + "section_number": "7", + "section_name": "code quality", + "code_name": "softwareDesignTraining", + "priority_group": "P0", + "is_c_scrm": false, + "level_incubating_status": "expected", + "level_active_status": "expected", + "level_retiring_status": "expected", + "mitre_url": "https://attack.mitre.org/mitigations/M1013/", + "mitre_description": "M1013", + "how_to_url": null, + "how_to_description": null, + "sources_url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design", + "sources_description": "OpenSSF Best Practices Badge Passing Level [know_secure_design]", + 
"implementation_status": "completed", + "implementation_type": "manual", + "implementation_details_reference": "https://github.com/OpenPathfinder/visionBoard/issues/52", + "details_url": "https://openjs-security-program-standards.netlify.app/details/softwareDesignTraining", + "created_at": "2024-12-22T04:04:30.161Z", + "updated_at": "2024-12-22T04:04:30.161Z" + } +] \ No newline at end of file From 7f6bb22d74ba4c9ecff9a540ec4815a61ce4405e Mon Sep 17 00:00:00 2001 
From: GitHub Actions Date: Sun, 22 Dec 2024 04:04:42 +0000 Subject: [PATCH 2/2] chore: auto-update content --- docs/checks/MFAImpersonationDefense.mdx | 4 ++-- docs/checks/PRsBeforeMerge.mdx | 4 ++-- docs/checks/SSHKeysRequired.mdx | 4 ++-- docs/checks/activeAdminsSixMonths.mdx | 4 ++-- docs/checks/activeWritersSixMonths.mdx | 4 ++-- docs/checks/adminRepoCreationOnly.mdx | 4 ++-- docs/checks/annualDependencyRefresh.mdx | 4 ++-- docs/checks/assignCVEForKnownVulns.mdx | 4 ++-- docs/checks/automateDependencyManagement.mdx | 4 ++-- docs/checks/automateVulnDetection.mdx | 4 ++-- docs/checks/blockWorkflowPRApproval.mdx | 4 ++-- docs/checks/ciAndCdPipelineAsCode.mdx | 4 ++-- docs/checks/commitSignoffForWeb.mdx | 4 ++-- docs/checks/commitStatusChecks.mdx | 4 ++-- docs/checks/consistentBuildProcessDocs.mdx | 4 ++-- docs/checks/defaultTokenPermissionsReadOnly.mdx | 4 ++-- docs/checks/defineFunctionalRoles.mdx | 4 ++-- docs/checks/forkWorkflowApproval.mdx | 4 ++-- docs/checks/githubOrgMFA.mdx | 4 ++-- docs/checks/githubWebhookSecrets.mdx | 4 ++-- docs/checks/githubWriteAccessRoles.mdx | 4 ++-- docs/checks/identifyModifiedDependencies.mdx | 4 ++-- docs/checks/incidentResponsePlan.mdx | 4 ++-- docs/checks/includeCVEInReleaseNotes.mdx | 4 ++-- docs/checks/includePackageLock.mdx | 4 ++-- docs/checks/injectedSecretsAtRuntime.mdx | 4 ++-- docs/checks/limitOrgOwners.mdx | 4 ++-- docs/checks/limitRepoAdmins.mdx | 4 ++-- docs/checks/limitWorkflowWritePermissions.mdx | 4 ++-- docs/checks/machineReadableDependencies.mdx | 4 ++-- docs/checks/noArbitraryCodeInPipeline.mdx | 4 ++-- docs/checks/noForcePushDefaultBranch.mdx | 4 ++-- docs/checks/noSelfHostedRunners.mdx | 4 ++-- docs/checks/noSensitiveInfoInRepositories.mdx | 4 ++-- docs/checks/npmOrgMFA.mdx | 4 ++-- docs/checks/npmPublicationMFA.mdx | 4 ++-- docs/checks/orgToolingMFA.mdx | 4 ++-- docs/checks/owaspTop10Training.mdx | 4 ++-- docs/checks/patchCriticalVulns30Days.mdx | 4 ++-- docs/checks/patchExploitableHighVulns14Days.mdx | 4 
++-- docs/checks/patchExploitableNoncCriticalVulns60Days.mdx | 4 ++-- docs/checks/patchNonCriticalVulns90Days.mdx | 4 ++-- docs/checks/pinActionsToSHA.mdx | 4 ++-- docs/checks/preventBranchProtectionBypass.mdx | 4 ++-- docs/checks/preventDeletionDefaultBranch.mdx | 4 ++-- docs/checks/preventLandingSensitiveCommits.mdx | 4 ++-- docs/checks/preventScriptInjection.mdx | 4 ++-- docs/checks/regressionTestsForVulns.mdx | 4 ++-- docs/checks/requireCodeOwnersReviewForLargeTeams.mdx | 4 ++-- docs/checks/requirePRApprovalForMainline.mdx | 4 ++-- docs/checks/requireSignedCommits.mdx | 4 ++-- docs/checks/requireTwoPartyReview.mdx | 4 ++-- docs/checks/resolveLinterWarnings.mdx | 4 ++-- docs/checks/restrictOrgSecrets.mdx | 4 ++-- docs/checks/restrictedOrgPermissions.mdx | 4 ++-- docs/checks/runnerSecurityScanner.mdx | 4 ++-- docs/checks/scanCommitsForSensitiveInfo.mdx | 4 ++-- docs/checks/securityMdMeetsOpenJSCVD.mdx | 4 ++-- docs/checks/softwareArchitectureDocs.mdx | 4 ++-- docs/checks/softwareDesignTraining.mdx | 4 ++-- docs/checks/staticAppSecTesting.mdx | 4 ++-- docs/checks/staticCodeAnalysis.mdx | 4 ++-- docs/checks/twoOrMoreOwnersForAccess.mdx | 4 ++-- docs/checks/upToDateDefaultBranchBeforeMerge.mdx | 4 ++-- docs/checks/upgradePathDocs.mdx | 4 ++-- docs/checks/useCVDToolForVulns.mdx | 4 ++-- docs/checks/useHwKeyGithubAccess.mdx | 4 ++-- docs/checks/useHwKeyGithubNonInteractive.mdx | 4 ++-- docs/checks/useHwKeyOtherContexts.mdx | 4 ++-- docs/checks/verifiedActionsOnly.mdx | 4 ++-- docs/checks/vulnResponse14Days.mdx | 4 ++-- docs/checks/workflowSecurityScanner.mdx | 4 ++-- 72 files changed, 144 insertions(+), 144 deletions(-)
diff --git a/docs/checks/MFAImpersonationDefense.mdx b/docs/checks/MFAImpersonationDefense.mdx
index 8994148a..24db2e7b 100644
--- a/docs/checks/MFAImpersonationDefense.mdx
+++ b/docs/checks/MFAImpersonationDefense.mdx
@@ -24,6 +24,6 @@ slug: /checks/MFAImpersonationDefense
 - Mitre: [CWE-290](https://cwe.mitre.org/data/definitions/290.html)
 - Sources: [OpenSSF Best Practices Badge Gold Level [secure_2FA]](https://www.bestpractices.dev/en/criteria/2#2.secure_2FA)
 - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/PRsBeforeMerge.mdx b/docs/checks/PRsBeforeMerge.mdx
index c9ac7218..bb3666f0 100644
--- a/docs/checks/PRsBeforeMerge.mdx
+++ b/docs/checks/PRsBeforeMerge.mdx
@@ -24,6 +24,6 @@ slug: /checks/PRsBeforeMerge
 - Mitre: [CWE-778](https://cwe.mitre.org/data/definitions/778.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/SSHKeysRequired.mdx b/docs/checks/SSHKeysRequired.mdx
index 8c07cb13..17ba4aff 100644
--- a/docs/checks/SSHKeysRequired.mdx
+++ b/docs/checks/SSHKeysRequired.mdx
@@ -24,6 +24,6 @@ slug: /checks/SSHKeysRequired
 - Mitre: [CWE-309](https://cwe.mitre.org/data/definitions/309.html)
 - Sources: [CNCF SSCP v1.0 #192](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories)
 - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/activeAdminsSixMonths.mdx b/docs/checks/activeAdminsSixMonths.mdx
index 1a9f7cc6..edbc8951 100644
--- a/docs/checks/activeAdminsSixMonths.mdx
+++ b/docs/checks/activeAdminsSixMonths.mdx
@@ -23,6 +23,6 @@ slug: /checks/activeAdminsSixMonths
 - Priority Group: R3
 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/activeWritersSixMonths.mdx b/docs/checks/activeWritersSixMonths.mdx
index 058a5d66..fccdfaf2 100644
--- a/docs/checks/activeWritersSixMonths.mdx
+++ b/docs/checks/activeWritersSixMonths.mdx
@@ -23,6 +23,6 @@ slug: /checks/activeWritersSixMonths
 - Priority Group: R3
 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/adminRepoCreationOnly.mdx b/docs/checks/adminRepoCreationOnly.mdx
index 89434f9c..0793abb7 100644
--- a/docs/checks/adminRepoCreationOnly.mdx
+++ b/docs/checks/adminRepoCreationOnly.mdx
@@ -24,6 +24,6 @@ slug: /checks/adminRepoCreationOnly
 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/annualDependencyRefresh.mdx b/docs/checks/annualDependencyRefresh.mdx
index ac838802..1247836f 100644
--- a/docs/checks/annualDependencyRefresh.mdx
+++ b/docs/checks/annualDependencyRefresh.mdx
@@ -22,6 +22,6 @@ slug: /checks/annualDependencyRefresh
 - C-SCRM: true
 - Priority Group: P14
 - Sources: [OpenSSF Best Practices Badge Passing Level [maintained]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/assignCVEForKnownVulns.mdx b/docs/checks/assignCVEForKnownVulns.mdx
index b0deaed9..630b2bd8 100644
--- a/docs/checks/assignCVEForKnownVulns.mdx
+++ b/docs/checks/assignCVEForKnownVulns.mdx
@@ -22,6 +22,6 @@ slug: /checks/assignCVEForKnownVulns
 - C-SCRM: true
 - Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/automateDependencyManagement.mdx b/docs/checks/automateDependencyManagement.mdx
index 5b38d910..6445b52a 100644
--- a/docs/checks/automateDependencyManagement.mdx
+++ b/docs/checks/automateDependencyManagement.mdx
@@ -23,6 +23,6 @@ slug: /checks/automateDependencyManagement
 - Priority Group: P14
 - Sources: [OWASP SCVS L1 5.7](https://scvs.owasp.org/scvs/v5-component-analysis/)
 - How To: [Socket.Dev](https://socket.dev/)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/automateVulnDetection.mdx b/docs/checks/automateVulnDetection.mdx
index 9a7d5e47..905e9d1c 100644
--- a/docs/checks/automateVulnDetection.mdx
+++ b/docs/checks/automateVulnDetection.mdx
@@ -24,6 +24,6 @@ slug: /checks/automateVulnDetection
 - Mitre: [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html)
 - Sources: [OWASP SCVS L1 5.4](https://scvs.owasp.org/scvs/v5-component-analysis/)
 - How To: [Github Docs](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/blockWorkflowPRApproval.mdx b/docs/checks/blockWorkflowPRApproval.mdx
index 922166ff..6f7e2eb9 100644
--- a/docs/checks/blockWorkflowPRApproval.mdx
+++ b/docs/checks/blockWorkflowPRApproval.mdx
@@ -24,6 +24,6 @@ slug: /checks/blockWorkflowPRApproval
 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
 - How To: [Github Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/ciAndCdPipelineAsCode.mdx b/docs/checks/ciAndCdPipelineAsCode.mdx
index b542141e..4a90168d 100644
--- a/docs/checks/ciAndCdPipelineAsCode.mdx
+++ b/docs/checks/ciAndCdPipelineAsCode.mdx
@@ -23,6 +23,6 @@ slug: /checks/ciAndCdPipelineAsCode
 - Priority Group: P12
 - Sources: [CNCF SSCP 1.0 #158](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code)
 - How To: [Github Docs](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/commitSignoffForWeb.mdx b/docs/checks/commitSignoffForWeb.mdx
index ba9d0423..2200bf47 100644
--- a/docs/checks/commitSignoffForWeb.mdx
+++ b/docs/checks/commitSignoffForWeb.mdx
@@ -23,6 +23,6 @@ slug: /checks/commitSignoffForWeb
 - Priority Group: R4
 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/commitStatusChecks.mdx b/docs/checks/commitStatusChecks.mdx
index f023a138..03893443 100644
--- a/docs/checks/commitStatusChecks.mdx
+++ b/docs/checks/commitStatusChecks.mdx
@@ -24,6 +24,6 @@ slug: /checks/commitStatusChecks
 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/consistentBuildProcessDocs.mdx b/docs/checks/consistentBuildProcessDocs.mdx
index 3f9ecc9f..db6153cb 100644
--- a/docs/checks/consistentBuildProcessDocs.mdx
+++ b/docs/checks/consistentBuildProcessDocs.mdx
@@ -22,6 +22,6 @@ slug: /checks/consistentBuildProcessDocs
 - C-SCRM: true
 - Priority Group: P12
 - Mitre: [CWE-1068](https://cwe.mitre.org/data/definitions/1068.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/defaultTokenPermissionsReadOnly.mdx b/docs/checks/defaultTokenPermissionsReadOnly.mdx
index d7e93ab7..3d2dc467 100644
--- a/docs/checks/defaultTokenPermissionsReadOnly.mdx
+++ b/docs/checks/defaultTokenPermissionsReadOnly.mdx
@@ -22,6 +22,6 @@ slug: /checks/defaultTokenPermissionsReadOnly
 - C-SCRM: true
 - Priority Group: P9
 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/defineFunctionalRoles.mdx b/docs/checks/defineFunctionalRoles.mdx
index 657424c2..e087a84a 100644
--- a/docs/checks/defineFunctionalRoles.mdx
+++ b/docs/checks/defineFunctionalRoles.mdx
@@ -24,6 +24,6 @@ slug: /checks/defineFunctionalRoles
 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
 - Sources: [CNCF SSCP v1.0 #188](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/forkWorkflowApproval.mdx b/docs/checks/forkWorkflowApproval.mdx
index 46cc17f2..2f4d4e8d 100644
--- a/docs/checks/forkWorkflowApproval.mdx
+++ b/docs/checks/forkWorkflowApproval.mdx
@@ -23,6 +23,6 @@ slug: /checks/forkWorkflowApproval
 - Priority Group: R2
 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
 - Sources: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/githubOrgMFA.mdx b/docs/checks/githubOrgMFA.mdx
index 1ab49240..4e0840ec 100644
--- a/docs/checks/githubOrgMFA.mdx
+++ b/docs/checks/githubOrgMFA.mdx
@@ -29,6 +29,6 @@ We use the field `two_factor_requirement_enabled` from the GitHub Organization A
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
 - How To: [Github Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/githubWebhookSecrets.mdx b/docs/checks/githubWebhookSecrets.mdx
index ceca2cd3..b982fe81 100644
--- a/docs/checks/githubWebhookSecrets.mdx
+++ b/docs/checks/githubWebhookSecrets.mdx
@@ -24,6 +24,6 @@ slug: /checks/githubWebhookSecrets
 - Mitre: [CWE-306](https://cwe.mitre.org/data/definitions/306)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks)
 - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/githubWriteAccessRoles.mdx b/docs/checks/githubWriteAccessRoles.mdx
index d4974b47..668dc24b 100644
--- a/docs/checks/githubWriteAccessRoles.mdx
+++ b/docs/checks/githubWriteAccessRoles.mdx
@@ -24,6 +24,6 @@ slug: /checks/githubWriteAccessRoles
 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
 - Sources: [CNCF SSCP v1.0 #185](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/identifyModifiedDependencies.mdx b/docs/checks/identifyModifiedDependencies.mdx
index 3c51db5a..b61ff7b7 100644
--- a/docs/checks/identifyModifiedDependencies.mdx
+++ b/docs/checks/identifyModifiedDependencies.mdx
@@ -22,6 +22,6 @@ slug: /checks/identifyModifiedDependencies
 - C-SCRM: true
 - Priority Group: P14
 - Sources: [OWASP SCVS L2 6.5](https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/incidentResponsePlan.mdx b/docs/checks/incidentResponsePlan.mdx
index 2ac71a1d..f7b43a22 100644
--- a/docs/checks/incidentResponsePlan.mdx
+++ b/docs/checks/incidentResponsePlan.mdx
@@ -22,6 +22,6 @@ slug: /checks/incidentResponsePlan
 - C-SCRM: false
 - Priority Group: P7
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/#operations)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/includeCVEInReleaseNotes.mdx b/docs/checks/includeCVEInReleaseNotes.mdx
index 9cb0c992..f7c913e0 100644
--- a/docs/checks/includeCVEInReleaseNotes.mdx
+++ b/docs/checks/includeCVEInReleaseNotes.mdx
@@ -22,6 +22,6 @@ slug: /checks/includeCVEInReleaseNotes
 - C-SCRM: false
 - Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/includePackageLock.mdx b/docs/checks/includePackageLock.mdx
index 5e35299a..57060cfa 100644
--- a/docs/checks/includePackageLock.mdx
+++ b/docs/checks/includePackageLock.mdx
@@ -23,6 +23,6 @@ slug: /checks/includePackageLock
 - Priority Group: R5
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom)
 - How To: [npm Docs](https://docs.npmjs.com/cli/v10/commands/npm-sbom)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/injectedSecretsAtRuntime.mdx b/docs/checks/injectedSecretsAtRuntime.mdx
index 09f67cca..a7cf1a02 100644
--- a/docs/checks/injectedSecretsAtRuntime.mdx
+++ b/docs/checks/injectedSecretsAtRuntime.mdx
@@ -24,6 +24,6 @@ slug: /checks/injectedSecretsAtRuntime
 - Mitre: [CWE-538](https://cwe.mitre.org/data/definitions/538.html)
 - Sources: [CNCF CNSWP 2.0 #195](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption)
 - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/limitOrgOwners.mdx b/docs/checks/limitOrgOwners.mdx
index 510670ee..b547810f 100644
--- a/docs/checks/limitOrgOwners.mdx
+++ b/docs/checks/limitOrgOwners.mdx
@@ -23,6 +23,6 @@ slug: /checks/limitOrgOwners
 - Priority Group: R7
 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/limitRepoAdmins.mdx b/docs/checks/limitRepoAdmins.mdx
index c3b35377..d5642f14 100644
--- a/docs/checks/limitRepoAdmins.mdx
+++ b/docs/checks/limitRepoAdmins.mdx
@@ -23,6 +23,6 @@ slug: /checks/limitRepoAdmins
 - Priority Group: R7
 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/limitWorkflowWritePermissions.mdx b/docs/checks/limitWorkflowWritePermissions.mdx
index 16e37da0..a455adb9 100644
--- a/docs/checks/limitWorkflowWritePermissions.mdx
+++ b/docs/checks/limitWorkflowWritePermissions.mdx
@@ -24,6 +24,6 @@ slug: /checks/limitWorkflowWritePermissions
 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
 - How To: [Github Docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/machineReadableDependencies.mdx b/docs/checks/machineReadableDependencies.mdx
index 41bdb531..621d61bd 100644
--- a/docs/checks/machineReadableDependencies.mdx
+++ b/docs/checks/machineReadableDependencies.mdx
@@ -23,6 +23,6 @@ slug: /checks/machineReadableDependencies
 - Priority Group: P14
 - Sources: [OWASP SCVS L1 1.3](https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements)
 - How To: [Github Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/noArbitraryCodeInPipeline.mdx b/docs/checks/noArbitraryCodeInPipeline.mdx
index f59c2bf8..00958130 100644
--- a/docs/checks/noArbitraryCodeInPipeline.mdx
+++ b/docs/checks/noArbitraryCodeInPipeline.mdx
@@ -23,6 +23,6 @@ slug: /checks/noArbitraryCodeInPipeline
 - Priority Group: P11
 - Mitre: [CWE-94](https://cwe.mitre.org/data/definitions/94.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/noForcePushDefaultBranch.mdx b/docs/checks/noForcePushDefaultBranch.mdx
index 8182ce92..96b90c07 100644
--- a/docs/checks/noForcePushDefaultBranch.mdx
+++ b/docs/checks/noForcePushDefaultBranch.mdx
@@ -23,6 +23,6 @@ slug: /checks/noForcePushDefaultBranch
 - Priority Group: P9
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/noSelfHostedRunners.mdx b/docs/checks/noSelfHostedRunners.mdx
index bd152954..ac9c6f6d 100644
--- a/docs/checks/noSelfHostedRunners.mdx
+++ b/docs/checks/noSelfHostedRunners.mdx
@@ -24,6 +24,6 @@ slug: /checks/noSelfHostedRunners
 - Mitre: [CAPEC-439](https://capec.mitre.org/data/definitions/439.html)
 - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/noSensitiveInfoInRepositories.mdx b/docs/checks/noSensitiveInfoInRepositories.mdx
index 1de4a819..c10ad2d4 100644
--- a/docs/checks/noSensitiveInfoInRepositories.mdx
+++ b/docs/checks/noSensitiveInfoInRepositories.mdx
@@ -24,6 +24,6 @@ slug: /checks/noSensitiveInfoInRepositories
 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html)
 - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/npmOrgMFA.mdx b/docs/checks/npmOrgMFA.mdx
index d0310962..29470f6a 100644
--- a/docs/checks/npmOrgMFA.mdx
+++ b/docs/checks/npmOrgMFA.mdx
@@ -24,6 +24,6 @@ slug: /checks/npmOrgMFA
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
 - How To: [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/npmPublicationMFA.mdx b/docs/checks/npmPublicationMFA.mdx
index 0ff37ed6..e2a245a1 100644
--- a/docs/checks/npmPublicationMFA.mdx
+++ b/docs/checks/npmPublicationMFA.mdx
@@ -23,6 +23,6 @@ slug: /checks/npmPublicationMFA
 - Priority Group: P3
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [npm Docs](https://docs.npmjs.com/creating-and-viewing-access-tokens)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/orgToolingMFA.mdx b/docs/checks/orgToolingMFA.mdx
index 1f7af86e..dc92f4ae 100644
--- a/docs/checks/orgToolingMFA.mdx
+++ b/docs/checks/orgToolingMFA.mdx
@@ -23,6 +23,6 @@ slug: /checks/orgToolingMFA
 - Priority Group: P1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/owaspTop10Training.mdx b/docs/checks/owaspTop10Training.mdx
index 3637b37a..e2087cef 100644
--- a/docs/checks/owaspTop10Training.mdx
+++ b/docs/checks/owaspTop10Training.mdx
@@ -23,6 +23,6 @@ slug: /checks/owaspTop10Training
 - Priority Group: P0
 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/)
 - Sources: [OpenSSF Best Practices Badge Passing Level [know_common_errors]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/patchCriticalVulns30Days.mdx b/docs/checks/patchCriticalVulns30Days.mdx
index a0dd9619..0fa5b7f9 100644
--- a/docs/checks/patchCriticalVulns30Days.mdx
+++ b/docs/checks/patchCriticalVulns30Days.mdx
@@ -22,6 +22,6 @@ slug: /checks/patchCriticalVulns30Days
 - C-SCRM: false
 - Priority Group: P5
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/patchExploitableHighVulns14Days.mdx b/docs/checks/patchExploitableHighVulns14Days.mdx
index 5c525efd..c21f778a 100644
--- a/docs/checks/patchExploitableHighVulns14Days.mdx
+++ b/docs/checks/patchExploitableHighVulns14Days.mdx
@@ -22,6 +22,6 @@ slug: /checks/patchExploitableHighVulns14Days
 - C-SCRM: false
 - Priority Group: R8
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
index f55d2e62..c740c2ab 100644
--- a/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
+++ b/docs/checks/patchExploitableNoncCriticalVulns60Days.mdx
@@ -22,6 +22,6 @@ slug: /checks/patchExploitableNoncCriticalVulns60Days
 - C-SCRM: false
 - Priority Group: R8
 - Sources: [OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/patchNonCriticalVulns90Days.mdx b/docs/checks/patchNonCriticalVulns90Days.mdx
index 524cfc52..7a3897c9 100644
--- a/docs/checks/patchNonCriticalVulns90Days.mdx
+++ b/docs/checks/patchNonCriticalVulns90Days.mdx
@@ -22,6 +22,6 @@ slug: /checks/patchNonCriticalVulns90Days
 - C-SCRM: false
 - Priority Group: P5
 - Sources: [Google Project Zero Vulnerability Disclosure Policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/pinActionsToSHA.mdx b/docs/checks/pinActionsToSHA.mdx
index 5d00b29d..5acc8642 100644
--- a/docs/checks/pinActionsToSHA.mdx
+++ b/docs/checks/pinActionsToSHA.mdx
@@ -23,6 +23,6 @@ slug: /checks/pinActionsToSHA
 - Priority Group: P13
 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)
 - Sources: [Github Docs](https://securitylab.github.com/research/github-actions-building-blocks/)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/preventBranchProtectionBypass.mdx b/docs/checks/preventBranchProtectionBypass.mdx
index 31f2feff..34cbe8e1 100644
--- a/docs/checks/preventBranchProtectionBypass.mdx
+++ b/docs/checks/preventBranchProtectionBypass.mdx
@@ -24,6 +24,6 @@ slug: /checks/preventBranchProtectionBypass
 - Mitre: [CAPEC-122](https://capec.mitre.org/data/definitions/122.html)
 - Sources: [Github Supply Chain Security Best Practices](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/preventDeletionDefaultBranch.mdx b/docs/checks/preventDeletionDefaultBranch.mdx
index 37c118e6..b0e3c226 100644
--- a/docs/checks/preventDeletionDefaultBranch.mdx
+++ b/docs/checks/preventDeletionDefaultBranch.mdx
@@ -24,6 +24,6 @@ slug: /checks/preventDeletionDefaultBranch
 - Mitre: [CWE-267](https://cwe.mitre.org/data/definitions/267.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/preventLandingSensitiveCommits.mdx b/docs/checks/preventLandingSensitiveCommits.mdx
index 9ae0fa8c..a8778f64 100644
--- a/docs/checks/preventLandingSensitiveCommits.mdx
+++ b/docs/checks/preventLandingSensitiveCommits.mdx
@@ -24,6 +24,6 @@ slug: /checks/preventLandingSensitiveCommits
 - Mitre: [CWE-358](https://cwe.mitre.org/data/definitions/358.html)
 - Sources: [OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]](https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/preventScriptInjection.mdx b/docs/checks/preventScriptInjection.mdx
index ac05a1d2..04359147 100644
--- a/docs/checks/preventScriptInjection.mdx
+++ b/docs/checks/preventScriptInjection.mdx
@@ -24,6 +24,6 @@ slug: /checks/preventScriptInjection
 - Mitre: [CWE-454](https://cwe.mitre.org/data/definitions/454.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
 - How To: [Github Docs](https://securitylab.github.com/research/github-actions-untrusted-input/)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/regressionTestsForVulns.mdx b/docs/checks/regressionTestsForVulns.mdx
index d3141e5d..4e5309a2 100644
--- a/docs/checks/regressionTestsForVulns.mdx
+++ b/docs/checks/regressionTestsForVulns.mdx
@@ -22,6 +22,6 @@ slug: /checks/regressionTestsForVulns
 - C-SCRM: false
 - Priority Group: P8
 - Sources: [OpenSSF Best Practices Badge Silver Level [regression_tests_added50]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
index 134adade..08eb1b7d 100644
--- a/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
+++ b/docs/checks/requireCodeOwnersReviewForLargeTeams.mdx
@@ -24,6 +24,6 @@ slug: /checks/requireCodeOwnersReviewForLargeTeams
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/requirePRApprovalForMainline.mdx b/docs/checks/requirePRApprovalForMainline.mdx
index 9481eeae..dd1c661e 100644
--- a/docs/checks/requirePRApprovalForMainline.mdx
+++ b/docs/checks/requirePRApprovalForMainline.mdx
@@ -24,6 +24,6 @@ slug: /checks/requirePRApprovalForMainline
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/requireSignedCommits.mdx b/docs/checks/requireSignedCommits.mdx
index dabd6861..5c0f1aa3 100644
--- a/docs/checks/requireSignedCommits.mdx
+++ b/docs/checks/requireSignedCommits.mdx
@@ -23,6 +23,6 @@ slug: /checks/requireSignedCommits
 - Priority Group: R4
 - Sources: [CNCF SSCP 1.0 #325](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/requireTwoPartyReview.mdx b/docs/checks/requireTwoPartyReview.mdx
index a099af59..708d4502 100644
--- a/docs/checks/requireTwoPartyReview.mdx
+++ b/docs/checks/requireTwoPartyReview.mdx
@@ -24,6 +24,6 @@ slug: /checks/requireTwoPartyReview
 - Mitre: [CAPEC-670](https://capec.mitre.org/data/definitions/670.html)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/resolveLinterWarnings.mdx b/docs/checks/resolveLinterWarnings.mdx
index e0b9f432..eb3e48fd 100644
--- a/docs/checks/resolveLinterWarnings.mdx
+++ b/docs/checks/resolveLinterWarnings.mdx
@@ -24,6 +24,6 @@ slug: /checks/resolveLinterWarnings
 - Mitre: [CWE-1127](https://cwe.mitre.org/data/definitions/1127.html)
 - Sources: [OpenSSF Best Practices Badge Silver Level [warnings_strict]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict)
 - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/restrictOrgSecrets.mdx b/docs/checks/restrictOrgSecrets.mdx
index cee3b66b..e541a076 100644
--- a/docs/checks/restrictOrgSecrets.mdx
+++ b/docs/checks/restrictOrgSecrets.mdx
@@ -24,6 +24,6 @@ slug: /checks/restrictOrgSecrets
 - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html)
 - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/restrictedOrgPermissions.mdx b/docs/checks/restrictedOrgPermissions.mdx
index 67dcbe06..0c61377b 100644
--- a/docs/checks/restrictedOrgPermissions.mdx
+++ b/docs/checks/restrictedOrgPermissions.mdx
@@ -24,6 +24,6 @@ slug: /checks/restrictedOrgPermissions
 - Mitre: [CAPEC-180](https://capec.mitre.org/data/definitions/180.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/runnerSecurityScanner.mdx b/docs/checks/runnerSecurityScanner.mdx
index e9221a3c..90505d8f 100644
--- a/docs/checks/runnerSecurityScanner.mdx
+++ b/docs/checks/runnerSecurityScanner.mdx
@@ -24,6 +24,6 @@ slug: /checks/runnerSecurityScanner
 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/)
 - Sources: [Github Action Hardening Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)
 - How To: [Step Security harden-runner](https://github.com/step-security/harden-runner)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/scanCommitsForSensitiveInfo.mdx b/docs/checks/scanCommitsForSensitiveInfo.mdx
index a490930f..34de5d18 100644
--- a/docs/checks/scanCommitsForSensitiveInfo.mdx
+++ b/docs/checks/scanCommitsForSensitiveInfo.mdx
@@ -24,6 +24,6 @@ slug: /checks/scanCommitsForSensitiveInfo
 - Mitre: [CWE-540](https://cwe.mitre.org/data/definitions/540.html)
 - Sources: [CNCF SSCP v1.0 #184](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144)
 - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/securityMdMeetsOpenJSCVD.mdx b/docs/checks/securityMdMeetsOpenJSCVD.mdx
index 4d14d531..54bcfc29 100644
--- a/docs/checks/securityMdMeetsOpenJSCVD.mdx
+++ b/docs/checks/securityMdMeetsOpenJSCVD.mdx
@@ -22,6 +22,6 @@ slug: /checks/securityMdMeetsOpenJSCVD
 - C-SCRM: false
 - Priority Group: P7
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/softwareArchitectureDocs.mdx b/docs/checks/softwareArchitectureDocs.mdx
index debe382f..24221893 100644
--- a/docs/checks/softwareArchitectureDocs.mdx
+++ b/docs/checks/softwareArchitectureDocs.mdx
@@ -23,6 +23,6 @@ slug: /checks/softwareArchitectureDocs
 - Priority Group: P12
 - Mitre: [CWE-1053](https://cwe.mitre.org/data/definitions/1053.html)
 - Sources: [OpenSSF Best Practices Badge Silver Level [documentation_architecture]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/softwareDesignTraining.mdx b/docs/checks/softwareDesignTraining.mdx
index 606af59f..cf5c593a 100644
--- a/docs/checks/softwareDesignTraining.mdx
+++ b/docs/checks/softwareDesignTraining.mdx
@@ -28,6 +28,6 @@ It is considered `passed` if there is a record for the organization in the `soft
 - Priority Group: P0
 - Mitre: [M1013](https://attack.mitre.org/mitigations/M1013/)
 - Sources: [OpenSSF Best Practices Badge Passing Level [know_secure_design]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/staticAppSecTesting.mdx b/docs/checks/staticAppSecTesting.mdx
index 70d6722d..6c79174b 100644
--- a/docs/checks/staticAppSecTesting.mdx
+++ b/docs/checks/staticAppSecTesting.mdx
@@ -24,6 +24,6 @@ slug: /checks/staticAppSecTesting
 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html)
 - Sources: [OWASP SCVS L1 6.6OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast)
 - How To: [CodeQL Docs](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/staticCodeAnalysis.mdx b/docs/checks/staticCodeAnalysis.mdx
index c95b9729..afbdb381 100644
--- a/docs/checks/staticCodeAnalysis.mdx
+++ b/docs/checks/staticCodeAnalysis.mdx
@@ -24,6 +24,6 @@ slug: /checks/staticCodeAnalysis
 - Mitre: [CWE-1076](https://cwe.mitre.org/data/definitions/1076.html)
 - Sources: [OWASP SCVS L1 5.1](https://scvs.owasp.org/scvs/v5-component-analysis/)
 - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/twoOrMoreOwnersForAccess.mdx b/docs/checks/twoOrMoreOwnersForAccess.mdx
index 022c95fb..ee3fc714 100644
--- a/docs/checks/twoOrMoreOwnersForAccess.mdx
+++ b/docs/checks/twoOrMoreOwnersForAccess.mdx
@@ -24,6 +24,6 @@ slug: /checks/twoOrMoreOwnersForAccess
 - Mitre: [M1026](https://attack.mitre.org/mitigations/M1026/)
 - Sources: [OpenSSF Best Practices Badge Silver Level [access_continuity]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity)
 - How To: [Github Docs](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
index 03da3d29..8bdb86f2 100644
--- a/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
+++ b/docs/checks/upToDateDefaultBranchBeforeMerge.mdx
@@ -23,6 +23,6 @@ slug: /checks/upToDateDefaultBranchBeforeMerge
 - Priority Group: P9
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
 - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/upgradePathDocs.mdx b/docs/checks/upgradePathDocs.mdx
index fdccbb37..e57fc0d3 100644
--- a/docs/checks/upgradePathDocs.mdx
+++ b/docs/checks/upgradePathDocs.mdx
@@ -22,6 +22,6 @@ slug: /checks/upgradePathDocs
 - C-SCRM: true
 - Priority Group: P12
 - Sources: [OpenSSF Best Practices Badge Silver Level [maintenance_or_update]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/useCVDToolForVulns.mdx b/docs/checks/useCVDToolForVulns.mdx
index 101cf882..956ba63e 100644
--- a/docs/checks/useCVDToolForVulns.mdx
+++ b/docs/checks/useCVDToolForVulns.mdx
@@ -23,6 +23,6 @@ slug: /checks/useCVDToolForVulns
 - Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private)
 - How To: [Github Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/useHwKeyGithubAccess.mdx b/docs/checks/useHwKeyGithubAccess.mdx
index 707f9be5..5591d192 100644
--- a/docs/checks/useHwKeyGithubAccess.mdx
+++ b/docs/checks/useHwKeyGithubAccess.mdx
@@ -24,6 +24,6 @@ slug: /checks/useHwKeyGithubAccess
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
 - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/useHwKeyGithubNonInteractive.mdx b/docs/checks/useHwKeyGithubNonInteractive.mdx
index 0b239ac1..a17c7fbc 100644
--- a/docs/checks/useHwKeyGithubNonInteractive.mdx
+++ b/docs/checks/useHwKeyGithubNonInteractive.mdx
@@ -24,6 +24,6 @@ slug: /checks/useHwKeyGithubNonInteractive
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
 - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/useHwKeyOtherContexts.mdx b/docs/checks/useHwKeyOtherContexts.mdx
index 4a71c8a3..599c908e 100644
--- a/docs/checks/useHwKeyOtherContexts.mdx
+++ b/docs/checks/useHwKeyOtherContexts.mdx
@@ -23,6 +23,6 @@ slug: /checks/useHwKeyOtherContexts
 - Priority Group: R1
 - Mitre: [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
 - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/verifiedActionsOnly.mdx b/docs/checks/verifiedActionsOnly.mdx
index f3967056..2f5bbb57 100644
--- a/docs/checks/verifiedActionsOnly.mdx
+++ b/docs/checks/verifiedActionsOnly.mdx
@@ -24,6 +24,6 @@ slug: /checks/verifiedActionsOnly
 - Mitre: [CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)
 - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html)
 - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/vulnResponse14Days.mdx b/docs/checks/vulnResponse14Days.mdx
index cc482883..250a1ca3 100644
--- a/docs/checks/vulnResponse14Days.mdx
+++ b/docs/checks/vulnResponse14Days.mdx
@@ -22,6 +22,6 @@ slug: /checks/vulnResponse14Days
 - C-SCRM: false
 - Priority Group: P7
 - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]](https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z
diff --git a/docs/checks/workflowSecurityScanner.mdx b/docs/checks/workflowSecurityScanner.mdx
index 11727ad3..38c54179 100644
--- a/docs/checks/workflowSecurityScanner.mdx
+++ b/docs/checks/workflowSecurityScanner.mdx
@@ -24,6 +24,6 @@ slug: /checks/workflowSecurityScanner
 - Mitre: [M1047](https://attack.mitre.org/mitigations/M1047/)
 - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)
 - How To: [Step Security secure-repo](https://github.com/step-security/secure-repo)
-- Created at 2024-12-18T20:19:27.410Z
-- Updated at 2024-12-18T20:19:27.410Z
+- Created at 2024-12-22T04:04:30.161Z
+- Updated at 2024-12-22T04:04:30.161Z