feat: add control OSPS-BR-07 for secrets management (#373)

trumant · evankanderson · web-flow · commit 82af0141816d · 2025-09-15T16:51:34.000-04:00
* feat: add control OSPS-QA-08 for secrets management This change adds a new control to the Build & Release control family that focuses on secure handling and storage of project secrets. This change closes #352 Signed-off-by: Travis Truman <trumant@gmail.com> * Update OSPS-BR.yaml Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> Signed-off-by: Travis Truman <trumant@gmail.com> * Update OSPS-BR.yaml Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> Signed-off-by: Travis Truman <trumant@gmail.com> * chore: resequence controls Signed-off-by: Travis Truman <trumant@gmail.com> --------- Signed-off-by: Travis Truman <trumant@gmail.com> Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
diff --git a/baseline/OSPS-BR.yaml b/baseline/OSPS-BR.yaml
@@ -465,3 +465,36 @@ controls:
           signature or attestations, such as GPG or PGP signature, Sigstore
           signatures, SLSA provenance, or SLSA VSAs. Include the cryptographic
           hashes of each asset in a signed manifest or metadata file.
+  - id: OSPS-BR-07
+    title: |
+      The project MUST store and manage all secrets and credentials used by the project in a secure manner.
+    objective: |
+      Ensure that sensitive data is not disclosed, compromised or misused leading to security vulnerabilities or supply chain compromise.
+    guideline-mappings:
+      - reference-id: BPB
+        identifiers:
+          - S-B-5 # TODO: is this the right numbering for https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials
+      - reference-id: SSDF
+        identifiers:
+          - PO.1.1
+          - P0.3.1
+          - P0.4.2
+          - PO.5.1
+          - PW.1.2
+          - PW.1.3
+          - PW.5.1
+    assessment-requirements:
+      - id: OSPS-BR-07.01
+        text: |
+          The project MUST prevent the unintentional storage of unencrypted sensitive data, such as secrets and credentials, in the version control system.
+        applicability:
+          - Maturity Level 1
+        recommendation: |
+          Configure .gitignore or equivalent to exclude files that may contain sensitive information. Use pre-commit hooks and automated scanning tools to detect and prevent the inclusion of sensitive data in commits.
+      - id: OSPS-BR-07.02
+        text: |
+          The project MUST define a policy for managing secrets and credentials used by the project. The policy should include guidelines for storing, accessing, and rotating secrets and credentials.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Document how secrets and credentials are managed and used within the project. This should include details on how secrets are stored (e.g., using a secrets management tool), how access is controlled, and how secrets are rotated or updated. Ensure that sensitive information is not hard-coded in the source code or stored in version control systems.
