diff --git a/README.md b/README.md index d913b67..fcf99f1 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # OpenJS Security Program Standards -This Standard is designed to serve as an achievable minimum security baseline for OpenJS Foundation Project maintainers. More plainly said, this is intended to be used as an easily digested and actioned security checklist. +This repo contains the source code and infra used to build and the deploy the website: https://openjs-security-program-standards.netlify.app/. ## Website 
@@ -38,20 +38,22 @@ This command generates static content into the `build` directory and can be serv ## Manage Changes +Most of the content of this website is autogenerated with Github Actions, this include the content from [docs/implementations](/docs/implementations) and [docs/details](/docs/details) files. + ### Update the compliance checks 1. Go to [Actions: Sync and update Compliance Checks](https://github.com/secure-dashboards/openjs-security-program-standards/actions/workflows/sync_checks.yml) and run the action manually from the `main` branch. [how-to](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow) 2. This will generate a PR with the title `[AUTO] Sync with dashboard database` and it will assign it to you ([direct access](https://github.com/secure-dashboards/openjs-security-program-standards/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen++%5BAUTO%5D+Sync+with+dashboard+database+)). Please review the content and merge it when you feel ready. -### Update the website +### Manual update -Once you have updated the items, you can update the website by running the following commands: +Once you have updated the [data/checks.json](/data/checks.json) file, you can update the website by running the following commands: ```bash npm run populate-details npm run populate-implementations ``` -This will autopolulate the details and implementations sections of the website, respectively. Note that this will modify the folders `docs/details` and `docs/implementations` so make sure to commit the changes. +This will autopolulate the details and implementations sections of the website, respectively. So make sure to commit the changes. diff --git a/data/standards.html b/data/standards.html deleted file mode 100644 index c9eaa98..0000000 --- a/data/standards.html +++ /dev/null @@ -1,2 +0,0 @@ - -
| A | B | C | D | E | F | G | H | L | M | N | O | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Priority Group | Incubating | Active | Retiring | Slug | Title | Section | Description | How To | C-SCRM | MITRE | Sources |
2 | P0 | Expected | Expected | Expected | softwareDesignTraining | Training on Secure Software Design | 7. Code Quality | At least One Primary Maintainer has taken TBD Training on Secure Software Design | M1013 | |||
3 | P0 | Expected | Expected | Expected | owaspTop10Training | Training on OWASP Top 10 or Equivalent | 7. Code Quality | At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent | M1013 | |||
4 | P1 | Expected | Expected | Expected | githubOrgMFA | Enforce MFA in GitHub Organization(s) | 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the Github Organization | Github Docs | Y | CWE-308 M1032 | |
5 | P1 | Expected | Expected | Expected | npmOrgMFA | Enforce MFA in npm Organization(s) | 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization | npm Docs | Y | CWE-308 M1032 | |
6 | P1 | Expected | Expected | Expected | orgToolingMFA | Enforce MFA in all the tools | 1. User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible | CWE-308 M1032 | |||
7 | P1 | Expected | Expected | Expected | MFAImpersonationDefense | Use MFA against impersonation | 1. User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | Github Docs | Y | CWE-290 CAPEC-151 T1621 M1032 | |
8 | P2 | Expected | Expected | Expected | noSensitiveInfoInRepositories | Check sensitive information | 3. Service Authentication | No Secrets and Credentials in Source Code | Github Docs | Y | CWE-540 | |
9 | P2 | Expected | Expected | Expected | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | 3. Service Authentication | Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets) | Github Docs | Y | CWE-538 | |
10 | P2 | Expected | Expected | N/A | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | 7. Code Quality | All Commits are Scanned for Secrets and Credentials | Github Docs | Y | CWE-540 CAPEC-150 | |
11 | P2 | Expected | Expected | N/A | preventLandingSensitiveCommits | Block New Commits with Secrets or Credentials | 7. Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging | Github Docs | Y | CWE-358 | |
12 | P3 | Expected | Expected | Expected | SSHKeysRequired | Use SSH Keys with Passphrases for Repository Access | 1. User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase | Github Docs | Y | CWE-309 | |
13 | P3 | Expected | Expected | Expected | npmPublicationMFA | Publish to npm Using MFA-Enabled Accounts | 3. Service Authentication | Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens | Y | CWE-308 | npm Docs | |
14 | P3 | Expected | Expected | Expected | githubWebhookSecrets | Secure GitHub Webhooks with Secrets | 3. Service Authentication | Github Webhooks Use Secrets | Github Docs | Y | CWE-306 | |
15 | P4 | Expected | Expected | Expected | restrictedOrgPermissions | Restrict Default GitHub Org Member Permissions | 2. User Account Permissions | Default Github Org Member Permissions Should Be Restricted | Github Docs | Y | CAPEC-180 M1026 | |
16 | P4 | Expected | Expected | Expected | adminRepoCreationOnly | Allow Only Admins to Create Public Repositories | 2. User Account Permissions | Only Admins Should Be Able To Create Public Repositories | Github Docs | Y | CAPEC-122 | |
17 | P4 | Expected | Expected | Expected | preventBranchProtectionBypass | Prevent Admins from Bypassing Branch Protection | 2. User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings | Github Docs | Y | CAPEC-122 | |
18 | P4 | Expected | Expected | Expected | defineFunctionalRoles | Define Roles Aligned to Functional Responsibilities | 2. User Account Permissions | Define roles aligned to functional responsibilities | Github Docs | Y | CAPEC-122 M1018 | |
19 | P4 | Expected | Expected | Expected | githubWriteAccessRoles | Define Teams/Individuals with Write Access to Repositories | 2. User Account Permissions | Define Individuals/Teams who Write Access to a Github Repo | Github Docs | Y | CAPEC-180 M1026 | |
20 | P4 | Expected | Expected | Expected | twoOrMoreOwnersForAccess | Configure Two or more Owners for Access Continuity | 2. User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity | Github Docs | Y | M1026 | |
21 | P5 | Expected | Expected | N/A | patchCriticalVulns30Days | Patch Actively Exploited Critical Vulnerabilities within 30 Days | 5. Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days | ||||
22 | P5 | Expected | Expected | N/A | patchNonCriticalVulns90Days | Patch Non-Critical Vulnerabilities within 90 Days | 5. Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days | ||||
23 | P6 | Expected | Expected | Expected | automateVulnDetection | Automate Dependency Vulnerability Identification | 11. Dependency Management | An automated process to identify dependencies with publicly disclosed vulnerabilities | Github Docs | Y | CWE-1395 M1016 | |
24 | P6 | Expected | Expected | N/A | staticCodeAnalysis | Use Automated Static Code Analysis Tools | 7. Code Quality | Use an Automated Static Code Analysis Tool (eg: ESLInt) | ESLint Docs | CWE-1076 CWE-1078 M1016 | ||
25 | P6 | Expected | Expected | N/A | resolveLinterWarnings | Address Compiler/Linter Warnings Before Merging | 7. Code Quality | Compilers/Linter Warnings Addressed in order to Merge | ESLint Docs | CWE-1127 | ||
26 | P6 | Expected | Expected | N/A | staticAppSecTesting | Use Static Application Security Testing for All Commits | 7. Code Quality | All Commits are Scanned by a Static Application Security Testing Tool | CodeQL Docs | CWE-1076 CWE-1078 M1016 | ||
27 | P6 | Expected | Expected | N/A | commitStatusChecks | Require Commit Status Checks to Pass Before Merging | 7. Code Quality | All Required Commit Status Checks must pass before Merging | Github Docs | Y | CWE-358 | |
28 | P7 | Expected | Expected | Expected | securityMdMeetsOpenJSCVD | Ensure Security.md Meets OpenJS CVD Guidelines | 6. Coordinated Vulnerability Disclosure | Security.md Meets OpenJS CVD Guidelines | OpenJS CVD Guidance | |||
29 | P7 | Expected | Expected | Expected | useCVDToolForVulns | Use CVD Tools to Manage Vulnerability Reports | 6. Coordinated Vulnerability Disclosure | Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR) | Github Docs | |||
30 | P7 | Expected | Expected | N/A | vulnResponse14Days | Respond to External Vulnerability Reports in Under 14 Days | 6. Coordinated Vulnerability Disclosure | All External Vulnerability Reports Responded to <14 Days | ||||
31 | P7 | Expected | Expected | Expected | incidentResponsePlan | Define Clear Communication and Incident Response Plans | 6. Coordinated Vulnerability Disclosure | Establish a Clear Communication and Incident Response Plan | ||||
32 | P7 | Expected | Expected | Expected | assignCVEForKnownVulns | Assign CVEs to All Known Security Vulnerabilities | 6. Coordinated Vulnerability Disclosure | All Known Security Vulnerabilities are Issued a CVE | Y | |||
33 | P7 | Expected | Expected | Expected | includeCVEInReleaseNotes | Include CVE IDs in Release Notes for Security Fixes | 6. Coordinated Vulnerability Disclosure | Release Notes must Include the CVE ID of Patched Security Vulnerabilities | ||||
34 | P8 | Deferrable | Expected | N/A | regressionTestsForVulns | Create Regression Tests for Bugs and Security Vulnerabilities | 7. Code Quality | Regression Tests for => 50% of Bugs and 100% of Security Vulns | ||||
35 | P9 | Expected | Expected | N/A | defaultTokenPermissionsReadOnly | Set Default GitHub Workflow Token Permissions to Read Only | 4. Github Workflow Permissions | Github Org Default Workflow Token Permissions are Set to Read Only | Y | CWE-250 CAPEC-69 | ||
36 | P9 | Expected | Expected | Expected | blockWorkflowPRApproval | Prevent Workflows from Creating or Approving PRs | 4. Github Workflow Permissions | Workflows are not Allowed To Create or Approve Pull Requests | Github Docs | Y | CWE-250 CAPEC-69 | |
37 | P9 | Expected | Expected | Expected | noForcePushDefaultBranch | Disable Force Push on Default Branch | 9. Source Control | Prevent Force Push on Default Branch | Github Docs | Y | ||
38 | P9 | Expected | Expected | Expected | preventDeletionDefaultBranch | Prevent Deletion of Default Branch | 9. Source Control | Prevent Default Branch Deletion | Github Docs | Y | CWE-267 | |
39 | P9 | Expected | Expected | Expected | upToDateDefaultBranchBeforeMerge | Require Default Branch Updates Before Merging | 9. Source Control | Default Branch must be Up to Date before Merging | Github Docs | Y | ||
40 | P10 | Expected | Expected | N/A | restrictOrgSecrets | Restrict GitHub Org Secrets to Specific Repositories | 4. Github Workflows | GitHub Organization Secrets are Restricted to Selected Repositories | Github Docs | Y | CWE-250 CAPEC-69 | |
41 | P10 | Expected | Expected | N/A | verifiedActionsOnly | Limit GitHub Actions to Verified or Trusted Actions | 4. Github Workflows | GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions | Github Docs | Y | CWE-1357 CAPEC-17 CAPEC-538 CAPEC-446 | |
42 | P10 | Expected | Expected | Expected | noSelfHostedRunners | Disable Self-Hosted Runners in GitHub Org | 4. Github Workflows | Disable use of Self-Hosted Runners in Github Org | Github Docs | Y | CAPEC-439 | |
43 | P11 | Expected | Expected | N/A | noArbitraryCodeInPipeline | Restrict Build Pipeline Code Execution to Build Scripts | 4. Github Workflows | Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script | Y | CWE-94 CAPEC-19 | ||
44 | P11 | Expected | Expected | Expected | limitWorkflowWritePermissions | Limit Workflow Write Permissions to Job-Level | 4. Github Workflows | Only Allow Workflows Write Permissions at the Job-Level | Github Docs | Y | CWE-250 CAPEC-69 | |
45 | P11 | Expected | Expected | N/A | preventScriptInjection | Avoid Script Injection from Untrusted Variables | 4. Github Workflows | Avoid Script Injection from Untrusted Context Variables | Github Docs | Y | CWE-454 CAPEC-242 | |
46 | P12 | Expected | Expected | N/A | consistentBuildProcessDocs | Document Consistent and Automated Build Processes | 4. Github Workflows | Consistent and Automated Build Process is Documented and Used | Y | CWE-1068 | ||
47 | P12 | Expected | Expected | N/A | upgradePathDocs | Support Older Versions or Provide Upgrade Paths | 5. Vulnerability Management | Commonly Used Older Versions Supported or Upgrade Path Provided/Documented | Y | |||
48 | P12 | Deferrable | Expected | N/A | softwareArchitectureDocs | Document Software Architecture | 8. Code Review | [For Projects with Two or more Maintainers] Document Software Architecture | CWE-1053 | |||
49 | P12 | Deferrable | Expected | N/A | ciAndCdPipelineAsCode | Automate CI/CD Steps in Code-Based Pipelines | 9. Source Control | CI/CD steps should all be automated through a pipeline defined as code | Github Docs | Y | ||
50 | P13 | Deferrable | Expected | N/A | pinActionsToSHA | Pin Actions with Secrets to Full-Length Commit SHAs | 4. Github Workflows | Pin Actions with Access to Secrets to a Full Length Commit SHA | Y | CWE-1357 CAPEC-17 CAPEC-538 CAPEC-446 CAPEC-186 | Github Docs | |
51 | P14 | Expected | Expected | Expected | automateDependencyManagement | Automate Monitoring of Outdated Dependencies | 10. Dependency Inventory | Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies | Socket.Dev | Y | ||
52 | P14 | Expected | Expected | Expected | machineReadableDependencies | Provide Machine-Readable Dependency Lists | 10. Dependency Inventory | [Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software | Github Docs | Y | ||
53 | P14 | Expected | Expected | Expected | identifyModifiedDependencies | Uniquely Identify Modified Dependencies | 10. Dependency Inventory | Modified dependencies are uniquely identified and distinct from origin dependency | Y | |||
54 | P14 | Expected | Expected | N/A | annualDependencyRefresh | Refresh Dependencies with Annual Releases | 5. Vulnerability Management | A new release to refresh dependencies occurs at least annually | Y | |||
55 | R1 | Recommended | Recommended | Recommended | useHwKeyGithubAccess | Use AAL2/3 Passkeys for GitHub Access | 1. User Authentication | Github.com: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Github Docs | Y | CWE-308 M1032 | |
56 | R1 | Recommended | Recommended | Recommended | useHwKeyGithubNonInteractive | Use AAL2/3 Passkeys for Non-Interactive GitHub Access | 1. User Authentication | Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Github Docs | Y | CWE-308 M1032 | |
57 | R1 | Recommended | Recommended | Recommended | useHwKeyOtherContexts | Use AAL2/3 Passkeys in All Other Contexts | 1. User Authentication | All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Y | CWE-308 M1032 | ||
58 | R2 | Recommended | Recommended | Recommended | forkWorkflowApproval | Require Approval for Forked Workflow Changes | 4. Github Workflows | Limit changes from forks to workflows by requiring approval for all outside collaborators | Y | CAPEC-180 | Github Docs | |
59 | R2 | Recommended | Recommended | Recommended | workflowSecurityScanner | Use Workflow Security Scanners | 4. Github Workflows | Use a Workflow Security Scanner | Y | M1047 | ||
60 | R2 | Recommended | Recommended | Recommended | runnerSecurityScanner | Use GitHub Runner Security Scanners | 4. Github Workflows | Use a Github Runner Security Scanner | Y | M1047 | ||
61 | R3 | Recommended | Recommended | N/A | activeAdminsSixMonths | Require Active Admins in GitHub Org (Activity in 6 Months) | 2. User Account Permissions | Github Organization Admins Should Have Activity In The Last 6 Months | Y | M1026 | ||
62 | R3 | Recommended | Recommended | N/A | activeWritersSixMonths | Require Active Members with Write Access (Activity in 6 Months) | 2. User Account Permissions | Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months | Y | M1026 | ||
63 | R4 | Recommended | Recommended | Recommended | PRsBeforeMerge | Require Pull Requests Before Merging | 9. Source Control | Require Pull Requests before Merging | Github Docs | Y | CWE-778 | |
64 | R4 | Recommended | Recommended | Recommended | commitSignoffForWeb | Enforce Commit Signoff for Web-Based Commits | 9. Source Control | Github Org Requires Commit Signoff for Web-Based Commits | Github Docs | Y | ||
65 | R4 | Recommended | Recommended | Recommended | requireSignedCommits | Require Signed Commits | 9. Source Control | Require Signed Commits | Github Docs | Y | ||
66 | R5 | Recommended | Recommended | Recommended | includePackageLock | Include package-lock.json in Releases (Freestanding Apps) | 10. Dependency Inventory | [Freestanding Applications Only] Commit a package-lock.json file with each release | Y | |||
67 | R6 | Recommended | Recommended | N/A | requireTwoPartyReview | Require Two-Party Review (Two+ Maintainers) | 8. Code Review | [For Projects with Two or more Maintainers] Require Two Party Review | Github Docs | Y | CAPEC-670 CAPEC-443 CAPEC-438 | |
68 | R6 | Recommended | Recommended | N/A | requireCodeOwnersReviewForLargeTeams | Require Code Owners Review (Four+ Maintainers) | 8. Code Review | [For Projects with Four or more Maintainers] Require Code Owners Review | Github Docs | Y | CAPEC-670 CAPEC-443 CAPEC-438 | |
69 | R6 | Recommended | Recommended | Recommended | requirePRApprovalForMainline | Require Approved PRs for Mainline Commits (Two+ Maintainers) | 9. Source Control | [For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches | Github Docs | Y | CAPEC-670 CAPEC-443 CAPEC-438 | |
70 | R7 | Recommended | Recommended | Recommended | limitOrgOwners | Limit GitHub Org Owners to Fewer Than Three | 2. User Account Permissions | Limit Number of Github Org Owners (ideally Fewer Than Three) | Y | M1026 | ||
71 | R7 | Recommended | Recommended | Recommended | limitRepoAdmins | Limit GitHub Repo Admins to Fewer Than Three | 2. User Account Permissions | Limit Number of Github Repository Admins (ideally Fewer Than Three) | Y | CAPEC-180 M1026 | ||
72 | R8 | Recommended | Recommended | N/A | patchExploitableHighVulns14Days | Patch Critical/High Vulnerabilities in 14 Days | 5. Vulnerability Management | Actively Exploited Critical and High Vulnerabilities Patched within 14 Days | ||||
73 | R8 | Recommended | Recommended | N/A | patchExploitableNoncCriticalVulns60Days | Patch Non-Critical Vulnerabilities in 60 Days | 5. Vulnerability Management | Non-Critical Expoitable Vulnerabilities Patched within 60 Days |
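Review bot: in the README "Manage Changes" hunk, the rewritten last line keeps the existing typo `autopolulate` (should be `autopopulate`) and, by dropping "Note that this will modify the folders `docs/details` and `docs/implementations`", loses the statement of which paths the commands write to, so "So make sure to commit the changes." now hangs without a referent. Suggest: "This will autopopulate the details and implementations sections of the website (`docs/details` and `docs/implementations`, respectively); commit the resulting changes." In the added paragraph above it, "this include the content from" should be "this includes the content from", and the comma splice after "Github Actions" reads better as a full stop. Finally, since the section now has both an Action-driven path and a "Manual update" path that starts from `data/checks.json`, state when a maintainer needs the manual route at all (for example, only when `data/checks.json` was edited by hand rather than via the `[AUTO] Sync with dashboard database` PR).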
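Review bot: `data/standards.html` is deleted outright, with no replacement in this diff and no mention of it in the README changes. The deleted file carried the complete standards table (priority groups, slugs, sections, descriptions, How To links and the C-SCRM/CWE/CAPEC/MITRE mappings), so if any populate script, Action, or page still reads it the build will break silently. Suggest confirming in the PR description that this content now lives in `data/checks.json` (which the new "Manual update" step points to) and that a repository-wide search turns up no remaining reference to `data/standards.html`.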