From b9389444d8ceccb609dc95e393d84a9b0d660c9d Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sun, 8 Dec 2024 01:48:37 +0100 Subject: [PATCH 1/2] chore: remove legacy data sources that are not used anymore --- data/standards.html | 2 - data/standards.json | 1577 ------------------------------------------- 2 files changed, 1579 deletions(-) delete mode 100644 data/standards.html delete mode 100644 data/standards.json diff --git a/data/standards.html b/data/standards.html deleted file mode 100644 index c9eaa98..0000000 --- a/data/standards.html +++ /dev/null @@ -1,2 +0,0 @@ - -
ABCDEFGHLMNO
1
Priority GroupIncubatingActiveRetiringSlugTitleSectionDescriptionHow ToC-SCRMMITRESources
2
P0ExpectedExpectedExpectedsoftwareDesignTrainingTraining on Secure Software Design7. Code QualityAt least One Primary Maintainer has taken TBD Training on Secure Software DesignM1013
3
P0ExpectedExpectedExpectedowaspTop10TrainingTraining on OWASP Top 10 or Equivalent7. Code QualityAt least One Primary Maintainer has taken TBD Training on OWASP Top 10 or EquivalentM1013
4
P1ExpectedExpectedExpectedgithubOrgMFAEnforce MFA in GitHub Organization(s)1. User AuthenticationMulti Factor Authentication (MFA) Enforced Across the Github OrganizationGithub DocsYCWE-308
M1032
5
P1ExpectedExpectedExpectednpmOrgMFAEnforce MFA in npm Organization(s)1. User AuthenticationMulti Factor Authentication (MFA) Enforced Across the npm Organizationnpm DocsYCWE-308
M1032
6
P1ExpectedExpectedExpectedorgToolingMFAEnforce MFA in all the tools1. User AuthenticationMulti Factor Authentication (MFA) Enforced in All Tools Wherever Techncially FeasibleCWE-308
M1032
7
P1ExpectedExpectedExpectedMFAImpersonationDefenseUse MFA against impersonation1. User Authentication
Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available
Github DocsYCWE-290
CAPEC-151
T1621
M1032
8
P2ExpectedExpectedExpectednoSensitiveInfoInRepositoriesCheck sensitive information3. Service AuthenticationNo Secrets and Credentials in Source CodeGithub DocsYCWE-540
9
P2ExpectedExpectedExpectedinjectedSecretsAtRuntimeEnsure that the secrets are injected at runtime3. Service Authentication
Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)
Github DocsYCWE-538
10
P2ExpectedExpectedN/AscanCommitsForSensitiveInfoEnsure that all the commits are scanned7. Code QualityAll Commits are Scanned for Secrets and Credentials Github DocsYCWE-540
CAPEC-150
11
P2ExpectedExpectedN/ApreventLandingSensitiveCommitsBlock New Commits with Secrets or Credentials7. Code QualityNew Commits Containing Secrets or Credentials are Blocked from MergingGithub DocsYCWE-358
12
P3ExpectedExpectedExpectedSSHKeysRequiredUse SSH Keys with Passphrases for Repository Access1. User AuthenticationUse SSH keys for developer access to source code repositories and use a passphraseGithub DocsYCWE-309
13
P3ExpectedExpectedExpectednpmPublicationMFAPublish to npm Using MFA-Enabled Accounts3. Service Authentication
Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens
YCWE-308npm Docs
14
P3ExpectedExpectedExpectedgithubWebhookSecretsSecure GitHub Webhooks with Secrets3. Service AuthenticationGithub Webhooks Use SecretsGithub DocsYCWE-306
15
P4ExpectedExpectedExpectedrestrictedOrgPermissionsRestrict Default GitHub Org Member Permissions2. User Account PermissionsDefault Github Org Member Permissions Should Be RestrictedGithub DocsYCAPEC-180
M1026
16
P4ExpectedExpectedExpectedadminRepoCreationOnlyAllow Only Admins to Create Public Repositories2. User Account PermissionsOnly Admins Should Be Able To Create Public RepositoriesGithub DocsYCAPEC-122
17
P4ExpectedExpectedExpectedpreventBranchProtectionBypassPrevent Admins from Bypassing Branch Protection2. User Account Permissions
[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings
Github DocsYCAPEC-122
18
P4ExpectedExpectedExpecteddefineFunctionalRolesDefine Roles Aligned to Functional Responsibilities2. User Account PermissionsDefine roles aligned to functional responsibilitiesGithub DocsYCAPEC-122
M1018
19
P4ExpectedExpectedExpectedgithubWriteAccessRolesDefine Teams/Individuals with Write Access to Repositories2. User Account PermissionsDefine Individuals/Teams who Write Access to a Github RepoGithub DocsYCAPEC-180
M1026
20
P4ExpectedExpectedExpectedtwoOrMoreOwnersForAccessConfigure Two or more Owners for Access Continuity2. User Account Permissions
[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity
Github DocsYM1026
21
P5ExpectedExpectedN/ApatchCriticalVulns30DaysPatch Actively Exploited Critical Vulnerabilities within 30 Days5. Vulnerability ManagementActively Exploited Critical Vulnerabilities Patched within 30 Days
22
P5ExpectedExpectedN/ApatchNonCriticalVulns90DaysPatch Non-Critical Vulnerabilities within 90 Days5. Vulnerability ManagementNon-Critical Exploitable Vulnerabilities Patched within 90 Days
23
P6ExpectedExpectedExpectedautomateVulnDetectionAutomate Dependency Vulnerability Identification11. Dependency ManagementAn automated process to identify dependencies with publicly disclosed vulnerabilitiesGithub DocsYCWE-1395
M1016
24
P6ExpectedExpectedN/AstaticCodeAnalysisUse Automated Static Code Analysis Tools7. Code QualityUse an Automated Static Code Analysis Tool (eg: ESLInt)ESLint DocsCWE-1076
CWE-1078
M1016
25
P6ExpectedExpectedN/AresolveLinterWarningsAddress Compiler/Linter Warnings Before Merging7. Code QualityCompilers/Linter Warnings Addressed in order to MergeESLint DocsCWE-1127
26
P6ExpectedExpectedN/AstaticAppSecTestingUse Static Application Security Testing for All Commits7. Code QualityAll Commits are Scanned by a Static Application Security Testing ToolCodeQL DocsCWE-1076
CWE-1078
M1016
27
P6ExpectedExpectedN/AcommitStatusChecksRequire Commit Status Checks to Pass Before Merging7. Code QualityAll Required Commit Status Checks must pass before MergingGithub DocsYCWE-358
28
P7ExpectedExpectedExpectedsecurityMdMeetsOpenJSCVDEnsure Security.md Meets OpenJS CVD Guidelines6. Coordinated Vulnerability DisclosureSecurity.md Meets OpenJS CVD Guidelines OpenJS CVD Guidance
29
P7ExpectedExpectedExpecteduseCVDToolForVulnsUse CVD Tools to Manage Vulnerability Reports6. Coordinated Vulnerability Disclosure
Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)
Github Docs
30
P7ExpectedExpectedN/AvulnResponse14DaysRespond to External Vulnerability Reports in Under 14 Days6. Coordinated Vulnerability DisclosureAll External Vulnerability Reports Responded to <14 Days
31
P7ExpectedExpectedExpectedincidentResponsePlanDefine Clear Communication and Incident Response Plans6. Coordinated Vulnerability DisclosureEstablish a Clear Communication and Incident Response Plan
32
P7ExpectedExpectedExpectedassignCVEForKnownVulnsAssign CVEs to All Known Security Vulnerabilities6. Coordinated Vulnerability DisclosureAll Known Security Vulnerabilities are Issued a CVEY
33
P7ExpectedExpectedExpectedincludeCVEInReleaseNotesInclude CVE IDs in Release Notes for Security Fixes6. Coordinated Vulnerability DisclosureRelease Notes must Include the CVE ID of Patched Security Vulnerabilities
34
P8DeferrableExpectedN/AregressionTestsForVulnsCreate Regression Tests for Bugs and Security Vulnerabilities7. Code QualityRegression Tests for => 50% of Bugs and 100% of Security Vulns
35
P9ExpectedExpectedN/AdefaultTokenPermissionsReadOnlySet Default GitHub Workflow Token Permissions to Read Only4. Github Workflow PermissionsGithub Org Default Workflow Token Permissions are Set to Read OnlyYCWE-250
CAPEC-69
36
P9ExpectedExpectedExpectedblockWorkflowPRApprovalPrevent Workflows from Creating or Approving PRs4. Github Workflow PermissionsWorkflows are not Allowed To Create or Approve Pull RequestsGithub DocsYCWE-250
CAPEC-69
37
P9ExpectedExpectedExpectednoForcePushDefaultBranchDisable Force Push on Default Branch9. Source ControlPrevent Force Push on Default BranchGithub DocsY
38
P9ExpectedExpectedExpectedpreventDeletionDefaultBranchPrevent Deletion of Default Branch9. Source ControlPrevent Default Branch DeletionGithub DocsYCWE-267
39
P9ExpectedExpectedExpectedupToDateDefaultBranchBeforeMergeRequire Default Branch Updates Before Merging9. Source ControlDefault Branch must be Up to Date before MergingGithub DocsY
40
P10ExpectedExpectedN/ArestrictOrgSecretsRestrict GitHub Org Secrets to Specific Repositories4. Github WorkflowsGitHub Organization Secrets are Restricted to Selected RepositoriesGithub DocsYCWE-250
CAPEC-69
41
P10ExpectedExpectedN/AverifiedActionsOnlyLimit GitHub Actions to Verified or Trusted Actions4. Github WorkflowsGitHub Actions Should Be Limited To Verified or Explicitly Trusted ActionsGithub DocsYCWE-1357
CAPEC-17
CAPEC-538
CAPEC-446
42
P10ExpectedExpectedExpectednoSelfHostedRunnersDisable Self-Hosted Runners in GitHub Org4. Github WorkflowsDisable use of Self-Hosted Runners in Github OrgGithub DocsYCAPEC-439
43
P11ExpectedExpectedN/AnoArbitraryCodeInPipelineRestrict Build Pipeline Code Execution to Build Scripts4. Github WorkflowsBuild Pipeline Cannot Execute Arbitrary Code from Outside of a Build ScriptYCWE-94
CAPEC-19
44
P11ExpectedExpectedExpectedlimitWorkflowWritePermissionsLimit Workflow Write Permissions to Job-Level4. Github WorkflowsOnly Allow Workflows Write Permissions at the Job-LevelGithub DocsYCWE-250
CAPEC-69
45
P11ExpectedExpectedN/ApreventScriptInjectionAvoid Script Injection from Untrusted Variables4. Github WorkflowsAvoid Script Injection from Untrusted Context VariablesGithub DocsYCWE-454
CAPEC-242
46
P12ExpectedExpectedN/AconsistentBuildProcessDocsDocument Consistent and Automated Build Processes4. Github WorkflowsConsistent and Automated Build Process is Documented and UsedYCWE-1068
47
P12ExpectedExpectedN/AupgradePathDocsSupport Older Versions or Provide Upgrade Paths5. Vulnerability ManagementCommonly Used Older Versions Supported or Upgrade Path Provided/DocumentedY
48
P12DeferrableExpectedN/AsoftwareArchitectureDocsDocument Software Architecture8. Code Review[For Projects with Two or more Maintainers] Document Software ArchitectureCWE-1053
49
P12DeferrableExpectedN/AciAndCdPipelineAsCodeAutomate CI/CD Steps in Code-Based Pipelines9. Source ControlCI/CD steps should all be automated through a pipeline defined as codeGithub DocsY
50
P13DeferrableExpectedN/ApinActionsToSHAPin Actions with Secrets to Full-Length Commit SHAs4. Github WorkflowsPin Actions with Access to Secrets to a Full Length Commit SHAYCWE-1357
CAPEC-17
CAPEC-538
CAPEC-446
CAPEC-186
Github Docs
51
P14ExpectedExpectedExpectedautomateDependencyManagementAutomate Monitoring of Outdated Dependencies10. Dependency InventoryAutomated Process is Used to Monitor for and Maintain a List of Out of Date DependenciesSocket.DevY
52
P14ExpectedExpectedExpectedmachineReadableDependenciesProvide Machine-Readable Dependency Lists10. Dependency Inventory
[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software
Github DocsY
53
P14ExpectedExpectedExpectedidentifyModifiedDependenciesUniquely Identify Modified Dependencies10. Dependency InventoryModified dependencies are uniquely identified and distinct from origin dependencyY
54
P14ExpectedExpectedN/AannualDependencyRefreshRefresh Dependencies with Annual Releases5. Vulnerability ManagementA new release to refresh dependencies occurs at least annuallyY
55
R1RecommendedRecommendedRecommendeduseHwKeyGithubAccessUse AAL2/3 Passkeys for GitHub Access1. User Authentication
Github.com: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics
Github DocsYCWE-308
M1032
56
R1RecommendedRecommendedRecommendeduseHwKeyGithubNonInteractiveUse AAL2/3 Passkeys for Non-Interactive GitHub Access1. User Authentication
Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics
Github DocsYCWE-308
M1032
57
R1RecommendedRecommendedRecommendeduseHwKeyOtherContextsUse AAL2/3 Passkeys in All Other Contexts1. User Authentication
All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics
YCWE-308
M1032
58
R2RecommendedRecommendedRecommendedforkWorkflowApprovalRequire Approval for Forked Workflow Changes4. Github WorkflowsLimit changes from forks to workflows by requiring approval for all outside collaboratorsYCAPEC-180Github Docs
59
R2RecommendedRecommendedRecommendedworkflowSecurityScannerUse Workflow Security Scanners4. Github WorkflowsUse a Workflow Security ScannerYM1047
60
R2RecommendedRecommendedRecommendedrunnerSecurityScannerUse GitHub Runner Security Scanners4. Github WorkflowsUse a Github Runner Security ScannerYM1047
61
R3RecommendedRecommendedN/AactiveAdminsSixMonthsRequire Active Admins in GitHub Org (Activity in 6 Months)2. User Account PermissionsGithub Organization Admins Should Have Activity In The Last 6 MonthsYM1026
62
R3RecommendedRecommendedN/AactiveWritersSixMonthsRequire Active Members with Write Access (Activity in 6 Months)2. User Account Permissions
Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months
YM1026
63
R4RecommendedRecommendedRecommendedPRsBeforeMergeRequire Pull Requests Before Merging9. Source ControlRequire Pull Requests before MergingGithub DocsYCWE-778
64
R4RecommendedRecommendedRecommendedcommitSignoffForWebEnforce Commit Signoff for Web-Based Commits9. Source ControlGithub Org Requires Commit Signoff for Web-Based CommitsGithub DocsY
65
R4RecommendedRecommendedRecommendedrequireSignedCommitsRequire Signed Commits9. Source ControlRequire Signed CommitsGithub DocsY
66
R5RecommendedRecommendedRecommendedincludePackageLockInclude package-lock.json in Releases (Freestanding Apps)10. Dependency Inventory[Freestanding Applications Only] Commit a package-lock.json file with each releaseY
67
R6RecommendedRecommendedN/ArequireTwoPartyReviewRequire Two-Party Review (Two+ Maintainers)8. Code Review[For Projects with Two or more Maintainers] Require Two Party ReviewGithub DocsYCAPEC-670
CAPEC-443
CAPEC-438
68
R6RecommendedRecommendedN/ArequireCodeOwnersReviewForLargeTeamsRequire Code Owners Review (Four+ Maintainers)8. Code Review[For Projects with Four or more Maintainers] Require Code Owners ReviewGithub DocsYCAPEC-670
CAPEC-443
CAPEC-438
69
R6RecommendedRecommendedRecommendedrequirePRApprovalForMainlineRequire Approved PRs for Mainline Commits (Two+ Maintainers)9. Source Control
[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches
Github DocsYCAPEC-670
CAPEC-443
CAPEC-438
70
R7RecommendedRecommendedRecommendedlimitOrgOwnersLimit GitHub Org Owners to Fewer Than Three2. User Account PermissionsLimit Number of Github Org Owners (ideally Fewer Than Three)YM1026
71
R7RecommendedRecommendedRecommendedlimitRepoAdminsLimit GitHub Repo Admins to Fewer Than Three2. User Account PermissionsLimit Number of Github Repository Admins (ideally Fewer Than Three)YCAPEC-180
M1026
72
R8RecommendedRecommendedN/ApatchExploitableHighVulns14DaysPatch Critical/High Vulnerabilities in 14 Days5. Vulnerability ManagementActively Exploited Critical and High Vulnerabilities Patched within 14 Days
73
R8RecommendedRecommendedN/ApatchExploitableNoncCriticalVulns60DaysPatch Non-Critical Vulnerabilities in 60 Days5. Vulnerability ManagementNon-Critical Expoitable Vulnerabilities Patched within 60 Days
\ No newline at end of file diff --git a/data/standards.json b/data/standards.json deleted file mode 100644 index 134cf25..0000000 --- a/data/standards.json +++ /dev/null 
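Review bot: the "not used anymore" claim in the commit message cannot be checked from this diff, because the summary shows only the two data files being removed (2 files changed, 1579 deletions) and no change to whatever previously loaded data/standards.json or linked data/standards.html. Please either record in the PR description the search that confirmed there are no remaining consumers (scripts, templates, docs, build configuration), or fold the removal of those references into this commit so the change is self-contained. It would also help to state where the canonical copy of the standards table now lives: this HTML export and the JSON below carry the same columns (priority group, incubating/active/retiring, slug, title, section, description, how to, C-SCRM, MITRE, sources), and a reader of the history otherwise cannot tell whether the data moved or was dropped.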
@@ -1,1577 +0,0 @@ -[ - { - "priority group": "P0", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "softwareDesignTraining", - "title": "Training on Secure Software Design", - "section": "7. Code Quality", - "description": "At least One Primary Maintainer has taken TBD Training on Secure Software Design", - "how to": "", - "c-scrm": "", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1013/", - "description": "M1013" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design", - "description": "OpenSSF Best Practices Badge Passing Level [know_secure_design]" - }, - "id": "item-0" - }, - { - "priority group": "P0", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "owaspTop10Training", - "title": "Training on OWASP Top 10 or Equivalent", - "section": "7. Code Quality", - "description": "At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent", - "how to": "", - "c-scrm": "", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1013/", - "description": "M1013" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors", - "description": "OpenSSF Best Practices Badge Passing Level [know_common_errors]" - }, - "id": "item-1" - }, - { - "priority group": "P1", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "githubOrgMFA", - "title": "Enforce MFA in GitHub Organization(s)", - "section": "1. 
User Authentication", - "description": "Multi Factor Authentication (MFA) Enforced Across the Github Organization", - "how to": { - "url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html", - "description": "OpenSSF SCM Best PracticesOpenSSF Best Practices Badge Gold Level [require_2FA]" - }, - "id": "item-2" - }, - { - "priority group": "P1", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "npmOrgMFA", - "title": "Enforce MFA in npm Organization(s)", - "section": "1. User Authentication", - "description": "Multi Factor Authentication (MFA) Enforced Across the npm Organization", - "how to": { - "url": "https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization", - "description": "npm Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md", - "description": "OpenSSF npm Best Practices" - }, - "id": "item-3" - }, - { - "priority group": "P1", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "orgToolingMFA", - "title": "Enforce MFA in all the tools", - "section": "1. 
User Authentication", - "description": "Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible", - "how to": "", - "c-scrm": "", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md", - "description": "CNCF CNSWP v1.0" - }, - "id": "item-4" - }, - { - "priority group": "P1", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "MFAImpersonationDefense", - "title": "Use MFA against impersonation", - "section": "1. User Authentication", - "description": "Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available ", - "how to": { - "url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/290.html", - "description": "CWE-290" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria/2#2.secure_2FA", - "description": "OpenSSF Best Practices Badge Gold Level [secure_2FA]" - }, - "id": "item-5" - }, - { - "priority group": "P2", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "noSensitiveInfoInRepositories", - "title": "Check sensitive information", - "section": "3. 
Service Authentication", - "description": "No Secrets and Credentials in Source Code", - "how to": { - "url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/540.html", - "description": "CWE-540" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", - "description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]" - }, - "id": "item-6" - }, - { - "priority group": "P2", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "injectedSecretsAtRuntime", - "title": "Ensure that the secrets are injected at runtime", - "section": "3. Service Authentication", - "description": "Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)", - "how to": { - "url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/538.html", - "description": "CWE-538" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#secrets-encryption", - "description": "CNCF CNSWP 2.0 #195" - }, - "id": "item-7" - }, - { - "priority group": "P2", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "scanCommitsForSensitiveInfo", - "title": "Ensure that all the commits are scanned", - "section": "7. 
Code Quality", - "description": "All Commits are Scanned for Secrets and Credentials ", - "how to": { - "url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/540.html", - "description": "CWE-540" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#user-content-fnref-21-4e56305414bd02da4843ec1d7d856144", - "description": "CNCF SSCP v1.0 #184" - }, - "id": "item-8" - }, - { - "priority group": "P2", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "preventLandingSensitiveCommits", - "title": "Block New Commits with Secrets or Credentials", - "section": "7. Code Quality", - "description": "New Commits Containing Secrets or Credentials are Blocked from Merging", - "how to": { - "url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/358.html", - "description": "CWE-358" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.no_leaked_credentials", - "description": "OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]" - }, - "id": "item-9" - }, - { - "priority group": "P3", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "SSHKeysRequired", - "title": "Use SSH Keys with Passphrases for Repository Access", - "section": "1. 
User Authentication", - "description": "Use SSH keys for developer access to source code repositories and use a passphrase", - "how to": { - "url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/309.html", - "description": "CWE-309" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#use-ssh-keys-to-provide-developers-access-to-source-code-repositories", - "description": "CNCF SSCP v1.0 #192" - }, - "id": "item-10" - }, - { - "priority group": "P3", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "npmPublicationMFA", - "title": "Publish to npm Using MFA-Enabled Accounts", - "section": "3. Service Authentication", - "description": "Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://docs.npmjs.com/creating-and-viewing-access-tokens", - "description": "npm Docs" - }, - "id": "item-11" - }, - { - "priority group": "P3", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "githubWebhookSecrets", - "title": "Secure GitHub Webhooks with Secrets", - "section": "3. 
Service Authentication", - "description": "Github Webhooks Use Secrets", - "how to": { - "url": "https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/306", - "description": "CWE-306" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks", - "description": "OpenSSF Scorecard" - }, - "id": "item-12" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "restrictedOrgPermissions", - "title": "Restrict Default GitHub Org Member Permissions", - "section": "2. User Account Permissions", - "description": "Default Github Org Member Permissions Should Be Restricted", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/180.html", - "description": "CAPEC-180" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/organization/default_repository_permission_is_not_none.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-13" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "adminRepoCreationOnly", - "title": "Allow Only Admins to Create Public Repositories", - "section": "2. 
User Account Permissions", - "description": "Only Admins Should Be Able To Create Public Repositories", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/122.html", - "description": "CAPEC-122" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/organization/non_admins_can_create_public_repositories.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-14" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "preventBranchProtectionBypass", - "title": "Prevent Admins from Bypassing Branch Protection", - "section": "2. User Account Permissions", - "description": "[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/122.html", - "description": "CAPEC-122" - }, - "sources": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "description": "Github Supply Chain Security Best Practices" - }, - "id": "item-15" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "defineFunctionalRoles", - "title": "Define Roles Aligned to Functional Responsibilities", - "section": "2. 
User Account Permissions", - "description": "Define roles aligned to functional responsibilities", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/122.html", - "description": "CAPEC-122" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-roles-aligned-to-functional-responsibilities", - "description": "CNCF SSCP v1.0 #188" - }, - "id": "item-16" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "githubWriteAccessRoles", - "title": "Define Teams/Individuals with Write Access to Repositories", - "section": "2. User Account Permissions", - "description": "Define Individuals/Teams who Write Access to a Github Repo", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/180.html", - "description": "CAPEC-180" - }, - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#define-individualsteams-that-are-responsible-for-code-in-a-repository-and-associated-coding-conventions", - "description": "CNCF SSCP v1.0 #185" - }, - "id": "item-17" - }, - { - "priority group": "P4", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "twoOrMoreOwnersForAccess", - "title": "Configure Two or more Owners for Access Continuity", - "section": "2. 
User Account Permissions", - "description": "[For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1026/", - "description": "M1026" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.access_continuity", - "description": "OpenSSF Best Practices Badge Silver Level [access_continuity]" - }, - "id": "item-18" - }, - { - "priority group": "P5", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "patchCriticalVulns30Days", - "title": "Patch Actively Exploited Critical Vulnerabilities within 30 Days", - "section": "5. Vulnerability Management", - "description": "Actively Exploited Critical Vulnerabilities Patched within 30 Days", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", - "description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]" - }, - "id": "item-19" - }, - { - "priority group": "P5", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "patchNonCriticalVulns90Days", - "title": "Patch Non-Critical Vulnerabilities within 90 Days", - "section": "5. 
Vulnerability Management", - "description": "Non-Critical Exploitable Vulnerabilities Patched within 90 Days", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html", - "description": "Google Project Zero Vulnerability Disclosure Policy" - }, - "id": "item-20" - }, - { - "priority group": "P6", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "automateVulnDetection", - "title": "Automate Dependency Vulnerability Identification", - "section": "11. Dependency Management", - "description": "An automated process to identify dependencies with publicly disclosed vulnerabilities", - "how to": { - "url": "https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1395.html", - "description": "CWE-1395" - }, - "sources": { - "url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "description": "OWASP SCVS L1 5.4" - }, - "id": "item-21" - }, - { - "priority group": "P6", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "staticCodeAnalysis", - "title": "Use Automated Static Code Analysis Tools", - "section": "7. 
Code Quality", - "description": "Use an Automated Static Code Analysis Tool (eg: ESLInt)", - "how to": { - "url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", - "description": "ESLint Docs" - }, - "c-scrm": "", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1076.html", - "description": "CWE-1076" - }, - "sources": { - "url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "description": "OWASP SCVS L1 5.1" - }, - "id": "item-22" - }, - { - "priority group": "P6", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "resolveLinterWarnings", - "title": "Address Compiler/Linter Warnings Before Merging", - "section": "7. Code Quality", - "description": "Compilers/Linter Warnings Addressed in order to Merge", - "how to": { - "url": "https://eslint.org/docs/latest/use/getting-started#installation-and-usage", - "description": "ESLint Docs" - }, - "c-scrm": "", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1127.html", - "description": "CWE-1127" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.warnings_strict", - "description": "OpenSSF Best Practices Badge Silver Level [warnings_strict]" - }, - "id": "item-23" - }, - { - "priority group": "P6", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "staticAppSecTesting", - "title": "Use Static Application Security Testing for All Commits", - "section": "7. 
Code Quality", - "description": "All Commits are Scanned by a Static Application Security Testing Tool", - "how to": { - "url": "https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql", - "description": "CodeQL Docs" - }, - "c-scrm": "", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1076.html", - "description": "CWE-1076" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast", - "description": "OWASP SCVS L1 6.6OpenSSF Scorecard" - }, - "id": "item-24" - }, - { - "priority group": "P6", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "commitStatusChecks", - "title": "Require Commit Status Checks to Pass Before Merging", - "section": "7. Code Quality", - "description": "All Required Commit Status Checks must pass before Merging", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/358.html", - "description": "CWE-358" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-25" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "securityMdMeetsOpenJSCVD", - "title": "Ensure Security.md Meets OpenJS CVD Guidelines", - "section": "6. 
Coordinated Vulnerability Disclosure", - "description": "Security.md Meets OpenJS CVD Guidelines ", - "how to": "OpenJS CVD Guidance", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy", - "description": "OpenSSF Scorecard" - }, - "id": "item-26" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "useCVDToolForVulns", - "title": "Use CVD Tools to Manage Vulnerability Reports", - "section": "6. Coordinated Vulnerability Disclosure", - "description": "Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)", - "how to": { - "url": "https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization", - "description": "Github Docs" - }, - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.vulnerability_report_private", - "description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]" - }, - "id": "item-27" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "vulnResponse14Days", - "title": "Respond to External Vulnerability Reports in Under 14 Days", - "section": "6. 
Coordinated Vulnerability Disclosure", - "description": "All External Vulnerability Reports Responded to <14 Days", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response", - "description": "OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]" - }, - "id": "item-28" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "incidentResponsePlan", - "title": "Define Clear Communication and Incident Response Plans", - "section": "6. Coordinated Vulnerability Disclosure", - "description": "Establish a Clear Communication and Incident Response Plan", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/#operations", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-29" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "assignCVEForKnownVulns", - "title": "Assign CVEs to All Known Security Vulnerabilities", - "section": "6. Coordinated Vulnerability Disclosure", - "description": "All Known Security Vulnerabilities are Issued a CVE", - "how to": "", - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", - "description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]" - }, - "id": "item-30" - }, - { - "priority group": "P7", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "includeCVEInReleaseNotes", - "title": "Include CVE IDs in Release Notes for Security Fixes", - "section": "6. 
Coordinated Vulnerability Disclosure", - "description": "Release Notes must Include the CVE ID of Patched Security Vulnerabilities", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns", - "description": "OpenSSF Best Practices Badge Passing Level [release_notes_vulns]" - }, - "id": "item-31" - }, - { - "priority group": "P8", - "incubating": "Deferrable", - "active": "Expected", - "retiring": "N/A", - "slug": "regressionTestsForVulns", - "title": "Create Regression Tests for Bugs and Security Vulnerabilities", - "section": "7. Code Quality", - "description": "Regression Tests for => 50% of Bugs and 100% of Security Vulns", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50", - "description": "OpenSSF Best Practices Badge Silver Level [regression_tests_added50]" - }, - "id": "item-32" - }, - { - "priority group": "P9", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "defaultTokenPermissionsReadOnly", - "title": "Set Default GitHub Workflow Token Permissions to Read Only", - "section": "4. Github Workflow Permissions", - "description": "Github Org Default Workflow Token Permissions are Set to Read Only", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/250.html", - "description": "CWE-250" - }, - "sources": "", - "id": "item-33" - }, - { - "priority group": "P9", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "blockWorkflowPRApproval", - "title": "Prevent Workflows from Creating or Approving PRs", - "section": "4. 
Github Workflow Permissions", - "description": "Workflows are not Allowed To Create or Approve Pull Requests", - "how to": { - "url": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/250.html", - "description": "CWE-250" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "description": "OpenSSF Scorecard" - }, - "id": "item-34" - }, - { - "priority group": "P9", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "noForcePushDefaultBranch", - "title": "Disable Force Push on Default Branch", - "section": "9. Source Control", - "description": "Prevent Force Push on Default Branch", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-35" - }, - { - "priority group": "P9", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "preventDeletionDefaultBranch", - "title": "Prevent Deletion of Default Branch", - "section": "9. 
Source Control", - "description": "Prevent Default Branch Deletion", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/267.html", - "description": "CWE-267" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-36" - }, - { - "priority group": "P9", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "upToDateDefaultBranchBeforeMerge", - "title": "Require Default Branch Updates Before Merging", - "section": "9. Source Control", - "description": "Default Branch must be Up to Date before Merging", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-37" - }, - { - "priority group": "P10", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "restrictOrgSecrets", - "title": "Restrict GitHub Org Secrets to Specific Repositories", - "section": "4. 
Github Workflows", - "description": "GitHub Organization Secrets are Restricted to Selected Repositories", - "how to": { - "url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/250.html", - "description": "CWE-250" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_repositories_can_run_github_actions.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-38" - }, - { - "priority group": "P10", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "verifiedActionsOnly", - "title": "Limit GitHub Actions to Verified or Trusted Actions", - "section": "4. Github Workflows", - "description": "GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions", - "how to": { - "url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1357.html", - "description": "CWE-1357" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/actions/all_github_actions_are_allowed.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-39" - }, - { - "priority group": "P10", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "noSelfHostedRunners", - "title": "Disable Self-Hosted Runners in GitHub Org", - "section": "4. 
Github Workflows", - "description": "Disable use of Self-Hosted Runners in Github Org", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/439.html", - "description": "CAPEC-439" - }, - "sources": { - "url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", - "description": "Github Action Hardening Docs" - }, - "id": "item-40" - }, - { - "priority group": "P11", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "noArbitraryCodeInPipeline", - "title": "Restrict Build Pipeline Code Execution to Build Scripts", - "section": "4. Github Workflows", - "description": "Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/94.html", - "description": "CWE-94" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", - "description": "OpenSSF Scorecard" - }, - "id": "item-41" - }, - { - "priority group": "P11", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "limitWorkflowWritePermissions", - "title": "Limit Workflow Write Permissions to Job-Level", - "section": "4. 
Github Workflows", - "description": "Only Allow Workflows Write Permissions at the Job-Level", - "how to": { - "url": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/250.html", - "description": "CWE-250" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "description": "OpenSSF Scorecard" - }, - "id": "item-42" - }, - { - "priority group": "P11", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "preventScriptInjection", - "title": "Avoid Script Injection from Untrusted Variables", - "section": "4. Github Workflows", - "description": "Avoid Script Injection from Untrusted Context Variables", - "how to": { - "url": "https://securitylab.github.com/research/github-actions-untrusted-input/", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/454.html", - "description": "CWE-454" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow", - "description": "OpenSSF Scorecard" - }, - "id": "item-43" - }, - { - "priority group": "P12", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "consistentBuildProcessDocs", - "title": "Document Consistent and Automated Build Processes", - "section": "4. 
Github Workflows", - "description": "Consistent and Automated Build Process is Documented and Used", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1068.html", - "description": "CWE-1068" - }, - "sources": "", - "id": "item-44" - }, - { - "priority group": "P12", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "upgradePathDocs", - "title": "Support Older Versions or Provide Upgrade Paths", - "section": "5. Vulnerability Management", - "description": "Commonly Used Older Versions Supported or Upgrade Path Provided/Documented", - "how to": "", - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update", - "description": "OpenSSF Best Practices Badge Silver Level [maintenance_or_update]" - }, - "id": "item-45" - }, - { - "priority group": "P12", - "incubating": "Deferrable", - "active": "Expected", - "retiring": "N/A", - "slug": "softwareArchitectureDocs", - "title": "Document Software Architecture", - "section": "8. Code Review", - "description": "[For Projects with Two or more Maintainers] Document Software Architecture", - "how to": "", - "c-scrm": "", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1053.html", - "description": "CWE-1053" - }, - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture", - "description": "OpenSSF Best Practices Badge Silver Level [documentation_architecture]" - }, - "id": "item-46" - }, - { - "priority group": "P12", - "incubating": "Deferrable", - "active": "Expected", - "retiring": "N/A", - "slug": "ciAndCdPipelineAsCode", - "title": "Automate CI/CD Steps in Code-Based Pipelines", - "section": "9. 
Source Control", - "description": "CI/CD steps should all be automated through a pipeline defined as code", - "how to": { - "url": "https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#build-and-related-continuous-integrationcontinuous-delivery-steps-should-all-be-automated-through-a-pipeline-defined-as-code", - "description": "CNCF SSCP 1.0 #158" - }, - "id": "item-47" - }, - { - "priority group": "P13", - "incubating": "Deferrable", - "active": "Expected", - "retiring": "N/A", - "slug": "pinActionsToSHA", - "title": "Pin Actions with Secrets to Full-Length Commit SHAs", - "section": "4. Github Workflows", - "description": "Pin Actions with Access to Secrets to a Full Length Commit SHA", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/1357.html", - "description": "CWE-1357" - }, - "sources": { - "url": "https://securitylab.github.com/research/github-actions-building-blocks/", - "description": "Github Docs" - }, - "id": "item-48" - }, - { - "priority group": "P14", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "automateDependencyManagement", - "title": "Automate Monitoring of Outdated Dependencies", - "section": "10. 
Dependency Inventory", - "description": "Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies", - "how to": { - "url": "https://socket.dev/", - "description": "Socket.Dev" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://scvs.owasp.org/scvs/v5-component-analysis/", - "description": "OWASP SCVS L1 5.7" - }, - "id": "item-49" - }, - { - "priority group": "P14", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "machineReadableDependencies", - "title": "Provide Machine-Readable Dependency Lists", - "section": "10. Dependency Inventory", - "description": "[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software", - "how to": { - "url": "https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://scvs.owasp.org/scvs/v1-inventory/#verification-requirements", - "description": "OWASP SCVS L1 1.3" - }, - "id": "item-50" - }, - { - "priority group": "P14", - "incubating": "Expected", - "active": "Expected", - "retiring": "Expected", - "slug": "identifyModifiedDependencies", - "title": "Uniquely Identify Modified Dependencies", - "section": "10. Dependency Inventory", - "description": "Modified dependencies are uniquely identified and distinct from origin dependency", - "how to": "", - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/", - "description": "OWASP SCVS L2 6.5" - }, - "id": "item-51" - }, - { - "priority group": "P14", - "incubating": "Expected", - "active": "Expected", - "retiring": "N/A", - "slug": "annualDependencyRefresh", - "title": "Refresh Dependencies with Annual Releases", - "section": "5. 
Vulnerability Management", - "description": "A new release to refresh dependencies occurs at least annually", - "how to": "", - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained", - "description": "OpenSSF Best Practices Badge Passing Level [maintained]" - }, - "id": "item-52" - }, - { - "priority group": "R1", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "useHwKeyGithubAccess", - "title": "Use AAL2/3 Passkeys for GitHub Access", - "section": "1. User Authentication", - "description": { - "url": "http://github.com/", - "description": "Github.com" - }, - "how to": { - "url": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "description": "OpenSSF Great MFA Project Security Rationale" - }, - "id": "item-53" - }, - { - "priority group": "R1", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "useHwKeyGithubNonInteractive", - "title": "Use AAL2/3 Passkeys for Non-Interactive GitHub Access", - "section": "1. 
User Authentication", - "description": "Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", - "how to": { - "url": "https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "description": "OpenSSF Great MFA Project Security Rationale" - }, - "id": "item-54" - }, - { - "priority group": "R1", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "useHwKeyOtherContexts", - "title": "Use AAL2/3 Passkeys in All Other Contexts", - "section": "1. User Authentication", - "description": "All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/308.html", - "description": "CWE-308" - }, - "sources": { - "url": "https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md", - "description": "OpenSSF Great MFA Project Security Rationale" - }, - "id": "item-55" - }, - { - "priority group": "R2", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "forkWorkflowApproval", - "title": "Require Approval for Forked Workflow Changes", - "section": "4. 
Github Workflows", - "description": "Limit changes from forks to workflows by requiring approval for all outside collaborators", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/180.html", - "description": "CAPEC-180" - }, - "sources": { - "url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories", - "description": "Github Docs" - }, - "id": "item-56" - }, - { - "priority group": "R2", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "workflowSecurityScanner", - "title": "Use Workflow Security Scanners", - "section": "4. Github Workflows", - "description": "Use a Workflow Security Scanner", - "how to": { - "url": "https://github.com/step-security/secure-repo", - "description": "Step Security secure-repo" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1047/", - "description": "M1047" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions", - "description": "OpenSSF Scorecard" - }, - "id": "item-57" - }, - { - "priority group": "R2", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "runnerSecurityScanner", - "title": "Use GitHub Runner Security Scanners", - "section": "4. 
Github Workflows", - "description": "Use a Github Runner Security Scanner", - "how to": { - "url": "https://github.com/step-security/harden-runner", - "description": "Step Security harden-runner" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1047/", - "description": "M1047" - }, - "sources": { - "url": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners", - "description": "Github Action Hardening Docs" - }, - "id": "item-58" - }, - { - "priority group": "R3", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "activeAdminsSixMonths", - "title": "Require Active Admins in GitHub Org (Activity in 6 Months)", - "section": "2. User Account Permissions", - "description": "Github Organization Admins Should Have Activity In The Last 6 Months", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1026/", - "description": "M1026" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-59" - }, - { - "priority group": "R3", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "activeWritersSixMonths", - "title": "Require Active Members with Write Access (Activity in 6 Months)", - "section": "2. 
User Account Permissions", - "description": "Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1026/", - "description": "M1026" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-60" - }, - { - "priority group": "R4", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "PRsBeforeMerge", - "title": "Require Pull Requests Before Merging", - "section": "9. Source Control", - "description": "Require Pull Requests before Merging", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://cwe.mitre.org/data/definitions/778.html", - "description": "CWE-778" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-61" - }, - { - "priority group": "R4", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "commitSignoffForWeb", - "title": "Enforce Commit Signoff for Web-Based Commits", - "section": "9. 
Source Control", - "description": "Github Org Requires Commit Signoff for Web-Based Commits", - "how to": { - "url": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", - "description": "CNCF SSCP 1.0 #325" - }, - "id": "item-62" - }, - { - "priority group": "R4", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "requireSignedCommits", - "title": "Require Signed Commits", - "section": "9. Source Control", - "description": "Require Signed Commits", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#require-signed-commits", - "description": "CNCF SSCP 1.0 #325" - }, - "id": "item-63" - }, - { - "priority group": "R5", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "includePackageLock", - "title": "Include package-lock.json in Releases (Freestanding Apps)", - "section": "10. 
Dependency Inventory", - "description": "[Freestanding Applications Only] Commit a package-lock.json file with each release", - "how to": { - "url": "https://docs.npmjs.com/cli/v10/commands/npm-sbom", - "description": "npm Docs" - }, - "c-scrm": "Y", - "mitre": "", - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sbom", - "description": "OpenSSF Scorecard" - }, - "id": "item-64" - }, - { - "priority group": "R6", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "requireTwoPartyReview", - "title": "Require Two-Party Review (Two+ Maintainers)", - "section": "8. Code Review", - "description": "[For Projects with Two or more Maintainers] Require Two Party Review", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/670.html", - "description": "CAPEC-670" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", - "description": "OpenSSF Scorecard" - }, - "id": "item-65" - }, - { - "priority group": "R6", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "requireCodeOwnersReviewForLargeTeams", - "title": "Require Code Owners Review (Four+ Maintainers)", - "section": "8. 
Code Review", - "description": "[For Projects with Four or more Maintainers] Require Code Owners Review", - "how to": { - "url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/670.html", - "description": "CAPEC-670" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review", - "description": "OpenSSF Scorecard" - }, - "id": "item-66" - }, - { - "priority group": "R6", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "requirePRApprovalForMainline", - "title": "Require Approved PRs for Mainline Commits (Two+ Maintainers)", - "section": "9. Source Control", - "description": "[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches", - "how to": { - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", - "description": "Github Docs" - }, - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/670.html", - "description": "CAPEC-670" - }, - "sources": { - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection", - "description": "OpenSSF Scorecard" - }, - "id": "item-67" - }, - { - "priority group": "R7", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "limitOrgOwners", - "title": "Limit GitHub Org Owners to Fewer Than Three", - "section": "2. 
User Account Permissions", - "description": "Limit Number of Github Org Owners (ideally Fewer Than Three)", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://attack.mitre.org/mitigations/M1026/", - "description": "M1026" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-68" - }, - { - "priority group": "R7", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "Recommended", - "slug": "limitRepoAdmins", - "title": "Limit GitHub Repo Admins to Fewer Than Three", - "section": "2. User Account Permissions", - "description": "Limit Number of Github Repository Admins (ideally Fewer Than Three)", - "how to": "", - "c-scrm": "Y", - "mitre": { - "url": "https://capec.mitre.org/data/definitions/180.html", - "description": "CAPEC-180" - }, - "sources": { - "url": "https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html", - "description": "OpenSSF SCM Best Practices" - }, - "id": "item-69" - }, - { - "priority group": "R8", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "patchExploitableHighVulns14Days", - "title": "Patch Critical/High Vulnerabilities in 14 Days", - "section": "5. Vulnerability Management", - "description": "Actively Exploited Critical and High Vulnerabilities Patched within 14 Days", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed", - "description": "OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]" - }, - "id": "item-70" - }, - { - "priority group": "R8", - "incubating": "Recommended", - "active": "Recommended", - "retiring": "N/A", - "slug": "patchExploitableNoncCriticalVulns60Days", - "title": "Patch Non-Critical Vulnerabilities in 60 Days", - "section": "5. 
Vulnerability Management", - "description": "Non-Critical Expoitable Vulnerabilities Patched within 60 Days", - "how to": "", - "c-scrm": "", - "mitre": "", - "sources": { - "url": "https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days", - "description": "OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]" - }, - "id": "item-71" - } -] \ No newline at end of file From 8187ece7ec630d1847ce13c959747461788492c2 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sun, 8 Dec 2024 01:54:14 +0100 Subject: [PATCH 2/2] docs: update documentation with the new workflows --- README.md | 10 ++++++---- docs/details/githubOrgMFA.mdx | 4 ++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d913b67..fcf99f1 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # OpenJS Security Program Standards -This Standard is designed to serve as an achievable minimum security baseline for OpenJS Foundation Project maintainers. More plainly said, this is intended to be used as an easily digested and actioned security checklist. +This repo contains the source code and infra used to build and the deploy the website: https://openjs-security-program-standards.netlify.app/. ## Website 
@@ -38,20 +38,22 @@ This command generates static content into the `build` directory and can be serv ## Manage Changes +Most of the content of this website is autogenerated with Github Actions, this include the content from [docs/implementations](/docs/implementations) and [docs/details](/docs/details) files. + ### Update the compliance checks 1. Go to [Actions: Sync and update Compliance Checks](https://github.com/secure-dashboards/openjs-security-program-standards/actions/workflows/sync_checks.yml) and run the action manually from the `main` branch. [how-to](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow) 2. This will generate a PR with the title `[AUTO] Sync with dashboard database` and it will assign it to you ([direct access](https://github.com/secure-dashboards/openjs-security-program-standards/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen++%5BAUTO%5D+Sync+with+dashboard+database+)). Please review the content and merge it when you feel ready. -### Update the website +### Manual update -Once you have updated the items, you can update the website by running the following commands: +Once you have updated the [data/checks.json](/data/checks.json) file, you can update the website by running the following commands: ```bash npm run populate-details npm run populate-implementations ``` -This will autopolulate the details and implementations sections of the website, respectively. Note that this will modify the folders `docs/details` and `docs/implementations` so make sure to commit the changes. +This will autopolulate the details and implementations sections of the website, respectively. So make sure to commit the changes. diff --git a/docs/details/githubOrgMFA.mdx b/docs/details/githubOrgMFA.mdx index 5cc649c..74a9f77 100644 --- a/docs/details/githubOrgMFA.mdx +++ b/docs/details/githubOrgMFA.mdx 
@@ -16,6 +16,10 @@ slug: /details/githubOrgMFA Multi Factor Authentication (MFA) Enforced Across the Github Organization +## Dashboard Inclusion + +We use the field `two_factor_requirement_enabled` from the GitHub Organization API to check if the project has enforced this policy. [More information](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43) + ## Details - Implementation Status: completed - Implementation Details: It is computed ([details](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43)).
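Review bot: before the deletion of `data/standards.json` and `data/standards.html` lands, confirm that nothing in the repo still reads them; the second patch points the manual workflow at `data/checks.json` instead ("Once you have updated the [data/checks.json](/data/checks.json) file"), so the `npm run populate-details` and `npm run populate-implementations` scripts should be checked for any remaining import of the old paths, and the commit message would be clearer with a one-line pointer to what replaced them. Some of the removed records also carried defects (item-66 `requireCodeOwnersReviewForLargeTeams` has a "how to" URL pointing at the secret-scanning docs; the slug `patchExploitableNoncCriticalVulns60Days` and the description text "Expoitable" are misspelled), so if these records were migrated into `data/checks.json`, verify that those errors were not carried over.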
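Review bot: the replacement line in the README intro hunk has a typo, "build and the deploy the website" should read "build and deploy the website". It also drops the only sentence that says what the Standard is (an achievable minimum security baseline for OpenJS Foundation project maintainers); suggest keeping that sentence and adding the repository description after it, e.g. `This Standard is designed to serve as an achievable minimum security baseline for OpenJS Foundation Project maintainers.` followed by `This repo contains the source code and infra used to build and deploy the website: https://openjs-security-program-standards.netlify.app/.`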
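Review bot: in the "Manage Changes" hunk the added paragraph has a grammar error, "this include" should be "this includes", and the comma after "Github Actions" joins two sentences; a full stop or semicolon is needed. In the last changed line the existing typo "autopolulate" is kept and the note about which folders are modified is removed, leaving "So make sure to commit the changes." as a fragment; suggest `This will autopopulate the details and implementations sections of the website, respectively. This modifies the folders `docs/details` and `docs/implementations`, so make sure to commit the changes.` Since the new paragraph states that these folders are autogenerated, it would also help to say whether a manual run should be followed by a PR or whether the sync workflow will overwrite it.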
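Review bot: this hunk edits `docs/details/githubOrgMFA.mdx` by hand, but the README change in the same patch states that `docs/details` is autogenerated (`npm run populate-details` and the sync workflow), so the new "Dashboard Inclusion" section will be lost the next time the generator runs unless it is added to the data source or the generator template instead. The new section also links the same issue (#43) as "More information" that the "Details" list directly below already links as "(details)"; one link would do. Finally, the sentence should name which endpoint of the GitHub Organization API returns `two_factor_requirement_enabled`, so a reader can reproduce the check.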