diff --git a/README.md b/README.md index fcf99f1..e95c288 100644 --- a/README.md +++ b/README.md @@ -57,3 +57,17 @@ npm run populate-implementations This will autopolulate the details and implementations sections of the website, respectively. So make sure to commit the changes. +### Improve the content via PR(s) + +If you want to enhance any page, you can do so as you would in any other project (via a Pull Request, [example](https://github.com/secure-dashboards/openjs-security-program-standards/pull/9)). However, please note certain rules, as some parts of the files are dynamically generated, and your changes could be overwritten. + +**Rules** +1. Metadata is added automatically. Manual additions or modifications to metadata are not allowed. +2. You can contribute any content to any file, but avoid making changes within the sections enclosed by specific tags, as these sections are dynamically generated. For example: + ```plaintext + OK + + AVOID (AUTOMATED) + + OK + ``` \ No newline at end of file diff --git a/docs/details/MFAImpersonationDefense.mdx b/docs/details/MFAImpersonationDefense.mdx index d5decac..887cd88 100644 --- a/docs/details/MFAImpersonationDefense.mdx +++ b/docs/details/MFAImpersonationDefense.mdx @@ -5,17 +5,19 @@ title: Use MFA against impersonation slug: /details/MFAImpersonationDefense --- -# Use MFA against impersonation - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description +Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available + -Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available - + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -25,4 +27,4 @@ Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/PRsBeforeMerge.mdx b/docs/details/PRsBeforeMerge.mdx index 8f655bb..af3cd1f 100644 --- a/docs/details/PRsBeforeMerge.mdx +++ b/docs/details/PRsBeforeMerge.mdx @@ -5,17 +5,19 @@ title: Require Pull Requests Before Merging slug: /details/PRsBeforeMerge --- -# Require Pull Requests Before Merging - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Require Pull Requests before Merging + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Require Pull Requests before Merging - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/SSHKeysRequired.mdx b/docs/details/SSHKeysRequired.mdx index df37c69..58e66b9 100644 --- a/docs/details/SSHKeysRequired.mdx +++ b/docs/details/SSHKeysRequired.mdx @@ -5,17 +5,19 @@ title: Use SSH Keys with Passphrases for Repository Access slug: /details/SSHKeysRequired --- -# Use SSH Keys with Passphrases for Repository Access - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Use SSH keys for developer access to source code repositories and use a passphrase + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -25,4 +27,4 @@ Use SSH keys for developer access to source code repositories and use a passphra - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/about-ssh) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/activeAdminsSixMonths.mdx b/docs/details/activeAdminsSixMonths.mdx index fdc6f9c..4afce06 100644 --- a/docs/details/activeAdminsSixMonths.mdx +++ b/docs/details/activeAdminsSixMonths.mdx @@ -5,17 +5,19 @@ title: Require Active Admins in GitHub Org (Activity in 6 Months) slug: /details/activeAdminsSixMonths --- -# Require Active Admins in GitHub Org (Activity in 6 Months) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - Github Organization Admins Should Have Activity In The Last 6 Months + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Github Organization Admins Should Have Activity In The Last 6 Months - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_admin_found.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/activeWritersSixMonths.mdx b/docs/details/activeWritersSixMonths.mdx index fafa499..ecaefe2 100644 --- a/docs/details/activeWritersSixMonths.mdx +++ b/docs/details/activeWritersSixMonths.mdx @@ -5,17 +5,19 @@ title: Require Active Members with Write Access (Activity in 6 Months) slug: /details/activeWritersSixMonths --- -# Require Active Members with Write Access (Activity in 6 Months) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -24,4 +26,4 @@ Github Organization Members with Write Permissions Should Have Activity In The L - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/stale_member_found.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/adminRepoCreationOnly.mdx b/docs/details/adminRepoCreationOnly.mdx index d17a0ff..1327b29 100644 --- a/docs/details/adminRepoCreationOnly.mdx +++ b/docs/details/adminRepoCreationOnly.mdx @@ -5,17 +5,19 @@ title: Allow Only Admins to Create Public Repositories slug: /details/adminRepoCreationOnly --- -# Allow Only Admins to Create Public Repositories - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Only Admins Should Be Able To Create Public Repositories + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Only Admins Should Be Able To Create Public Repositories - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/annualDependencyRefresh.mdx b/docs/details/annualDependencyRefresh.mdx index 2921cb9..6e38d10 100644 --- a/docs/details/annualDependencyRefresh.mdx +++ b/docs/details/annualDependencyRefresh.mdx @@ -5,17 +5,19 @@ title: Refresh Dependencies with Annual Releases slug: /details/annualDependencyRefresh --- -# Refresh Dependencies with Annual Releases - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - A new release to refresh dependencies occurs at least annually + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -23,4 +25,4 @@ A new release to refresh dependencies occurs at least annually - Sources: [OpenSSF Best Practices Badge Passing Level [maintained]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.maintained) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/assignCVEForKnownVulns.mdx b/docs/details/assignCVEForKnownVulns.mdx index a4bec15..9610b20 100644 --- a/docs/details/assignCVEForKnownVulns.mdx +++ b/docs/details/assignCVEForKnownVulns.mdx @@ -5,17 +5,19 @@ title: Assign CVEs to All Known Security Vulnerabilities slug: /details/assignCVEForKnownVulns --- -# Assign CVEs to All Known Security Vulnerabilities - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - All Known Security Vulnerabilities are Issued a CVE + + ## Details - Implementation Status: pending - C-SCRM: true @@ -23,4 +25,4 @@ All Known Security Vulnerabilities are Issued a CVE - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/automateDependencyManagement.mdx b/docs/details/automateDependencyManagement.mdx index bfb944d..4b13130 100644 --- a/docs/details/automateDependencyManagement.mdx +++ b/docs/details/automateDependencyManagement.mdx @@ -5,17 +5,19 @@ title: Automate Monitoring of Outdated Dependencies slug: /details/automateDependencyManagement --- -# Automate Monitoring of Outdated Dependencies - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -24,4 +26,4 @@ Automated Process is Used to Monitor for and Maintain a List of Out of Date Depe - How To: [Socket.Dev](https://socket.dev/) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/automateVulnDetection.mdx b/docs/details/automateVulnDetection.mdx index 57b0472..619af20 100644 --- a/docs/details/automateVulnDetection.mdx +++ b/docs/details/automateVulnDetection.mdx @@ -5,17 +5,19 @@ title: Automate Dependency Vulnerability Identification slug: /details/automateVulnDetection --- -# Automate Dependency Vulnerability Identification - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - An automated process to identify dependencies with publicly disclosed vulnerabilities + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ An automated process to identify dependencies with publicly disclosed vulnerabil - How To: [Github Docs](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/blockWorkflowPRApproval.mdx b/docs/details/blockWorkflowPRApproval.mdx index 7329a31..08b2406 100644 --- a/docs/details/blockWorkflowPRApproval.mdx +++ b/docs/details/blockWorkflowPRApproval.mdx @@ -5,17 +5,19 @@ title: Prevent Workflows from Creating or Approving PRs slug: /details/blockWorkflowPRApproval --- -# Prevent Workflows from Creating or Approving PRs - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Workflows are not Allowed To Create or Approve Pull Requests + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -25,4 +27,4 @@ Workflows are not Allowed To Create or Approve Pull Requests - How To: [Github Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/ciAndCdPipelineAsCode.mdx b/docs/details/ciAndCdPipelineAsCode.mdx index afa55c0..50917e4 100644 --- a/docs/details/ciAndCdPipelineAsCode.mdx +++ b/docs/details/ciAndCdPipelineAsCode.mdx @@ -5,17 +5,19 @@ title: Automate CI/CD Steps in Code-Based Pipelines slug: /details/ciAndCdPipelineAsCode --- -# Automate CI/CD Steps in Code-Based Pipelines - ## Use Case + - Incubating: deferrable - Active: expected - Retiring: n/a + + ## Description - CI/CD steps should all be automated through a pipeline defined as code + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ CI/CD steps should all be automated through a pipeline defined as code - How To: [Github Docs](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/commitSignoffForWeb.mdx b/docs/details/commitSignoffForWeb.mdx index 8f14976..4d7a0fc 100644 --- a/docs/details/commitSignoffForWeb.mdx +++ b/docs/details/commitSignoffForWeb.mdx @@ -5,17 +5,19 @@ title: Enforce Commit Signoff for Web-Based Commits slug: /details/commitSignoffForWeb --- -# Enforce Commit Signoff for Web-Based Commits - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Github Org Requires Commit Signoff for Web-Based Commits + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -24,4 +26,4 @@ Github Org Requires Commit Signoff for Web-Based Commits - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization#managing-compulsory-commit-signoffs-for-your-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/commitStatusChecks.mdx b/docs/details/commitStatusChecks.mdx index bf604ee..2c5c36d 100644 --- a/docs/details/commitStatusChecks.mdx +++ b/docs/details/commitStatusChecks.mdx @@ -5,17 +5,19 @@ title: Require Commit Status Checks to Pass Before Merging slug: /details/commitStatusChecks --- -# Require Commit Status Checks to Pass Before Merging - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - All Required Commit Status Checks must pass before Merging + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ All Required Commit Status Checks must pass before Merging - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/consistentBuildProcessDocs.mdx b/docs/details/consistentBuildProcessDocs.mdx index d5147c9..e453b76 100644 --- a/docs/details/consistentBuildProcessDocs.mdx +++ b/docs/details/consistentBuildProcessDocs.mdx @@ -5,17 +5,19 @@ title: Document Consistent and Automated Build Processes slug: /details/consistentBuildProcessDocs --- -# Document Consistent and Automated Build Processes - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Consistent and Automated Build Process is Documented and Used + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -23,4 +25,4 @@ Consistent and Automated Build Process is Documented and Used - Mitre: [CWE-1068](https://cwe.mitre.org/data/definitions/1068.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/defaultTokenPermissionsReadOnly.mdx b/docs/details/defaultTokenPermissionsReadOnly.mdx index 60a2fe1..928a364 100644 --- a/docs/details/defaultTokenPermissionsReadOnly.mdx +++ b/docs/details/defaultTokenPermissionsReadOnly.mdx @@ -5,17 +5,19 @@ title: Set Default GitHub Workflow Token Permissions to Read Only slug: /details/defaultTokenPermissionsReadOnly --- -# Set Default GitHub Workflow Token Permissions to Read Only - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Github Org Default Workflow Token Permissions are Set to Read Only + + ## Details - Implementation Status: pending - C-SCRM: true @@ -23,4 +25,4 @@ Github Org Default Workflow Token Permissions are Set to Read Only - Mitre: [CWE-250](https://cwe.mitre.org/data/definitions/250.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/defineFunctionalRoles.mdx b/docs/details/defineFunctionalRoles.mdx index dba399c..6e8c498 100644 --- a/docs/details/defineFunctionalRoles.mdx +++ b/docs/details/defineFunctionalRoles.mdx @@ -5,17 +5,19 @@ title: Define Roles Aligned to Functional Responsibilities slug: /details/defineFunctionalRoles --- -# Define Roles Aligned to Functional Responsibilities - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Define roles aligned to functional responsibilities + + ## Details - Implementation Status: pending - C-SCRM: true 
@@ -25,4 +27,4 @@ Define roles aligned to functional responsibilities - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/forkWorkflowApproval.mdx b/docs/details/forkWorkflowApproval.mdx index 92d9970..71b5714 100644 --- a/docs/details/forkWorkflowApproval.mdx +++ b/docs/details/forkWorkflowApproval.mdx @@ -5,17 +5,19 @@ title: Require Approval for Forked Workflow Changes slug: /details/forkWorkflowApproval --- -# Require Approval for Forked Workflow Changes - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Limit changes from forks to workflows by requiring approval for all outside collaborators + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Limit changes from forks to workflows by requiring approval for all outside coll - Sources: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/githubOrgMFA.mdx b/docs/details/githubOrgMFA.mdx index 74a9f77..f9fcc9a 100644 --- a/docs/details/githubOrgMFA.mdx +++ b/docs/details/githubOrgMFA.mdx 
@@ -5,21 +5,23 @@ title: Enforce MFA in GitHub Organization(s) slug: /details/githubOrgMFA --- -# Enforce MFA in GitHub Organization(s) - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Multi Factor Authentication (MFA) Enforced Across the Github Organization + ## Dashboard Inclusion We use the field `two_factor_requirement_enabled` from the GitHub Organization API to check if the project has enforced this policy. [More information](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43) + ## Details - Implementation Status: completed - Implementation Details: It is computed ([details](https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43)). @@ -30,4 +32,4 @@ We use the field `two_factor_requirement_enabled` from the GitHub Organization A - How To: [Github Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/githubWebhookSecrets.mdx b/docs/details/githubWebhookSecrets.mdx index 82033de..dd5acec 100644 --- a/docs/details/githubWebhookSecrets.mdx +++ b/docs/details/githubWebhookSecrets.mdx @@ -5,17 +5,19 @@ title: Secure GitHub Webhooks with Secrets slug: /details/githubWebhookSecrets --- -# Secure GitHub Webhooks with Secrets - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Github Webhooks Use Secrets + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Github Webhooks Use Secrets - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + 
diff --git a/docs/details/githubWriteAccessRoles.mdx b/docs/details/githubWriteAccessRoles.mdx index 1b03f89..7963a63 100644 --- a/docs/details/githubWriteAccessRoles.mdx +++ b/docs/details/githubWriteAccessRoles.mdx @@ -5,17 +5,19 @@ title: Define Teams/Individuals with Write Access to Repositories slug: /details/githubWriteAccessRoles --- -# Define Teams/Individuals with Write Access to Repositories - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Define Individuals/Teams who Write Access to a Github Repo + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Define Individuals/Teams who Write Access to a Github Repo - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/identifyModifiedDependencies.mdx b/docs/details/identifyModifiedDependencies.mdx index e0b706b..041fab9 100644 --- a/docs/details/identifyModifiedDependencies.mdx +++ b/docs/details/identifyModifiedDependencies.mdx @@ -5,17 +5,19 @@ title: Uniquely Identify Modified Dependencies slug: /details/identifyModifiedDependencies --- -# Uniquely Identify Modified Dependencies - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Modified dependencies are uniquely identified and distinct from origin dependency + + ## Details - Implementation Status: pending - C-SCRM: true @@ -23,4 +25,4 @@ Modified dependencies are uniquely identified and distinct from origin dependenc - Sources: [OWASP SCVS L2 6.5](https://scvs.owasp.org/scvs/v6-pedigree-and-provenance/) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/incidentResponsePlan.mdx b/docs/details/incidentResponsePlan.mdx index 16f4447..76a33cb 100644 
--- a/docs/details/incidentResponsePlan.mdx +++ b/docs/details/incidentResponsePlan.mdx @@ -5,17 +5,19 @@ title: Define Clear Communication and Incident Response Plans slug: /details/incidentResponsePlan --- -# Define Clear Communication and Incident Response Plans - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Establish a Clear Communication and Incident Response Plan + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Establish a Clear Communication and Incident Response Plan - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/#operations) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/includeCVEInReleaseNotes.mdx b/docs/details/includeCVEInReleaseNotes.mdx index 8c1bd17..b8c31c7 100644 --- a/docs/details/includeCVEInReleaseNotes.mdx +++ b/docs/details/includeCVEInReleaseNotes.mdx @@ -5,17 +5,19 @@ title: Include CVE IDs in Release Notes for Security Fixes slug: /details/includeCVEInReleaseNotes --- -# Include CVE IDs in Release Notes for Security Fixes - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Release Notes must Include the CVE ID of Patched Security Vulnerabilities + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Release Notes must Include the CVE ID of Patched Security Vulnerabilities - Sources: [OpenSSF Best Practices Badge Passing Level [release_notes_vulns]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.release_notes_vulns) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/includePackageLock.mdx b/docs/details/includePackageLock.mdx index 6aec405..a4fbead 100644 --- a/docs/details/includePackageLock.mdx +++ b/docs/details/includePackageLock.mdx 
@@ -5,17 +5,19 @@ title: Include package-lock.json in Releases (Freestanding Apps) slug: /details/includePackageLock --- -# Include package-lock.json in Releases (Freestanding Apps) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - [Freestanding Applications Only] Commit a package-lock.json file with each release + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ slug: /details/includePackageLock - How To: [npm Docs](https://docs.npmjs.com/cli/v10/commands/npm-sbom) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/injectedSecretsAtRuntime.mdx b/docs/details/injectedSecretsAtRuntime.mdx index 9a05c0e..e6002f8 100644 --- a/docs/details/injectedSecretsAtRuntime.mdx +++ b/docs/details/injectedSecretsAtRuntime.mdx @@ -5,17 +5,19 @@ title: Ensure that the secrets are injected at runtime slug: /details/injectedSecretsAtRuntime --- -# Ensure that the secrets are injected at runtime - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets) + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Secrets are injected at runtime, such as environment variables or as a file (eg: - How To: [Github Docs](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/limitOrgOwners.mdx b/docs/details/limitOrgOwners.mdx index 8138e56..5d4c8c5 100644 --- a/docs/details/limitOrgOwners.mdx +++ b/docs/details/limitOrgOwners.mdx 
@@ -5,17 +5,19 @@ title: Limit GitHub Org Owners to Fewer Than Three slug: /details/limitOrgOwners --- -# Limit GitHub Org Owners to Fewer Than Three - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Limit Number of Github Org Owners (ideally Fewer Than Three) + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Limit Number of Github Org Owners (ideally Fewer Than Three) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/member/organization_has_too_many_admins.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/limitRepoAdmins.mdx b/docs/details/limitRepoAdmins.mdx index ff85257..ca36cd7 100644 --- a/docs/details/limitRepoAdmins.mdx +++ b/docs/details/limitRepoAdmins.mdx @@ -5,17 +5,19 @@ title: Limit GitHub Repo Admins to Fewer Than Three slug: /details/limitRepoAdmins --- -# Limit GitHub Repo Admins to Fewer Than Three - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Limit Number of Github Repository Admins (ideally Fewer Than Three) + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Limit Number of Github Repository Admins (ideally Fewer Than Three) - Sources: [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/repository/repository_has_too_many_admins.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/limitWorkflowWritePermissions.mdx b/docs/details/limitWorkflowWritePermissions.mdx index e40377f..8217ff8 100644 --- a/docs/details/limitWorkflowWritePermissions.mdx +++ b/docs/details/limitWorkflowWritePermissions.mdx 
@@ -5,17 +5,19 @@ title: Limit Workflow Write Permissions to Job-Level slug: /details/limitWorkflowWritePermissions --- -# Limit Workflow Write Permissions to Job-Level - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Only Allow Workflows Write Permissions at the Job-Level + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Only Allow Workflows Write Permissions at the Job-Level - How To: [Github Docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/machineReadableDependencies.mdx b/docs/details/machineReadableDependencies.mdx index 74ade2b..27b3455 100644 --- a/docs/details/machineReadableDependencies.mdx +++ b/docs/details/machineReadableDependencies.mdx @@ -5,17 +5,19 @@ title: Provide Machine-Readable Dependency Lists slug: /details/machineReadableDependencies --- -# Provide Machine-Readable Dependency Lists - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - [Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ slug: /details/machineReadableDependencies - How To: [Github Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/noArbitraryCodeInPipeline.mdx b/docs/details/noArbitraryCodeInPipeline.mdx index 01de762..10c0d10 100644 --- a/docs/details/noArbitraryCodeInPipeline.mdx +++ b/docs/details/noArbitraryCodeInPipeline.mdx 
@@ -5,17 +5,19 @@ title: Restrict Build Pipeline Code Execution to Build Scripts slug: /details/noArbitraryCodeInPipeline --- -# Restrict Build Pipeline Code Execution to Build Scripts - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/noForcePushDefaultBranch.mdx b/docs/details/noForcePushDefaultBranch.mdx index 53ba4d9..d01ee8e 100644 --- a/docs/details/noForcePushDefaultBranch.mdx +++ b/docs/details/noForcePushDefaultBranch.mdx @@ -5,17 +5,19 @@ title: Disable Force Push on Default Branch slug: /details/noForcePushDefaultBranch --- -# Disable Force Push on Default Branch - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Prevent Force Push on Default Branch + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Prevent Force Push on Default Branch - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/noSelfHostedRunners.mdx b/docs/details/noSelfHostedRunners.mdx index 3671f34..ce10c5d 100644 --- a/docs/details/noSelfHostedRunners.mdx +++ b/docs/details/noSelfHostedRunners.mdx 
@@ -5,17 +5,19 @@ title: Disable Self-Hosted Runners in GitHub Org slug: /details/noSelfHostedRunners --- -# Disable Self-Hosted Runners in GitHub Org - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Disable use of Self-Hosted Runners in Github Org + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Disable use of Self-Hosted Runners in Github Org - How To: [Github Docs](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/noSensitiveInfoInRepositories.mdx b/docs/details/noSensitiveInfoInRepositories.mdx index 1e3ff3d..77249c2 100644 --- a/docs/details/noSensitiveInfoInRepositories.mdx +++ b/docs/details/noSensitiveInfoInRepositories.mdx @@ -5,17 +5,19 @@ title: Check sensitive information slug: /details/noSensitiveInfoInRepositories --- -# Check sensitive information - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - No Secrets and Credentials in Source Code + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ No Secrets and Credentials in Source Code - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/npmOrgMFA.mdx b/docs/details/npmOrgMFA.mdx index 64b8981..1756f33 100644 --- a/docs/details/npmOrgMFA.mdx +++ b/docs/details/npmOrgMFA.mdx 
@@ -5,17 +5,19 @@ title: Enforce MFA in npm Organization(s) slug: /details/npmOrgMFA --- -# Enforce MFA in npm Organization(s) - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Multi Factor Authentication (MFA) Enforced Across the npm Organization + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Multi Factor Authentication (MFA) Enforced Across the npm Organization - How To: [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/npmPublicationMFA.mdx b/docs/details/npmPublicationMFA.mdx index 00e93a0..817d22c 100644 --- a/docs/details/npmPublicationMFA.mdx +++ b/docs/details/npmPublicationMFA.mdx @@ -5,17 +5,19 @@ title: Publish to npm Using MFA-Enabled Accounts slug: /details/npmPublicationMFA --- -# Publish to npm Using MFA-Enabled Accounts - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Publish to npm using an MFA-enabled account rather than single factor legacy or - Sources: [npm Docs](https://docs.npmjs.com/creating-and-viewing-access-tokens) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/orgToolingMFA.mdx b/docs/details/orgToolingMFA.mdx index af31709..591c0ba 100644 --- a/docs/details/orgToolingMFA.mdx +++ b/docs/details/orgToolingMFA.mdx 
@@ -5,17 +5,19 @@ title: Enforce MFA in all the tools slug: /details/orgToolingMFA --- -# Enforce MFA in all the tools - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible + + ## Details - Implementation Status: pending - C-SCRM: false @@ -24,4 +26,4 @@ Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Fea - Sources: [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/owaspTop10Training.mdx b/docs/details/owaspTop10Training.mdx index 2a93fae..2410f71 100644 --- a/docs/details/owaspTop10Training.mdx +++ b/docs/details/owaspTop10Training.mdx @@ -5,17 +5,19 @@ title: Training on OWASP Top 10 or Equivalent slug: /details/owaspTop10Training --- -# Training on OWASP Top 10 or Equivalent - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent + + ## Details - Implementation Status: pending - C-SCRM: false @@ -24,4 +26,4 @@ At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equiva - Sources: [OpenSSF Best Practices Badge Passing Level [know_common_errors]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_common_errors) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/patchCriticalVulns30Days.mdx b/docs/details/patchCriticalVulns30Days.mdx index 7ed73ed..d02c70e 100644 --- a/docs/details/patchCriticalVulns30Days.mdx +++ b/docs/details/patchCriticalVulns30Days.mdx 
@@ -5,17 +5,19 @@ title: Patch Actively Exploited Critical Vulnerabilities within 30 Days slug: /details/patchCriticalVulns30Days --- -# Patch Actively Exploited Critical Vulnerabilities within 30 Days - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Actively Exploited Critical Vulnerabilities Patched within 30 Days + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Actively Exploited Critical Vulnerabilities Patched within 30 Days - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/patchExploitableHighVulns14Days.mdx b/docs/details/patchExploitableHighVulns14Days.mdx index b070762..7e024e6 100644 --- a/docs/details/patchExploitableHighVulns14Days.mdx +++ b/docs/details/patchExploitableHighVulns14Days.mdx @@ -5,17 +5,19 @@ title: Patch Critical/High Vulnerabilities in 14 Days slug: /details/patchExploitableHighVulns14Days --- -# Patch Critical/High Vulnerabilities in 14 Days - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - Actively Exploited Critical and High Vulnerabilities Patched within 14 Days + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Actively Exploited Critical and High Vulnerabilities Patched within 14 Days - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_critical_fixed) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/patchExploitableNoncCriticalVulns60Days.mdx b/docs/details/patchExploitableNoncCriticalVulns60Days.mdx index 953f3fa..b579a11 100644 --- a/docs/details/patchExploitableNoncCriticalVulns60Days.mdx 
+++ b/docs/details/patchExploitableNoncCriticalVulns60Days.mdx @@ -5,17 +5,19 @@ title: Patch Non-Critical Vulnerabilities in 60 Days slug: /details/patchExploitableNoncCriticalVulns60Days --- -# Patch Non-Critical Vulnerabilities in 60 Days - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - Non-Critical Expoitable Vulnerabilities Patched within 60 Days + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Non-Critical Expoitable Vulnerabilities Patched within 60 Days - Sources: [OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]](https://www.bestpractices.dev/en/criteria#0.vulnerabilities_fixed_60_days) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/patchNonCriticalVulns90Days.mdx b/docs/details/patchNonCriticalVulns90Days.mdx index f2c108f..7fd1632 100644 --- a/docs/details/patchNonCriticalVulns90Days.mdx +++ b/docs/details/patchNonCriticalVulns90Days.mdx @@ -5,17 +5,19 @@ title: Patch Non-Critical Vulnerabilities within 90 Days slug: /details/patchNonCriticalVulns90Days --- -# Patch Non-Critical Vulnerabilities within 90 Days - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Non-Critical Exploitable Vulnerabilities Patched within 90 Days + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Non-Critical Exploitable Vulnerabilities Patched within 90 Days - Sources: [Google Project Zero Vulnerability Disclosure Policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/pinActionsToSHA.mdx b/docs/details/pinActionsToSHA.mdx index bc99515..3636c5c 100644 --- a/docs/details/pinActionsToSHA.mdx +++ b/docs/details/pinActionsToSHA.mdx 
@@ -5,17 +5,19 @@ title: Pin Actions with Secrets to Full-Length Commit SHAs slug: /details/pinActionsToSHA --- -# Pin Actions with Secrets to Full-Length Commit SHAs - ## Use Case + - Incubating: deferrable - Active: expected - Retiring: n/a + + ## Description - Pin Actions with Access to Secrets to a Full Length Commit SHA + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Pin Actions with Access to Secrets to a Full Length Commit SHA - Sources: [Github Docs](https://securitylab.github.com/research/github-actions-building-blocks/) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/preventBranchProtectionBypass.mdx b/docs/details/preventBranchProtectionBypass.mdx index 72722bf..0f75082 100644 --- a/docs/details/preventBranchProtectionBypass.mdx +++ b/docs/details/preventBranchProtectionBypass.mdx @@ -5,17 +5,19 @@ title: Prevent Admins from Bypassing Branch Protection slug: /details/preventBranchProtectionBypass --- -# Prevent Admins from Bypassing Branch Protection - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/preventBranchProtectionBypass - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/preventDeletionDefaultBranch.mdx b/docs/details/preventDeletionDefaultBranch.mdx index 685000f..02c06f1 100644 --- a/docs/details/preventDeletionDefaultBranch.mdx +++ b/docs/details/preventDeletionDefaultBranch.mdx 
@@ -5,17 +5,19 @@ title: Prevent Deletion of Default Branch slug: /details/preventDeletionDefaultBranch --- -# Prevent Deletion of Default Branch - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Prevent Default Branch Deletion + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Prevent Default Branch Deletion - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/preventLandingSensitiveCommits.mdx b/docs/details/preventLandingSensitiveCommits.mdx index 49b45af..ce89ef0 100644 --- a/docs/details/preventLandingSensitiveCommits.mdx +++ b/docs/details/preventLandingSensitiveCommits.mdx @@ -5,17 +5,19 @@ title: Block New Commits with Secrets or Credentials slug: /details/preventLandingSensitiveCommits --- -# Block New Commits with Secrets or Credentials - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - New Commits Containing Secrets or Credentials are Blocked from Merging + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ New Commits Containing Secrets or Credentials are Blocked from Merging - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/preventScriptInjection.mdx b/docs/details/preventScriptInjection.mdx index 1d16b6f..599c8d3 100644 --- a/docs/details/preventScriptInjection.mdx +++ b/docs/details/preventScriptInjection.mdx 
@@ -5,17 +5,19 @@ title: Avoid Script Injection from Untrusted Variables slug: /details/preventScriptInjection --- -# Avoid Script Injection from Untrusted Variables - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Avoid Script Injection from Untrusted Context Variables + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Avoid Script Injection from Untrusted Context Variables - How To: [Github Docs](https://securitylab.github.com/research/github-actions-untrusted-input/) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/regressionTestsForVulns.mdx b/docs/details/regressionTestsForVulns.mdx index b2901d7..6e15f41 100644 --- a/docs/details/regressionTestsForVulns.mdx +++ b/docs/details/regressionTestsForVulns.mdx @@ -5,17 +5,19 @@ title: Create Regression Tests for Bugs and Security Vulnerabilities slug: /details/regressionTestsForVulns --- -# Create Regression Tests for Bugs and Security Vulnerabilities - ## Use Case + - Incubating: deferrable - Active: expected - Retiring: n/a + + ## Description - Regression Tests for => 50% of Bugs and 100% of Security Vulns + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Regression Tests for => 50% of Bugs and 100% of Security Vulns - Sources: [OpenSSF Best Practices Badge Silver Level [regression_tests_added50]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.regression_tests_added50) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/requireCodeOwnersReviewForLargeTeams.mdx b/docs/details/requireCodeOwnersReviewForLargeTeams.mdx index 2adf613..6c44be8 100644 --- a/docs/details/requireCodeOwnersReviewForLargeTeams.mdx +++ b/docs/details/requireCodeOwnersReviewForLargeTeams.mdx 
@@ -5,17 +5,19 @@ title: Require Code Owners Review (Four+ Maintainers) slug: /details/requireCodeOwnersReviewForLargeTeams --- -# Require Code Owners Review (Four+ Maintainers) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - [For Projects with Four or more Maintainers] Require Code Owners Review + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/requireCodeOwnersReviewForLargeTeams - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/requirePRApprovalForMainline.mdx b/docs/details/requirePRApprovalForMainline.mdx index 5aba532..53c746f 100644 --- a/docs/details/requirePRApprovalForMainline.mdx +++ b/docs/details/requirePRApprovalForMainline.mdx @@ -5,17 +5,19 @@ title: Require Approved PRs for Mainline Commits (Two+ Maintainers) slug: /details/requirePRApprovalForMainline --- -# Require Approved PRs for Mainline Commits (Two+ Maintainers) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - [For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/requirePRApprovalForMainline - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/requireSignedCommits.mdx b/docs/details/requireSignedCommits.mdx index 2fc8552..fd018f7 100644 --- a/docs/details/requireSignedCommits.mdx +++ b/docs/details/requireSignedCommits.mdx 
@@ -5,17 +5,19 @@ title: Require Signed Commits slug: /details/requireSignedCommits --- -# Require Signed Commits - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Require Signed Commits + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Require Signed Commits - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/requireTwoPartyReview.mdx b/docs/details/requireTwoPartyReview.mdx index 1cf94ca..6a32a8e 100644 --- a/docs/details/requireTwoPartyReview.mdx +++ b/docs/details/requireTwoPartyReview.mdx @@ -5,17 +5,19 @@ title: Require Two-Party Review (Two+ Maintainers) slug: /details/requireTwoPartyReview --- -# Require Two-Party Review (Two+ Maintainers) - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: n/a + + ## Description - [For Projects with Two or more Maintainers] Require Two Party Review + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/requireTwoPartyReview - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/resolveLinterWarnings.mdx b/docs/details/resolveLinterWarnings.mdx index cef40ae..8809b01 100644 --- a/docs/details/resolveLinterWarnings.mdx +++ b/docs/details/resolveLinterWarnings.mdx 
@@ -5,17 +5,19 @@ title: Address Compiler/Linter Warnings Before Merging slug: /details/resolveLinterWarnings --- -# Address Compiler/Linter Warnings Before Merging - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Compilers/Linter Warnings Addressed in order to Merge + + ## Details - Implementation Status: pending - C-SCRM: false @@ -25,4 +27,4 @@ Compilers/Linter Warnings Addressed in order to Merge - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/restrictOrgSecrets.mdx b/docs/details/restrictOrgSecrets.mdx index 9bfed8e..a2b3543 100644 --- a/docs/details/restrictOrgSecrets.mdx +++ b/docs/details/restrictOrgSecrets.mdx @@ -5,17 +5,19 @@ title: Restrict GitHub Org Secrets to Specific Repositories slug: /details/restrictOrgSecrets --- -# Restrict GitHub Org Secrets to Specific Repositories - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - GitHub Organization Secrets are Restricted to Selected Repositories + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ GitHub Organization Secrets are Restricted to Selected Repositories - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/restrictedOrgPermissions.mdx b/docs/details/restrictedOrgPermissions.mdx index f7be807..da715ab 100644 --- a/docs/details/restrictedOrgPermissions.mdx +++ b/docs/details/restrictedOrgPermissions.mdx 
@@ -5,17 +5,19 @@ title: Restrict Default GitHub Org Member Permissions slug: /details/restrictedOrgPermissions --- -# Restrict Default GitHub Org Member Permissions - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Default Github Org Member Permissions Should Be Restricted + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Default Github Org Member Permissions Should Be Restricted - How To: [Github Docs](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/runnerSecurityScanner.mdx b/docs/details/runnerSecurityScanner.mdx index 7d5e82f..aaa0f5b 100644 --- a/docs/details/runnerSecurityScanner.mdx +++ b/docs/details/runnerSecurityScanner.mdx @@ -5,17 +5,19 @@ title: Use GitHub Runner Security Scanners slug: /details/runnerSecurityScanner --- -# Use GitHub Runner Security Scanners - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Use a Github Runner Security Scanner + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Use a Github Runner Security Scanner - How To: [Step Security harden-runner](https://github.com/step-security/harden-runner) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/scanCommitsForSensitiveInfo.mdx b/docs/details/scanCommitsForSensitiveInfo.mdx index 4c87661..0ba41c4 100644 --- a/docs/details/scanCommitsForSensitiveInfo.mdx +++ b/docs/details/scanCommitsForSensitiveInfo.mdx 
@@ -5,17 +5,19 @@ title: Ensure that all the commits are scanned slug: /details/scanCommitsForSensitiveInfo --- -# Ensure that all the commits are scanned - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description +All Commits are Scanned for Secrets and Credentials + -All Commits are Scanned for Secrets and Credentials - + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ All Commits are Scanned for Secrets and Credentials - How To: [Github Docs](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/securityMdMeetsOpenJSCVD.mdx b/docs/details/securityMdMeetsOpenJSCVD.mdx index b7557f9..b34325a 100644 --- a/docs/details/securityMdMeetsOpenJSCVD.mdx +++ b/docs/details/securityMdMeetsOpenJSCVD.mdx @@ -5,17 +5,19 @@ title: Ensure Security.md Meets OpenJS CVD Guidelines slug: /details/securityMdMeetsOpenJSCVD --- -# Ensure Security.md Meets OpenJS CVD Guidelines - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description +Security.md Meets OpenJS CVD Guidelines + -Security.md Meets OpenJS CVD Guidelines - + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ Security.md Meets OpenJS CVD Guidelines - Sources: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/softwareArchitectureDocs.mdx b/docs/details/softwareArchitectureDocs.mdx index 3eda4d8..e11aebb 100644 --- a/docs/details/softwareArchitectureDocs.mdx +++ b/docs/details/softwareArchitectureDocs.mdx 
@@ -5,17 +5,19 @@ title: Document Software Architecture slug: /details/softwareArchitectureDocs --- -# Document Software Architecture - ## Use Case + - Incubating: deferrable - Active: expected - Retiring: n/a + + ## Description - [For Projects with Two or more Maintainers] Document Software Architecture + + ## Details - Implementation Status: pending - C-SCRM: false @@ -24,4 +26,4 @@ slug: /details/softwareArchitectureDocs - Sources: [OpenSSF Best Practices Badge Silver Level [documentation_architecture]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.documentation_architecture) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/softwareDesignTraining.mdx b/docs/details/softwareDesignTraining.mdx index c6581dd..b0ba181 100644 --- a/docs/details/softwareDesignTraining.mdx +++ b/docs/details/softwareDesignTraining.mdx @@ -5,17 +5,19 @@ title: Training on Secure Software Design slug: /details/softwareDesignTraining --- -# Training on Secure Software Design - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - At least One Primary Maintainer has taken TBD Training on Secure Software Design + + ## Details - Implementation Status: pending - C-SCRM: false @@ -24,4 +26,4 @@ At least One Primary Maintainer has taken TBD Training on Secure Software Design - Sources: [OpenSSF Best Practices Badge Passing Level [know_secure_design]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#0.know_secure_design) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/staticAppSecTesting.mdx b/docs/details/staticAppSecTesting.mdx index 8636785..cde9980 100644 --- a/docs/details/staticAppSecTesting.mdx +++ b/docs/details/staticAppSecTesting.mdx 
@@ -5,17 +5,19 @@ title: Use Static Application Security Testing for All Commits slug: /details/staticAppSecTesting --- -# Use Static Application Security Testing for All Commits - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - All Commits are Scanned by a Static Application Security Testing Tool + + ## Details - Implementation Status: pending - C-SCRM: false @@ -25,4 +27,4 @@ All Commits are Scanned by a Static Application Security Testing Tool - How To: [CodeQL Docs](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/staticCodeAnalysis.mdx b/docs/details/staticCodeAnalysis.mdx index 45ac327..32b8d5c 100644 --- a/docs/details/staticCodeAnalysis.mdx +++ b/docs/details/staticCodeAnalysis.mdx @@ -5,17 +5,19 @@ title: Use Automated Static Code Analysis Tools slug: /details/staticCodeAnalysis --- -# Use Automated Static Code Analysis Tools - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Use an Automated Static Code Analysis Tool (eg: ESLInt) + + ## Details - Implementation Status: pending - C-SCRM: false @@ -25,4 +27,4 @@ Use an Automated Static Code Analysis Tool (eg: ESLInt) - How To: [ESLint Docs](https://eslint.org/docs/latest/use/getting-started#installation-and-usage) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/twoOrMoreOwnersForAccess.mdx b/docs/details/twoOrMoreOwnersForAccess.mdx index 4741086..d06ffc7 100644 --- a/docs/details/twoOrMoreOwnersForAccess.mdx +++ b/docs/details/twoOrMoreOwnersForAccess.mdx 
@@ -5,17 +5,19 @@ title: Configure Two or more Owners for Access Continuity slug: /details/twoOrMoreOwnersForAccess --- -# Configure Two or more Owners for Access Continuity - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/twoOrMoreOwnersForAccess - How To: [Github Docs](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/upToDateDefaultBranchBeforeMerge.mdx b/docs/details/upToDateDefaultBranchBeforeMerge.mdx index 3c1f50c..e057a4d 100644 --- a/docs/details/upToDateDefaultBranchBeforeMerge.mdx +++ b/docs/details/upToDateDefaultBranchBeforeMerge.mdx @@ -5,17 +5,19 @@ title: Require Default Branch Updates Before Merging slug: /details/upToDateDefaultBranchBeforeMerge --- -# Require Default Branch Updates Before Merging - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Default Branch must be Up to Date before Merging + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ Default Branch must be Up to Date before Merging - How To: [Github Docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/upgradePathDocs.mdx b/docs/details/upgradePathDocs.mdx index 740bf3c..342f7ed 100644 --- a/docs/details/upgradePathDocs.mdx +++ b/docs/details/upgradePathDocs.mdx 
@@ -5,17 +5,19 @@ title: Support Older Versions or Provide Upgrade Paths slug: /details/upgradePathDocs --- -# Support Older Versions or Provide Upgrade Paths - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - Commonly Used Older Versions Supported or Upgrade Path Provided/Documented + + ## Details - Implementation Status: pending - C-SCRM: true @@ -23,4 +25,4 @@ Commonly Used Older Versions Supported or Upgrade Path Provided/Documented - Sources: [OpenSSF Best Practices Badge Silver Level [maintenance_or_update]](https://www.bestpractices.dev/en/criteria?details=true&rationale=true#1.maintenance_or_update) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/useCVDToolForVulns.mdx b/docs/details/useCVDToolForVulns.mdx index 4239e70..4b2ebe5 100644 --- a/docs/details/useCVDToolForVulns.mdx +++ b/docs/details/useCVDToolForVulns.mdx @@ -5,17 +5,19 @@ title: Use CVD Tools to Manage Vulnerability Reports slug: /details/useCVDToolForVulns --- -# Use CVD Tools to Manage Vulnerability Reports - ## Use Case + - Incubating: expected - Active: expected - Retiring: expected + + ## Description - Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR) + + ## Details - Implementation Status: pending - C-SCRM: false @@ -24,4 +26,4 @@ Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability - How To: [Github Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/useHwKeyGithubAccess.mdx b/docs/details/useHwKeyGithubAccess.mdx index 3cf799f..f696223 100644 --- a/docs/details/useHwKeyGithubAccess.mdx +++ b/docs/details/useHwKeyGithubAccess.mdx 
@@ -5,17 +5,19 @@ title: Use AAL2/3 Passkeys for GitHub Access slug: /details/useHwKeyGithubAccess --- -# Use AAL2/3 Passkeys for GitHub Access - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - {"url":"http://github.com/","description":"Github.com"} + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ slug: /details/useHwKeyGithubAccess - How To: [Github Docs](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-passkey) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/useHwKeyGithubNonInteractive.mdx b/docs/details/useHwKeyGithubNonInteractive.mdx index 1c4a1c6..6a4b2aa 100644 --- a/docs/details/useHwKeyGithubNonInteractive.mdx +++ b/docs/details/useHwKeyGithubNonInteractive.mdx @@ -5,17 +5,19 @@ title: Use AAL2/3 Passkeys for Non-Interactive GitHub Access slug: /details/useHwKeyGithubNonInteractive --- -# Use AAL2/3 Passkeys for Non-Interactive GitHub Access - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activat - How To: [Github Docs](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/useHwKeyOtherContexts.mdx b/docs/details/useHwKeyOtherContexts.mdx index f1258c7..e68d1e8 100644 --- a/docs/details/useHwKeyOtherContexts.mdx 
+++ b/docs/details/useHwKeyOtherContexts.mdx @@ -5,17 +5,19 @@ title: Use AAL2/3 Passkeys in All Other Contexts slug: /details/useHwKeyOtherContexts --- -# Use AAL2/3 Passkeys in All Other Contexts - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics + + ## Details - Implementation Status: pending - C-SCRM: true @@ -24,4 +26,4 @@ All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates u - Sources: [OpenSSF Great MFA Project Security Rationale](https://github.com/ossf/great-mfa-project/blob/main/security-rationale.md) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/verifiedActionsOnly.mdx b/docs/details/verifiedActionsOnly.mdx index e98a8f5..b894959 100644 --- a/docs/details/verifiedActionsOnly.mdx +++ b/docs/details/verifiedActionsOnly.mdx @@ -5,17 +5,19 @@ title: Limit GitHub Actions to Verified or Trusted Actions slug: /details/verifiedActionsOnly --- -# Limit GitHub Actions to Verified or Trusted Actions - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions - How To: [Github Docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/vulnResponse14Days.mdx b/docs/details/vulnResponse14Days.mdx index 6e04d5a..bbdfef0 100644 --- a/docs/details/vulnResponse14Days.mdx 
+++ b/docs/details/vulnResponse14Days.mdx @@ -5,17 +5,19 @@ title: Respond to External Vulnerability Reports in Under 14 Days slug: /details/vulnResponse14Days --- -# Respond to External Vulnerability Reports in Under 14 Days - ## Use Case + - Incubating: expected - Active: expected - Retiring: n/a + + ## Description - All External Vulnerability Reports Responded to <14 Days + + ## Details - Implementation Status: pending - C-SCRM: false @@ -23,4 +25,4 @@ All External Vulnerability Reports Responded to <14 Days - Sources: [OpenSSF Best Practices Badge Passing Level [vulnerability_report_response]](https://www.bestpractices.dev/en/criteria#0.vulnerability_report_response) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/details/workflowSecurityScanner.mdx b/docs/details/workflowSecurityScanner.mdx index a7ebade..03885bf 100644 --- a/docs/details/workflowSecurityScanner.mdx +++ b/docs/details/workflowSecurityScanner.mdx @@ -5,17 +5,19 @@ title: Use Workflow Security Scanners slug: /details/workflowSecurityScanner --- -# Use Workflow Security Scanners - ## Use Case + - Incubating: recommended - Active: recommended - Retiring: recommended + + ## Description - Use a Workflow Security Scanner + + ## Details - Implementation Status: pending - C-SCRM: true @@ -25,4 +27,4 @@ Use a Workflow Security Scanner - How To: [Step Security secure-repo](https://github.com/step-security/secure-repo) - Created at 2024-12-07T23:06:38.197Z - Updated at 2024-12-07T23:06:38.197Z - + diff --git a/docs/implementation/active.mdx b/docs/implementation/active.mdx index ab516a8..5a50e69 100644 --- a/docs/implementation/active.mdx +++ b/docs/implementation/active.mdx @@ -5,6 +5,7 @@ title: Active slug: /implementations/active --- + ## Expected 
@@ -63,7 +64,7 @@ slug: /implementations/active | 10. Dependency Inventory | Provide Machine-Readable Dependency Lists | P14 | [details](/details/machineReadableDependencies) | | 10. Dependency Inventory | Uniquely Identify Modified Dependencies | P14 | [details](/details/identifyModifiedDependencies) | | 5. Vulnerability Management | Refresh Dependencies with Annual Releases | P14 | [details](/details/annualDependencyRefresh) | - + ## Recommended @@ -89,4 +90,5 @@ slug: /implementations/active | 2. User Account Permissions | Limit GitHub Repo Admins to Fewer Than Three | R7 | [details](/details/limitRepoAdmins) | | 5. Vulnerability Management | Patch Critical/High Vulnerabilities in 14 Days | R8 | [details](/details/patchExploitableHighVulns14Days) | | 5. Vulnerability Management | Patch Non-Critical Vulnerabilities in 60 Days | R8 | [details](/details/patchExploitableNoncCriticalVulns60Days) | - \ No newline at end of file + + diff --git a/docs/implementation/incubating.mdx b/docs/implementation/incubating.mdx index 765d56c..9b9fe74 100644 --- a/docs/implementation/incubating.mdx +++ b/docs/implementation/incubating.mdx @@ -5,6 +5,7 @@ title: Incubating slug: /implementations/incubating --- + ## Expected @@ -59,7 +60,7 @@ slug: /implementations/incubating | 10. Dependency Inventory | Provide Machine-Readable Dependency Lists | P14 | [details](/details/machineReadableDependencies) | | 10. Dependency Inventory | Uniquely Identify Modified Dependencies | P14 | [details](/details/identifyModifiedDependencies) | | 5. Vulnerability Management | Refresh Dependencies with Annual Releases | P14 | [details](/details/annualDependencyRefresh) | - + ## Deferrable 
@@ -69,7 +70,7 @@ slug: /implementations/incubating | 8. Code Review | Document Software Architecture | P12 | [details](/details/softwareArchitectureDocs) | | 9. Source Control | Automate CI/CD Steps in Code-Based Pipelines | P12 | [details](/details/ciAndCdPipelineAsCode) | | 4. Github Workflows | Pin Actions with Secrets to Full-Length Commit SHAs | P13 | [details](/details/pinActionsToSHA) | - + ## Recommended @@ -94,4 +95,5 @@ slug: /implementations/incubating | 2. User Account Permissions | Limit GitHub Repo Admins to Fewer Than Three | R7 | [details](/details/limitRepoAdmins) | | 5. Vulnerability Management | Patch Critical/High Vulnerabilities in 14 Days | R8 | [details](/details/patchExploitableHighVulns14Days) | | 5. Vulnerability Management | Patch Non-Critical Vulnerabilities in 60 Days | R8 | [details](/details/patchExploitableNoncCriticalVulns60Days) | - \ No newline at end of file + + diff --git a/docs/implementation/retiring.mdx b/docs/implementation/retiring.mdx index 3ae9923..ea89a9e 100644 --- a/docs/implementation/retiring.mdx +++ b/docs/implementation/retiring.mdx @@ -5,6 +5,7 @@ title: Retiring slug: /implementations/retiring --- + ## Expected @@ -42,7 +43,7 @@ slug: /implementations/retiring | 10. Dependency Inventory | Automate Monitoring of Outdated Dependencies | P14 | [details](/details/automateDependencyManagement) | | 10. Dependency Inventory | Provide Machine-Readable Dependency Lists | P14 | [details](/details/machineReadableDependencies) | | 10. Dependency Inventory | Uniquely Identify Modified Dependencies | P14 | [details](/details/identifyModifiedDependencies) | - + ## Recommended 
@@ -62,4 +63,5 @@ slug: /implementations/retiring | 9. Source Control | Require Approved PRs for Mainline Commits (Two+ Maintainers) | R6 | [details](/details/requirePRApprovalForMainline) | | 2. User Account Permissions | Limit GitHub Org Owners to Fewer Than Three | R7 | [details](/details/limitOrgOwners) | | 2. User Account Permissions | Limit GitHub Repo Admins to Fewer Than Three | R7 | [details](/details/limitRepoAdmins) | - \ No newline at end of file + + diff --git a/package-lock.json b/package-lock.json index e5e0167..947ccf6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,6 +14,7 @@ "@docusaurus/preset-classic": "2.0.0-beta.14", "@mdx-js/react": "1.6.21", "@snyk/protect": "1.893.0", + "@ulisesgascon/text-tags-manager": "2.0.0", "clsx": "1.1.1", "husky": "7.0.4", "jest": "27.5.1", @@ -4178,6 +4179,14 @@ "resolved": "https://registry.npmjs.org/@types/yargs-parser/-/yargs-parser-21.0.3.tgz", "integrity": "sha512-I4q9QU9MQv4oEOz4tAHJtNz1cwuLxn2F3xcc2iV5WdqLPpUnj30aUuxt1mAxYTG+oe8CZMV/+6rU4S4gRDzqtQ==" }, + "node_modules/@ulisesgascon/text-tags-manager": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@ulisesgascon/text-tags-manager/-/text-tags-manager-2.0.0.tgz", + "integrity": "sha512-H0x8ut2O//hFYDaalfXA3wYobBXXeY+jq2z5Hj4xvhcOY7gB+yFVI+2OBR8wehpcOWoHytGCO6YhBKgfEfr1WQ==", + "engines": { + "node": ">=18.0.0" + } + }, "node_modules/@webassemblyjs/ast": { "version": "1.12.1", "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.12.1.tgz", diff --git a/package.json b/package.json index 0f2d070..0da2570 100644 --- a/package.json +++ b/package.json @@ -29,6 +29,7 @@ "@docusaurus/preset-classic": "2.0.0-beta.14", "@mdx-js/react": "1.6.21", "@snyk/protect": "1.893.0", + "@ulisesgascon/text-tags-manager": "2.0.0", "clsx": "1.1.1", "husky": "7.0.4", "jest": "27.5.1", diff --git a/scripts/populate-details.js b/scripts/populate-details.js index 6f1b616..a3132a1 100644 --- a/scripts/populate-details.js 
+++ b/scripts/populate-details.js @@ -1,7 +1,18 @@ -const { writeFileSync } = require('fs') +const { writeFileSync, existsSync, readFileSync } = require('fs') +const { updateOrCreateSegment } = require('@ulisesgascon/text-tags-manager') const path = require('path') const checks = require('../data/checks.json') +const levelsStartTag = '' +const levelsEndTag = '' +const descriptionStartTag = '' +const descriptionEndTag = '' +const detailsStartTag = '' +const detailsEndTag = '' +// @TODO: Move this function to a shared file +const replaceMetadata = (fileContent, metadata) => { + return fileContent.replace(/---[^]*?---/, metadata) +} const addImplementationDetails = (check) => { if (!check.implementation_type) { 
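Review bot: The pattern in `replaceMetadata`, `/---[^]*?---/`, is unanchored, so on a file that has lost or never had front matter it would swap the first `---`…`---` span found anywhere in the body (a markdown horizontal rule, for example) for the metadata block; anchoring it, `return fileContent.replace(/^---[^]*?---/, metadata)`, limits the rewrite to a front-matter block at the start of the file. The function is declared identically in the `@@ -1,13 +1,21 @@` hunk of scripts/populate-implementations.js, which the @TODO already acknowledges, and the anchor applies there too. A one-line contract comment would also help readers of both copies: `// Replace the YAML front matter (--- ... ---) at the top of the file with the generated metadata; returns the new string`.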
@@ -48,32 +59,70 @@ const renderDetails = (check) => { content += `${howToDetails}\n` } content += `- Created at ${check.created_at}\n` - content += `- Updated at ${check.updated_at}\n` + content += `- Updated at ${check.updated_at}` return content } // Prepare the markdown files checks.forEach((check, index) => { - const fileContent = `--- + const metadata = `--- sidebar_position: ${index + 1} id: ${check.id} title: ${check.title} slug: /details/${check.code_name} ---- - -# ${check.title} - -## Use Case +---`.trim() + const levelsContent = ` - Incubating: ${check.level_incubating_status} - Active: ${check.level_active_status} - Retiring: ${check.level_retiring_status} +`.trim() + const descriptionContent = `## Description +${check.description}`.trim() + const detailsContent = renderDetails(check) -## Description + let fileContent = `${metadata} -${check.description} +## Use Case +${levelsStartTag} +${levelsContent} +${levelsEndTag} -${renderDetails(check)} +${descriptionStartTag} +${descriptionContent} +${descriptionEndTag} + +${detailsStartTag} +${detailsContent} +${detailsContent} ` - const detination = path.join(process.cwd(), `docs/details/${check.code_name}.mdx`) - writeFileSync(detination, fileContent) + const updateContent = (currentContent) => { + fileContent = currentContent + replaceMetadata(fileContent, metadata) + fileContent = updateOrCreateSegment({ + original: fileContent, + replacementSegment: levelsContent, + startTag: levelsStartTag, + endTag: levelsEndTag + }) + fileContent = updateOrCreateSegment({ + original: fileContent, + replacementSegment: descriptionContent, + startTag: descriptionStartTag, + endTag: descriptionEndTag + }) + fileContent = updateOrCreateSegment({ + original: fileContent, + replacementSegment: detailsContent, + startTag: detailsStartTag, + endTag: detailsEndTag + }) + } + + const destination = path.join(process.cwd(), `docs/details/${check.code_name}.mdx`) + const fileExists = existsSync(destination) + if (fileExists) { + 
const currentFileContent = readFileSync(destination, 'utf8') + updateContent(currentFileContent) + } + writeFileSync(destination, fileContent) }) diff --git a/scripts/populate-implementations.js b/scripts/populate-implementations.js index d01f024..edea85b 100644 --- a/scripts/populate-implementations.js +++ b/scripts/populate-implementations.js @@ -1,13 +1,21 @@ -const { writeFileSync } = require('fs') +const { writeFileSync, existsSync, readFileSync } = require('fs') +const { updateOrCreateSegment } = require('@ulisesgascon/text-tags-manager') const path = require('path') const checks = require('../data/checks.json') +const listStartTag = '' +const listEndTag = '' const projectStatus = ['incubating', 'active', 'retiring'] const implementationPriority = ['expected', 'deferrable', 'recommended'] const data = {} const files = {} +// @TODO: Move this function to a shared file const capitalizeWords = str => str.split(' ').map(w => w[0].toUpperCase() + w.slice(1).toLowerCase()).join(' ') +// @TODO: Move this function to a shared file +const replaceMetadata = (fileContent, metadata) => { + return fileContent.replace(/---[^]*?---/, metadata) +} // Basic structure of the data object projectStatus.forEach(status => { @@ -20,7 +28,7 @@ projectStatus.forEach(status => { // Populate the data object checks -// @TODO: Remove this sort when the checks.json is sorted when generated in the dashboard script + // @TODO: Remove this sort when the checks.json is sorted when generated in the dashboard script .sort((a, b) => a.id - b.id) .forEach(item => projectStatus.forEach(status => { 
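Review bot: The call `replaceMetadata(fileContent, metadata)` inside `updateContent` discards its result, and because `String.prototype.replace` returns a new string, the front matter of an existing file is never overwritten — title, id or sidebar_position changes in checks.json will not reach already-generated pages, and the README's rule that metadata is not manually editable is not enforced by the script. It should be assigned: `fileContent = replaceMetadata(currentContent, metadata)`. Separately, the fresh-file template as printed in this hunk interpolates `${detailsContent}` twice and never emits `${detailsEndTag}`, so a file created on a first run has no closing details marker for the next run's `updateOrCreateSegment` to find; the second occurrence looks like it should read `${detailsEndTag}`. The same discarded `replaceMetadata` return appears in the `@@ -39,25 +47,44 @@` hunk of scripts/populate-implementations.js.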
@@ -39,25 +47,44 @@ const addRow = (item) => `| ${item.section_number}. ${capitalizeWords(item.secti // Prepare the markdown files projectStatus.forEach((status, index) => { - let fileContent = `--- + const metadata = `--- sidebar_position: ${index + 1} id: ${status} title: ${status.charAt(0).toUpperCase() + status.slice(1)} slug: /implementations/${status} ---- - -` - - fileContent += implementationPriority.map(priority => { +---`.trim() + const listContent = implementationPriority.map(priority => { if (data[status][priority].length === 0) return '' return ` ## ${priority.charAt(0).toUpperCase() + priority.slice(1)} ${addHeader()} ${data[status][priority].map(addRow).join('\n')} - ` +` }).join('\n') + let fileContent = `${metadata} + +${listStartTag} +${listContent} +${listEndTag} +` + const updateContent = (currentContent) => { + fileContent = currentContent + replaceMetadata(fileContent, metadata) + fileContent = updateOrCreateSegment({ + original: fileContent, + replacementSegment: listContent, + startTag: listStartTag, + endTag: listEndTag + }) + } + const destination = path.join(process.cwd(), `docs/implementation/${status}.mdx`) + const fileExists = existsSync(destination) + if (fileExists) { + const currentFileContent = readFileSync(destination, 'utf8') + updateContent(currentFileContent) + } writeFileSync(destination, fileContent) })
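Review bot: `updateContent` works by reassigning the enclosing `let fileContent` as a side effect rather than returning the merged string, which makes the data flow at the call site (`updateContent(currentFileContent)` followed by `writeFileSync(destination, fileContent)`) hard to follow and is what let the unused return value on the `replaceMetadata` line go unnoticed. Returning the result and writing `fileContent = updateContent(currentFileContent)` keeps `fileContent` the single source of what is written to disk. The `existsSync` followed by `readFileSync` pair could likewise be a single `readFileSync` inside a try/catch that falls back to the fresh template only when `err.code === 'ENOENT'`, so any other read error surfaces instead of being treated as "file absent".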