Active

Expected

Section	Item	Priority Group	Details
7. Code Quality	Training on Secure Software Design	P0	details
7. Code Quality	Training on OWASP Top 10 or Equivalent	P0	details
1. User Authentication	Enforce MFA in GitHub Organization(s)	P1	details
1. User Authentication	Enforce MFA in npm Organization(s)	P1	details
1. User Authentication	Enforce MFA in all the tools	P1	details
1. User Authentication	Use MFA against impersonation	P1	details
3. Service Authentication	Check sensitive information	P2	details
3. Service Authentication	Ensure that the secrets are injected at runtime	P2	details
7. Code Quality	Ensure that all the commits are scanned	P2	details
7. Code Quality	Block New Commits with Secrets or Credentials	P2	details
1. User Authentication	Use SSH Keys with Passphrases for Repository Access	P3	details
3. Service Authentication	Publish to npm Using MFA-Enabled Accounts	P3	details
3. Service Authentication	Secure GitHub Webhooks with Secrets	P3	details
2. User Account Permissions	Restrict Default GitHub Org Member Permissions	P4	details
2. User Account Permissions	Allow Only Admins to Create Public Repositories	P4	details
2. User Account Permissions	Prevent Admins from Bypassing Branch Protection	P4	details
2. User Account Permissions	Define Roles Aligned to Functional Responsibilities	P4	details
2. User Account Permissions	Define Teams/Individuals with Write Access to Repositories	P4	details
2. User Account Permissions	Configure Two or more Owners for Access Continuity	P4	details
5. Vulnerability Management	Patch Actively Exploited Critical Vulnerabilities within 30 Days	P5	details
5. Vulnerability Management	Patch Non-Critical Vulnerabilities within 90 Days	P5	details
11. Dependency Management	Automate Dependency Vulnerability Identification	P6	details
7. Code Quality	Use Automated Static Code Analysis Tools	P6	details
7. Code Quality	Address Compiler/Linter Warnings Before Merging	P6	details
7. Code Quality	Use Static Application Security Testing for All Commits	P6	details
7. Code Quality	Require Commit Status Checks to Pass Before Merging	P6	details
6. Coordinated Vulnerability Disclosure	Ensure Security.md Meets OpenJS CVD Guidelines	P7	details
6. Coordinated Vulnerability Disclosure	Use CVD Tools to Manage Vulnerability Reports	P7	details
6. Coordinated Vulnerability Disclosure	Respond to External Vulnerability Reports in Under 14 Days	P7	details
6. Coordinated Vulnerability Disclosure	Define Clear Communication and Incident Response Plans	P7	details
6. Coordinated Vulnerability Disclosure	Assign CVEs to All Known Security Vulnerabilities	P7	details
6. Coordinated Vulnerability Disclosure	Include CVE IDs in Release Notes for Security Fixes	P7	details
7. Code Quality	Create Regression Tests for Bugs and Security Vulnerabilities	P8	details
4. Github Workflow Permissions	Set Default GitHub Workflow Token Permissions to Read Only	P9	details
4. Github Workflow Permissions	Prevent Workflows from Creating or Approving PRs	P9	details
9. Source Control	Disable Force Push on Default Branch	P9	details
9. Source Control	Prevent Deletion of Default Branch	P9	details
9. Source Control	Require Default Branch Updates Before Merging	P9	details
4. Github Workflows	Restrict GitHub Org Secrets to Specific Repositories	P10	details
4. Github Workflows	Limit GitHub Actions to Verified or Trusted Actions	P10	details
4. Github Workflows	Disable Self-Hosted Runners in GitHub Org	P10	details
4. Github Workflows	Restrict Build Pipeline Code Execution to Build Scripts	P11	details
4. Github Workflows	Limit Workflow Write Permissions to Job-Level	P11	details
4. Github Workflows	Avoid Script Injection from Untrusted Variables	P11	details
4. Github Workflows	Document Consistent and Automated Build Processes	P12	details
5. Vulnerability Management	Support Older Versions or Provide Upgrade Paths	P12	details
8. Code Review	Document Software Architecture	P12	details
9. Source Control	Automate CI/CD Steps in Code-Based Pipelines	P12	details
4. Github Workflows	Pin Actions with Secrets to Full-Length Commit SHAs	P13	details
10. Dependency Inventory	Automate Monitoring of Outdated Dependencies	P14	details
10. Dependency Inventory	Provide Machine-Readable Dependency Lists	P14	details
10. Dependency Inventory	Uniquely Identify Modified Dependencies	P14	details
5. Vulnerability Management	Refresh Dependencies with Annual Releases	P14	details

Section	Item	Priority Group	Details
1. User Authentication	Use AAL2/3 Passkeys for GitHub Access	R1	details
1. User Authentication	Use AAL2/3 Passkeys for Non-Interactive GitHub Access	R1	details
1. User Authentication	Use AAL2/3 Passkeys in All Other Contexts	R1	details
4. Github Workflows	Require Approval for Forked Workflow Changes	R2	details
4. Github Workflows	Use Workflow Security Scanners	R2	details
4. Github Workflows	Use GitHub Runner Security Scanners	R2	details
2. User Account Permissions	Require Active Admins in GitHub Org (Activity in 6 Months)	R3	details
2. User Account Permissions	Require Active Members with Write Access (Activity in 6 Months)	R3	details
9. Source Control	Require Pull Requests Before Merging	R4	details
9. Source Control	Enforce Commit Signoff for Web-Based Commits	R4	details
9. Source Control	Require Signed Commits	R4	details
10. Dependency Inventory	Include package-lock.json in Releases (Freestanding Apps)	R5	details
8. Code Review	Require Two-Party Review (Two+ Maintainers)	R6	details
8. Code Review	Require Code Owners Review (Four+ Maintainers)	R6	details
9. Source Control	Require Approved PRs for Mainline Commits (Two+ Maintainers)	R6	details
2. User Account Permissions	Limit GitHub Org Owners to Fewer Than Three	R7	details
2. User Account Permissions	Limit GitHub Repo Admins to Fewer Than Three	R7	details
5. Vulnerability Management	Patch Critical/High Vulnerabilities in 14 Days	R8	details
5. Vulnerability Management	Patch Non-Critical Vulnerabilities in 60 Days	R8	details

Expected​

Recommended​

Expected

Recommended