| Category | Requirement | Priority Group |
|---|---|---|
| 7. Code Quality | At least One Primary Maintainer has taken TBD Training on Secure Software Design | 0 |
| 7. Code Quality | At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent | 0 |
| 1. User Authentication | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization | 1 |
| 1. User Authentication | Multi-Factor Authentication (MFA) Enforced Across the npm Organization | 1 |
| 1. User Authentication | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible | 1 |
| 1. User Authentication | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | 1 |
| 3. Service Authentication | No Secrets or Credentials in Source Code | 2 |
| 3. Service Authentication | Secrets are Injected at Runtime, e.g., as Environment Variables or as a File (e.g., use GitHub Secrets) | 2 |
| 7. Code Quality | All Commits are Scanned for Secrets and Credentials | 2 |
| 7. Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging | 2 |
| 1. User Authentication | Use SSH Keys for Developer Access to Source Code Repositories, and Protect Them with a Passphrase | 3 |
| 3. Service Authentication | Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens | 3 |
| 3. Service Authentication | GitHub Webhooks Use Secrets | 3 |
| 2. User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted | 4 |
| 2. User Account Permissions | Only Admins Should Be Able To Create Public Repositories | 4 |
| 2. User Account Permissions | [For Projects with Two or more Admins] Do not Allow Admins to Bypass Branch Protection Settings | 4 |
| 2. User Account Permissions | Define Roles Aligned to Functional Responsibilities | 4 |
| 2. User Account Permissions | Define the Individuals/Teams Who Have Write Access to a GitHub Repo | 4 |
| 2. User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity | 4 |
| 5. Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days | 5 |
| 5. Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days | 5 |
| 11. Dependency Management | An Automated Process Identifies Dependencies with Publicly Disclosed Vulnerabilities | 6 |
| 7. Code Quality | Use an Automated Static Code Analysis Tool (e.g., ESLint) | 6 |
| 7. Code Quality | Compiler/Linter Warnings Addressed in Order to Merge | 6 |
| 7. Code Quality | All Commits are Scanned by a Static Application Security Testing Tool | 6 |
| 7. Code Quality | All Required Commit Status Checks must Pass before Merging | 6 |
| 7. Code Quality | Security.md Meets OpenJS CVD Guidelines | 7 |
| 6. Coordinated Vulnerability Disclosure | Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (e.g., H1/GH PVR) | 7 |
| 6. Coordinated Vulnerability Disclosure | All External Vulnerability Reports Responded to in Under 14 Days | 7 |
| 6. Coordinated Vulnerability Disclosure | Establish a Clear Communication and Incident Response Plan | 7 |
| 6. Coordinated Vulnerability Disclosure | All Known Security Vulnerabilities are Issued a CVE | 7 |
| 6. Coordinated Vulnerability Disclosure | Release Notes must Include the CVE ID of Patched Security Vulnerabilities | 7 |
| 4. GitHub Workflow Permissions | GitHub Org Default Workflow Token Permissions are Set to Read-Only | 9 |
| 4. GitHub Workflow Permissions | Workflows are not Allowed To Create or Approve Pull Requests | 9 |
| 9. Source Control | Prevent Force Push on Default Branch | 9 |
| 9. Source Control | Prevent Default Branch Deletion | 9 |
| 9. Source Control | Default Branch must be Up to Date before Merging | 9 |
| 4. GitHub Workflow Permissions | GitHub Organization Secrets are Restricted to Selected Repositories | 10 |
| 4. GitHub Workflow Permissions | GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions | 10 |
| 4. GitHub Workflows | Disable Use of Self-Hosted Runners in the GitHub Org | 10 |
| 4. GitHub Workflows | Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script | 11 |
| 4. GitHub Workflows | Only Grant Workflows Write Permissions at the Job Level | 11 |
| 4. GitHub Workflows | Avoid Script Injection from Untrusted Context Variables | 11 |
| 4. GitHub Workflow Permissions | A Consistent and Automated Build Process is Documented and Used | 12 |
| 5. Vulnerability Management | Commonly Used Older Versions Supported, or an Upgrade Path Provided/Documented | 12 |
| 10. Dependency Inventory | An Automated Process is Used to Monitor for and Maintain a List of Out-of-Date Dependencies | 14 |
| 10. Dependency Inventory | [Freestanding Applications Only] A Machine-Readable List of all Direct and Transitive Dependencies is Available for the Software | 14 |
| 10. Dependency Inventory | Modified Dependencies are Uniquely Identified and Distinct from the Origin Dependency | 14 |
| 5. Vulnerability Management | A New Release to Refresh Dependencies Occurs at least Annually | 14 |