7. Code Quality | Training on Secure Software Design | P0 | details |
7. Code Quality | Training on OWASP Top 10 or Equivalent | P0 | details |
1. User Authentication | Enforce MFA in GitHub Organization(s) | P1 | details |
1. User Authentication | Enforce MFA in npm Organization(s) | P1 | details |
1. User Authentication | Enforce MFA in all the tools | P1 | details |
1. User Authentication | Use MFA against impersonation | P1 | details |
3. Service Authentication | Check sensitive information | P2 | details |
3. Service Authentication | Ensure that the secrets are injected at runtime | P2 | details |
7. Code Quality | Ensure that all the commits are scanned | P2 | details |
7. Code Quality | Block New Commits with Secrets or Credentials | P2 | details |
1. User Authentication | Use SSH Keys with Passphrases for Repository Access | P3 | details |
3. Service Authentication | Publish to npm Using MFA-Enabled Accounts | P3 | details |
3. Service Authentication | Secure GitHub Webhooks with Secrets | P3 | details |
2. User Account Permissions | Restrict Default GitHub Org Member Permissions | P4 | details |
2. User Account Permissions | Allow Only Admins to Create Public Repositories | P4 | details |
2. User Account Permissions | Prevent Admins from Bypassing Branch Protection | P4 | details |
2. User Account Permissions | Define Roles Aligned to Functional Responsibilities | P4 | details |
2. User Account Permissions | Define Teams/Individuals with Write Access to Repositories | P4 | details |
2. User Account Permissions | Configure Two or more Owners for Access Continuity | P4 | details |
5. Vulnerability Management | Patch Actively Exploited Critical Vulnerabilities within 30 Days | P5 | details |
5. Vulnerability Management | Patch Non-Critical Vulnerabilities within 90 Days | P5 | details |
11. Dependency Management | Automate Dependency Vulnerability Identification | P6 | details |
7. Code Quality | Use Automated Static Code Analysis Tools | P6 | details |
7. Code Quality | Address Compiler/Linter Warnings Before Merging | P6 | details |
7. Code Quality | Use Static Application Security Testing for All Commits | P6 | details |
7. Code Quality | Require Commit Status Checks to Pass Before Merging | P6 | details |
6. Coordinated Vulnerability Disclosure | Ensure Security.md Meets OpenJS CVD Guidelines | P7 | details |
6. Coordinated Vulnerability Disclosure | Use CVD Tools to Manage Vulnerability Reports | P7 | details |
6. Coordinated Vulnerability Disclosure | Respond to External Vulnerability Reports in Under 14 Days | P7 | details |
6. Coordinated Vulnerability Disclosure | Define Clear Communication and Incident Response Plans | P7 | details |
6. Coordinated Vulnerability Disclosure | Assign CVEs to All Known Security Vulnerabilities | P7 | details |
6. Coordinated Vulnerability Disclosure | Include CVE IDs in Release Notes for Security Fixes | P7 | details |
4. Github Workflow Permissions | Set Default GitHub Workflow Token Permissions to Read Only | P9 | details |
4. Github Workflow Permissions | Prevent Workflows from Creating or Approving PRs | P9 | details |
9. Source Control | Disable Force Push on Default Branch | P9 | details |
9. Source Control | Prevent Deletion of Default Branch | P9 | details |
9. Source Control | Require Default Branch Updates Before Merging | P9 | details |
4. Github Workflows | Restrict GitHub Org Secrets to Specific Repositories | P10 | details |
4. Github Workflows | Limit GitHub Actions to Verified or Trusted Actions | P10 | details |
4. Github Workflows | Disable Self-Hosted Runners in GitHub Org | P10 | details |
4. Github Workflows | Restrict Build Pipeline Code Execution to Build Scripts | P11 | details |
4. Github Workflows | Limit Workflow Write Permissions to Job-Level | P11 | details |
4. Github Workflows | Avoid Script Injection from Untrusted Variables | P11 | details |
4. Github Workflows | Document Consistent and Automated Build Processes | P12 | details |
5. Vulnerability Management | Support Older Versions or Provide Upgrade Paths | P12 | details |
10. Dependency Inventory | Automate Monitoring of Outdated Dependencies | P14 | details |
10. Dependency Inventory | Provide Machine-Readable Dependency Lists | P14 | details |
10. Dependency Inventory | Uniquely Identify Modified Dependencies | P14 | details |
5. Vulnerability Management | Refresh Dependencies with Annual Releases | P14 | details |