Retiring

Expected

Section	Item	Priority Group	Details
7. Code Quality	Training on Secure Software Design	P0	details
7. Code Quality	Training on OWASP Top 10 or Equivalent	P0	details
1. User Authentication	Enforce MFA in GitHub Organization(s)	P1	details
1. User Authentication	Enforce MFA in npm Organization(s)	P1	details
1. User Authentication	Enforce MFA in all the tools	P1	details
1. User Authentication	Use MFA against impersonation	P1	details
3. Service Authentication	Check sensitive information	P2	details
3. Service Authentication	Ensure that the secrets are injected at runtime	P2	details
1. User Authentication	Use SSH Keys with Passphrases for Repository Access	P3	details
3. Service Authentication	Publish to npm Using MFA-Enabled Accounts	P3	details
3. Service Authentication	Secure GitHub Webhooks with Secrets	P3	details
2. User Account Permissions	Restrict Default GitHub Org Member Permissions	P4	details
2. User Account Permissions	Allow Only Admins to Create Public Repositories	P4	details
2. User Account Permissions	Prevent Admins from Bypassing Branch Protection	P4	details
2. User Account Permissions	Define Roles Aligned to Functional Responsibilities	P4	details
2. User Account Permissions	Define Teams/Individuals with Write Access to Repositories	P4	details
2. User Account Permissions	Configure Two or more Owners for Access Continuity	P4	details
11. Dependency Management	Automate Dependency Vulnerability Identification	P6	details
6. Coordinated Vulnerability Disclosure	Ensure Security.md Meets OpenJS CVD Guidelines	P7	details
6. Coordinated Vulnerability Disclosure	Use CVD Tools to Manage Vulnerability Reports	P7	details
6. Coordinated Vulnerability Disclosure	Define Clear Communication and Incident Response Plans	P7	details
6. Coordinated Vulnerability Disclosure	Assign CVEs to All Known Security Vulnerabilities	P7	details
6. Coordinated Vulnerability Disclosure	Include CVE IDs in Release Notes for Security Fixes	P7	details
4. Github Workflow Permissions	Prevent Workflows from Creating or Approving PRs	P9	details
9. Source Control	Disable Force Push on Default Branch	P9	details
9. Source Control	Prevent Deletion of Default Branch	P9	details
9. Source Control	Require Default Branch Updates Before Merging	P9	details
4. Github Workflows	Disable Self-Hosted Runners in GitHub Org	P10	details
4. Github Workflows	Limit Workflow Write Permissions to Job-Level	P11	details
10. Dependency Inventory	Automate Monitoring of Outdated Dependencies	P14	details
10. Dependency Inventory	Provide Machine-Readable Dependency Lists	P14	details
10. Dependency Inventory	Uniquely Identify Modified Dependencies	P14	details

Section	Item	Priority Group	Details
1. User Authentication	Use AAL2/3 Passkeys for GitHub Access	R1	details
1. User Authentication	Use AAL2/3 Passkeys for Non-Interactive GitHub Access	R1	details
1. User Authentication	Use AAL2/3 Passkeys in All Other Contexts	R1	details
4. Github Workflows	Require Approval for Forked Workflow Changes	R2	details
4. Github Workflows	Use Workflow Security Scanners	R2	details
4. Github Workflows	Use GitHub Runner Security Scanners	R2	details
9. Source Control	Require Pull Requests Before Merging	R4	details
9. Source Control	Enforce Commit Signoff for Web-Based Commits	R4	details
9. Source Control	Require Signed Commits	R4	details
10. Dependency Inventory	Include package-lock.json in Releases (Freestanding Apps)	R5	details
9. Source Control	Require Approved PRs for Mainline Commits (Two+ Maintainers)	R6	details
2. User Account Permissions	Limit GitHub Org Owners to Fewer Than Three	R7	details
2. User Account Permissions	Limit GitHub Repo Admins to Fewer Than Three	R7	details

Expected​

Recommended​

Expected

Recommended