| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | AD | AE | AF | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Priority Group | Incubating | Active | Retiring | Section | Item | C-SCRM | MITRE | Sources | How To | ||||||||||||||||||||||
2 | 0 | Expected | Expected | Expected | 7. Code Quality | At least One Primary Maintainer has taken TBD Training on Secure Software Design | M1013 | OpenSSF Best Practices Badge Passing Level [know_secure_design] | ||||||||||||||||||||||||
3 | 0 | Expected | Expected | Expected | 7. Code Quality | At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent | M1013 | OpenSSF Best Practices Badge Passing Level [know_common_errors] | ||||||||||||||||||||||||
4 | 1 | Expected | Expected | Expected | 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the Github Organization | Y | CWE-308 M1032 | OpenSSF SCM Best Practices OpenSSF Best Practices Badge Gold Level [require_2FA] | Github Docs | ||||||||||||||||||||||
5 | 1 | Expected | Expected | Expected | 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization | Y | CWE-308 M1032 | OpenSSF npm Best Practices | npm Docs | ||||||||||||||||||||||
6 | 1 | Expected | Expected | Expected | 1. User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible | CWE-308 M1032 | CNCF CNSWP v1.0 | ||||||||||||||||||||||||
7 | 1 | Expected | Expected | Expected | 1. User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | Y | CWE-290 CAPEC-151 T1621 M1032 | OpenSSF Best Practices Badge Gold Level [secure_2FA] | Github Docs | ||||||||||||||||||||||
8 | 2 | Expected | Expected | Expected | 3. Service Authentication | No Secrets and Credentials in Source Code | Y | CWE-540 | OpenSSF Best Practices Badge Passing Level [no_leaked_credentials] | Github Docs | ||||||||||||||||||||||
9 | 2 | Expected | Expected | Expected | 3. Service Authentication | Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets) | Y | CWE-538 | CNCF CNSWP 2.0 #195 | Github Docs | ||||||||||||||||||||||
10 | 2 | Expected | Expected | N/A | 7. Code Quality | All Commits are Scanned for Secrets and Credentials | Y | CWE-540 CAPEC-150 | CNCF SSCP v1.0 #184 | Github Docs | ||||||||||||||||||||||
11 | 2 | Expected | Expected | N/A | 7. Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging | Y | CWE-358 | OpenSSF Best Practices Badge Passing Level [no_leaked_credentials] | Github Docs | ||||||||||||||||||||||
12 | 3 | Expected | Expected | Expected | 1. User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase | Y | CWE-309 | CNCF SSCP v1.0 #192 | Github Docs | ||||||||||||||||||||||
13 | 3 | Expected | Expected | Expected | 3. Service Authentication | Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens | Y | CWE-308 | npm Docs | |||||||||||||||||||||||
14 | 3 | Expected | Expected | Expected | 3. Service Authentication | Github Webhooks Use Secrets | Y | CWE-306 | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
15 | 4 | Expected | Expected | Expected | 2. User Account Permissions | Default Github Org Member Permissions Should Be Restricted | Y | CAPEC-180 M1026 | OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
16 | 4 | Expected | Expected | Expected | 2. User Account Permissions | Only Admins Should Be Able To Create Public Repositories | Y | CAPEC-122 | OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
17 | 4 | Expected | Expected | Expected | 2. User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings | Y | CAPEC-122 | Github Supply Chain Security Best Practices | Github Docs | ||||||||||||||||||||||
18 | 4 | Expected | Expected | Expected | 2. User Account Permissions | Define roles aligned to functional responsibilities | Y | CAPEC-122 M1018 | CNCF SSCP v1.0 #188 OpenSSF Best Practices Badge Silver Level [roles_responsibilities] | Github Docs | ||||||||||||||||||||||
19 | 4 | Expected | Expected | Expected | 2. User Account Permissions | Define Individuals/Teams who Write Access to a Github Repo | Y | CAPEC-180 M1026 | CNCF SSCP v1.0 #185 | Github Docs | ||||||||||||||||||||||
20 | 4 | Expected | Expected | Expected | 2. User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity | Y | M1026 | OpenSSF Best Practices Badge Silver Level [access_continuity] | Github Docs | ||||||||||||||||||||||
21 | 5 | Expected | Expected | N/A | 5. Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days | OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed] Google Project Zero Vulnerability Disclosure Policy | |||||||||||||||||||||||||
22 | 5 | Expected | Expected | N/A | 5. Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days | Google Project Zero Vulnerability Disclosure Policy | |||||||||||||||||||||||||
23 | 6 | Expected | Expected | Expected | 11. Dependency Management | An automated process to identify dependencies with publicly disclosed vulnerabilities | Y | CWE-1395 M1016 | OWASP SCVS L1 5.4 OpenSSF Scorecard OpenSSF Best Practices Badge Passing Level [dependency_monitoring] | Github Docs | ||||||||||||||||||||||
24 | 6 | Expected | Expected | N/A | 7. Code Quality | Use an Automated Static Code Analysis Tool (eg: ESLInt) | CWE-1076 CWE-1078 M1016 | OWASP SCVS L1 5.1 OpenSSF Best Practices Badge Silver Level [coding_standards_enforced] | ESLint Docs | |||||||||||||||||||||||
25 | 6 | Expected | Expected | N/A | 7. Code Quality | Compilers/Linter Warnings Addressed in order to Merge | CWE-1127 | OpenSSF Best Practices Badge Silver Level [warnings_strict] | ESLint Docs | |||||||||||||||||||||||
26 | 6 | Expected | Expected | N/A | 7. Code Quality | All Commits are Scanned by a Static Application Security Testing Tool | CWE-1076 CWE-1078 M1016 | OWASP SCVS L1 6.6 OpenSSF Scorecard OpenSSF Best Practices Badge Gold Level [static_analysis_common_vulnerabilities] OpenSSF Best Practices Badge Gold Level [test_continuous_integration] | CodeQL Docs | |||||||||||||||||||||||
27 | 6 | Expected | Expected | N/A | 7. Code Quality | All Required Commit Status Checks must pass before Merging | Y | CWE-358 | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
28 | 7 | Expected | Expected | Expected | 6. Coordinated Vulnerability Disclosure | Security.md Meets OpenJS CVD Guidelines | OpenSSF Scorecard OpenSSF Best Practices Badge Silver Level [vulnerability_response_process] | OpenJS CVD Guidance | ||||||||||||||||||||||||
29 | 7 | Expected | Expected | Expected | 6. Coordinated Vulnerability Disclosure | Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR) | OpenSSF Best Practices Badge Passing Level [vulnerability_report_private] | Github Docs | ||||||||||||||||||||||||
30 | 7 | Expected | Expected | N/A | 6. Coordinated Vulnerability Disclosure | All External Vulnerability Reports Responded to <14 Days | OpenSSF Best Practices Badge Passing Level [vulnerability_report_response] | |||||||||||||||||||||||||
31 | 7 | Expected | Expected | Expected | 6. Coordinated Vulnerability Disclosure | Establish a Clear Communication and Incident Response Plan | OpenSSF SCM Best Practices | |||||||||||||||||||||||||
32 | 7 | Expected | Expected | Expected | 6. Coordinated Vulnerability Disclosure | All Known Security Vulnerabilities are Issued a CVE | Y | OpenSSF Best Practices Badge Passing Level [release_notes_vulns] | ||||||||||||||||||||||||
33 | 7 | Expected | Expected | Expected | 6. Coordinated Vulnerability Disclosure | Release Notes must Include the CVE ID of Patched Security Vulnerabilities | OpenSSF Best Practices Badge Passing Level [release_notes_vulns] | |||||||||||||||||||||||||
34 | 8 | Deferrable | Expected | N/A | 7. Code Quality | Regression Tests for => 50% of Bugs and 100% of Security Vulns | OpenSSF Best Practices Badge Silver Level [regression_tests_added50] | |||||||||||||||||||||||||
35 | 9 | Expected | Expected | N/A | 4. Github Workflow Permissions | Github Org Default Workflow Token Permissions are Set to Read Only | Y | CWE-250 CAPEC-69 | ||||||||||||||||||||||||
36 | 9 | Expected | Expected | Expected | 4. Github Workflow Permissions | Workflows are not Allowed To Create or Approve Pull Requests | Y | CWE-250 CAPEC-69 | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
37 | 9 | Expected | Expected | Expected | 9. Source Control | Prevent Force Push on Default Branch | Y | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | |||||||||||||||||||||||
38 | 9 | Expected | Expected | Expected | 9. Source Control | Prevent Default Branch Deletion | Y | CWE-267 | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
39 | 9 | Expected | Expected | Expected | 9. Source Control | Default Branch must be Up to Date before Merging | Y | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | |||||||||||||||||||||||
40 | 10 | Expected | Expected | N/A | 4. Github Workflows | GitHub Organization Secrets are Restricted to Selected Repositories | Y | CWE-250 CAPEC-69 | OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
41 | 10 | Expected | Expected | N/A | 4. Github Workflows | GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions | Y | CWE-1357 CAPEC-17 CAPEC-538 CAPEC-446 | OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
42 | 10 | Expected | Expected | Expected | 4. Github Workflows | Disable use of Self-Hosted Runners in Github Org | Y | CAPEC-439 | Github Action Hardening Docs | Github Docs | ||||||||||||||||||||||
43 | 11 | Expected | Expected | N/A | 4. Github Workflows | Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script | Y | CWE-94 CAPEC-19 | OpenSSF Scorecard | |||||||||||||||||||||||
44 | 11 | Expected | Expected | Expected | 4. Github Workflows | Only Allow Workflows Write Permissions at the Job-Level | Y | CWE-250 CAPEC-69 | OpenSSF Scorecard OpenSSF SCM Best Practices | Github Docs | ||||||||||||||||||||||
45 | 11 | Expected | Expected | N/A | 4. Github Workflows | Avoid Script Injection from Untrusted Context Variables | Y | CWE-454 CAPEC-242 | OpenSSF Scorecard | Github Docs | ||||||||||||||||||||||
46 | 12 | Expected | Expected | N/A | 4. Github Workflows | Consistent and Automated Build Process is Documented and Used | Y | CWE-1068 | ||||||||||||||||||||||||
47 | 12 | Expected | Expected | N/A | 5. Vulnerability Management | Commonly Used Older Versions Supported or Upgrade Path Provided/Documented | Y | OpenSSF Best Practices Badge Silver Level [maintenance_or_update] | ||||||||||||||||||||||||
48 | 12 | Deferrable | Expected | N/A | 8. Code Review | [For Projects with Two or more Maintainers] Document Software Architecture | CWE-1053 | OpenSSF Best Practices Badge Silver Level [documentation_architecture] | ||||||||||||||||||||||||
49 | 12 | Deferrable | Expected | N/A | 9. Source Control | CI/CD steps should all be automated through a pipeline defined as code | Y | CNCF SSCP 1.0 #158 | Github Docs | |||||||||||||||||||||||
50 | 13 | Deferrable | Expected | N/A | 4. Github Workflows | Pin Actions with Access to Secrets to a Full Length Commit SHA | Y | CWE-1357 CAPEC-17 CAPEC-538 CAPEC-446 CAPEC-186 | Github Docs | |||||||||||||||||||||||
51 | 14 | Expected | Expected | Expected | 10. Dependency Inventory | Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies | Y | OWASP SCVS L1 5.7 | Socket.Dev | |||||||||||||||||||||||
52 | 14 | Expected | Expected | Expected | 10. Dependency Inventory | [Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software | Y | OWASP SCVS L1 1.3 OpenSSF Best Practices Badge Silver Level [external_dependencies] | Github Docs | |||||||||||||||||||||||
53 | 14 | Expected | Expected | Expected | 10. Dependency Inventory | Modified dependencies are uniquely identified and distinct from origin dependency | Y | OWASP SCVS L2 6.5 | ||||||||||||||||||||||||
54 | 14 | Expected | Expected | N/A | 5. Vulnerability Management | A new release to refresh dependencies occurs at least annually | Y | OpenSSF Best Practices Badge Passing Level [maintained] | ||||||||||||||||||||||||
55 | Rec 1 | Recommended | Recommended | Recommended | 1. User Authentication | Github.com: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Y | CWE-308 M1032 | OpenSSF Great MFA Project Security Rationale NIST SP 800-63Bsup1 | Github Docs | ||||||||||||||||||||||
56 | Rec 1 | Recommended | Recommended | Recommended | 1. User Authentication | Non-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Y | CWE-308 M1032 | OpenSSF Great MFA Project Security Rationale NIST SP 800-63Bsup1 | Github Docs | ||||||||||||||||||||||
57 | Rec 1 | Recommended | Recommended | Recommended | 1. User Authentication | All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometrics | Y | CWE-308 M1032 | OpenSSF Great MFA Project Security Rationale NIST SP 800-63Bsup1 | |||||||||||||||||||||||
58 | Rec 2 | Recommended | Recommended | Recommended | 4. Github Workflows | Limit changes from forks to workflows by requiring approval for all outside collaborators | Y | CAPEC-180 | Github Docs | |||||||||||||||||||||||
59 | Rec 2 | Recommended | Recommended | Recommended | 4. Github Workflows | Use a Workflow Security Scanner | Y | M1047 | OpenSSF Scorecard OpenSSF SCM Best Practices | Step Security secure-repo | ||||||||||||||||||||||
60 | Rec 2 | Recommended | Recommended | Recommended | 4. Github Workflows | Use a Github Runner Security Scanner | Y | M1047 | Github Action Hardening Docs | Step Security harden-runner | ||||||||||||||||||||||
61 | Rec 3 | Recommended | Recommended | N/A | 2. User Account Permissions | Github Organization Admins Should Have Activity In The Last 6 Months | Y | M1026 | OpenSSF SCM Best Practices | |||||||||||||||||||||||
62 | Rec 3 | Recommended | Recommended | N/A | 2. User Account Permissions | Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months | Y | M1026 | OpenSSF SCM Best Practices | |||||||||||||||||||||||
63 | Rec 4 | Recommended | Recommended | Recommended | 9. Source Control | Require Pull Requests before Merging | Y | CWE-778 | OpenSSF Scorecard OpenSSF Best Practices Badge Passing Level [repo_track] | Github Docs | ||||||||||||||||||||||
64 | Rec 4 | Recommended | Recommended | Recommended | 9. Source Control | Github Org Requires Commit Signoff for Web-Based Commits | Y | CNCF SSCP 1.0 #325 OpenSSF SCM Best Practices | Github Docs | |||||||||||||||||||||||
65 | Rec 4 | Recommended | Recommended | Recommended | 9. Source Control | Require Signed Commits | Y | CNCF SSCP 1.0 #325 OpenSSF SCM Best Practices | Github Docs | |||||||||||||||||||||||
66 | Rec 5 | Recommended | Recommended | Recommended | 10. Dependency Inventory | [Freestanding Applications Only] Commit a package-lock.json file with each release | Y | OpenSSF Scorecard | npm Docs OpenSSF SBOM Naming Conventions | |||||||||||||||||||||||
67 | Rec 6 | Recommended | Recommended | N/A | 8. Code Review | [For Projects with Two or more Maintainers] Require Two Party Review | Y | CAPEC-670 CAPEC-443 CAPEC-438 | OpenSSF Scorecard OpenSSF Best Practices Badge Gold Level [two_person_review] | Github Docs | ||||||||||||||||||||||
68 | Rec 6 | Recommended | Recommended | N/A | 8. Code Review | [For Projects with Four or more Maintainers] Require Code Owners Review | Y | CAPEC-670 CAPEC-443 CAPEC-438 | OpenSSF Scorecard | Github Docs | ||||||||||||||||||||||
69 | Rec 6 | Recommended | Recommended | Recommended | 9. Source Control | [For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branches | Y | CAPEC-670 CAPEC-443 CAPEC-438 | OpenSSF Scorecard CNCF SSCP v1.0 #190 | Github Docs | ||||||||||||||||||||||
70 | Rec 7 | Recommended | Recommended | Recommended | 2. User Account Permissions | Limit Number of Github Org Owners (ideally Fewer Than Three) | Y | M1026 | OpenSSF SCM Best Practices | |||||||||||||||||||||||
71 | Rec 7 | Recommended | Recommended | Recommended | 2. User Account Permissions | Limit Number of Github Repository Admins (ideally Fewer Than Three) | Y | CAPEC-180 M1026 | OpenSSF SCM Best Practices | |||||||||||||||||||||||
72 | Rec 8 | Recommended | Recommended | N/A | 5. Vulnerability Management | Actively Exploited Critical and High Vulnerabilities Patched within 14 Days | OpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed] Google Project Zero Vulnerability Disclosure Policy | |||||||||||||||||||||||||
73 | Rec 8 | Recommended | Recommended | N/A | 5. Vulnerability Management | Non-Critical Expoitable Vulnerabilities Patched within 60 Days | OpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days] OpenSSF Best Practices Badge Passing Level [static_analysis_fixed] | |||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||||||||
100 |