ABCDEFGHIJKLMNOPQRSTUVWXYZAAABACADAEAF
1
Priority GroupIncubatingActiveRetiringSectionItemC-SCRMMITRESourcesHow To
2
0ExpectedExpectedExpected7. Code QualityAt least One Primary Maintainer has taken TBD Training on Secure Software DesignM1013OpenSSF Best Practices Badge Passing Level [know_secure_design]
3
0ExpectedExpectedExpected7. Code QualityAt least One Primary Maintainer has taken TBD Training on OWASP Top 10 or EquivalentM1013OpenSSF Best Practices Badge Passing Level [know_common_errors]
4
1ExpectedExpectedExpected1. User AuthenticationMulti Factor Authentication (MFA) Enforced Across the Github OrganizationYCWE-308
M1032
OpenSSF SCM Best Practices
OpenSSF Best Practices Badge Gold Level [require_2FA]
Github Docs
5
1ExpectedExpectedExpected1. User AuthenticationMulti Factor Authentication (MFA) Enforced Across the npm OrganizationYCWE-308
M1032
OpenSSF npm Best Practicesnpm Docs
6
1ExpectedExpectedExpected1. User AuthenticationMulti Factor Authentication (MFA) Enforced in All Tools Wherever Techncially FeasibleCWE-308
M1032
CNCF CNSWP v1.0
7
1ExpectedExpectedExpected1. User AuthenticationUse Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available YCWE-290
CAPEC-151
T1621
M1032
OpenSSF Best Practices Badge Gold Level [secure_2FA]Github Docs
8
2ExpectedExpectedExpected3. Service AuthenticationNo Secrets and Credentials in Source CodeYCWE-540OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]Github Docs
9
2ExpectedExpectedExpected3. Service AuthenticationSecrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets)YCWE-538CNCF CNSWP 2.0 #195Github Docs
10
2ExpectedExpectedN/A7. Code QualityAll Commits are Scanned for Secrets and Credentials YCWE-540
CAPEC-150
CNCF SSCP v1.0 #184Github Docs
11
2ExpectedExpectedN/A7. Code QualityNew Commits Containing Secrets or Credentials are Blocked from MergingYCWE-358OpenSSF Best Practices Badge Passing Level [no_leaked_credentials]Github Docs
12
3ExpectedExpectedExpected1. User AuthenticationUse SSH keys for developer access to source code repositories and use a passphraseYCWE-309CNCF SSCP v1.0 #192Github Docs
13
3ExpectedExpectedExpected3. Service AuthenticationPublish to npm using an MFA-enabled account rather than single factor legacy or granular access tokensYCWE-308npm Docs
14
3ExpectedExpectedExpected3. Service AuthenticationGithub Webhooks Use SecretsYCWE-306OpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
15
4ExpectedExpectedExpected2. User Account PermissionsDefault Github Org Member Permissions Should Be RestrictedYCAPEC-180
M1026
OpenSSF SCM Best PracticesGithub Docs
16
4ExpectedExpectedExpected2. User Account PermissionsOnly Admins Should Be Able To Create Public RepositoriesYCAPEC-122OpenSSF SCM Best PracticesGithub Docs
17
4ExpectedExpectedExpected2. User Account Permissions[For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection SettingsYCAPEC-122Github Supply Chain Security Best PracticesGithub Docs
18
4ExpectedExpectedExpected2. User Account PermissionsDefine roles aligned to functional responsibilitiesYCAPEC-122
M1018
CNCF SSCP v1.0 #188
OpenSSF Best Practices Badge Silver Level [roles_responsibilities]
Github Docs
19
4ExpectedExpectedExpected2. User Account PermissionsDefine Individuals/Teams who Write Access to a Github RepoYCAPEC-180
M1026
CNCF SSCP v1.0 #185Github Docs
20
4ExpectedExpectedExpected2. User Account Permissions[For Projects with Two or more Owners] Have at least Two Owners Configured for Access ContinuityYM1026OpenSSF Best Practices Badge Silver Level [access_continuity]Github Docs
21
5ExpectedExpectedN/A5. Vulnerability ManagementActively Exploited Critical Vulnerabilities Patched within 30 DaysOpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]
Google Project Zero Vulnerability Disclosure Policy
22
5ExpectedExpectedN/A5. Vulnerability ManagementNon-Critical Exploitable Vulnerabilities Patched within 90 DaysGoogle Project Zero Vulnerability Disclosure Policy
23
6ExpectedExpectedExpected11. Dependency ManagementAn automated process to identify dependencies with publicly disclosed vulnerabilitiesYCWE-1395
M1016
OWASP SCVS L1 5.4
OpenSSF Scorecard
OpenSSF Best Practices Badge Passing Level [dependency_monitoring]
Github Docs
24
6ExpectedExpectedN/A7. Code QualityUse an Automated Static Code Analysis Tool (eg: ESLInt)CWE-1076
CWE-1078
M1016
OWASP SCVS L1 5.1
OpenSSF Best Practices Badge Silver Level [coding_standards_enforced]
ESLint Docs
25
6ExpectedExpectedN/A7. Code QualityCompilers/Linter Warnings Addressed in order to MergeCWE-1127OpenSSF Best Practices Badge Silver Level [warnings_strict]ESLint Docs
26
6ExpectedExpectedN/A7. Code QualityAll Commits are Scanned by a Static Application Security Testing ToolCWE-1076
CWE-1078
M1016
OWASP SCVS L1 6.6
OpenSSF Scorecard
OpenSSF Best Practices Badge Gold Level [static_analysis_common_vulnerabilities]
OpenSSF Best Practices Badge Gold Level [test_continuous_integration]
CodeQL Docs
27
6ExpectedExpectedN/A7. Code QualityAll Required Commit Status Checks must pass before MergingYCWE-358OpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
28
7ExpectedExpectedExpected6. Coordinated Vulnerability DisclosureSecurity.md Meets OpenJS CVD Guidelines OpenSSF Scorecard
OpenSSF Best Practices Badge Silver Level [vulnerability_response_process]
OpenJS CVD Guidance
29
7ExpectedExpectedExpected6. Coordinated Vulnerability DisclosureProject Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR)OpenSSF Best Practices Badge Passing Level [vulnerability_report_private]Github Docs
30
7ExpectedExpectedN/A6. Coordinated Vulnerability DisclosureAll External Vulnerability Reports Responded to <14 DaysOpenSSF Best Practices Badge Passing Level [vulnerability_report_response]
31
7ExpectedExpectedExpected6. Coordinated Vulnerability DisclosureEstablish a Clear Communication and Incident Response PlanOpenSSF SCM Best Practices
32
7ExpectedExpectedExpected6. Coordinated Vulnerability DisclosureAll Known Security Vulnerabilities are Issued a CVEYOpenSSF Best Practices Badge Passing Level [release_notes_vulns]
33
7ExpectedExpectedExpected6. Coordinated Vulnerability DisclosureRelease Notes must Include the CVE ID of Patched Security VulnerabilitiesOpenSSF Best Practices Badge Passing Level [release_notes_vulns]
34
8DeferrableExpectedN/A7. Code QualityRegression Tests for => 50% of Bugs and 100% of Security VulnsOpenSSF Best Practices Badge Silver Level [regression_tests_added50]
35
9ExpectedExpectedN/A4. Github Workflow PermissionsGithub Org Default Workflow Token Permissions are Set to Read OnlyYCWE-250
CAPEC-69
36
9ExpectedExpectedExpected4. Github Workflow PermissionsWorkflows are not Allowed To Create or Approve Pull RequestsYCWE-250
CAPEC-69
OpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
37
9ExpectedExpectedExpected9. Source ControlPrevent Force Push on Default BranchYOpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
38
9ExpectedExpectedExpected9. Source ControlPrevent Default Branch DeletionYCWE-267OpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
39
9ExpectedExpectedExpected9. Source ControlDefault Branch must be Up to Date before MergingYOpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
40
10ExpectedExpectedN/A4. Github WorkflowsGitHub Organization Secrets are Restricted to Selected RepositoriesYCWE-250
CAPEC-69
OpenSSF SCM Best PracticesGithub Docs
41
10ExpectedExpectedN/A4. Github WorkflowsGitHub Actions Should Be Limited To Verified or Explicitly Trusted ActionsYCWE-1357
CAPEC-17
CAPEC-538
CAPEC-446
OpenSSF SCM Best PracticesGithub Docs
42
10ExpectedExpectedExpected4. Github WorkflowsDisable use of Self-Hosted Runners in Github OrgYCAPEC-439Github Action Hardening DocsGithub Docs
43
11ExpectedExpectedN/A4. Github WorkflowsBuild Pipeline Cannot Execute Arbitrary Code from Outside of a Build ScriptYCWE-94
CAPEC-19
OpenSSF Scorecard
44
11ExpectedExpectedExpected4. Github WorkflowsOnly Allow Workflows Write Permissions at the Job-LevelYCWE-250
CAPEC-69
OpenSSF Scorecard
OpenSSF SCM Best Practices
Github Docs
45
11ExpectedExpectedN/A4. Github WorkflowsAvoid Script Injection from Untrusted Context VariablesYCWE-454
CAPEC-242
OpenSSF ScorecardGithub Docs
46
12ExpectedExpectedN/A4. Github WorkflowsConsistent and Automated Build Process is Documented and UsedYCWE-1068
47
12ExpectedExpectedN/A5. Vulnerability ManagementCommonly Used Older Versions Supported or Upgrade Path Provided/DocumentedYOpenSSF Best Practices Badge Silver Level [maintenance_or_update]
48
12DeferrableExpectedN/A8. Code Review[For Projects with Two or more Maintainers] Document Software ArchitectureCWE-1053OpenSSF Best Practices Badge Silver Level [documentation_architecture]
49
12DeferrableExpectedN/A9. Source ControlCI/CD steps should all be automated through a pipeline defined as codeYCNCF SSCP 1.0 #158Github Docs
50
13DeferrableExpectedN/A4. Github WorkflowsPin Actions with Access to Secrets to a Full Length Commit SHAYCWE-1357
CAPEC-17
CAPEC-538
CAPEC-446
CAPEC-186
Github Docs
51
14ExpectedExpectedExpected10. Dependency InventoryAutomated Process is Used to Monitor for and Maintain a List of Out of Date DependenciesYOWASP SCVS L1 5.7Socket.Dev
52
14ExpectedExpectedExpected10. Dependency Inventory[Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the SoftwareYOWASP SCVS L1 1.3
OpenSSF Best Practices Badge Silver Level [external_dependencies]
Github Docs
53
14ExpectedExpectedExpected10. Dependency InventoryModified dependencies are uniquely identified and distinct from origin dependencyYOWASP SCVS L2 6.5
54
14ExpectedExpectedN/A5. Vulnerability ManagementA new release to refresh dependencies occurs at least annuallyYOpenSSF Best Practices Badge Passing Level [maintained]
55
Rec 1RecommendedRecommendedRecommended1. User AuthenticationGithub.com: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometricsYCWE-308
M1032
OpenSSF Great MFA Project Security Rationale
NIST SP 800-63Bsup1
Github Docs
56
Rec 1RecommendedRecommendedRecommended1. User AuthenticationNon-Interactive Github: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometricsYCWE-308
M1032
OpenSSF Great MFA Project Security Rationale
NIST SP 800-63Bsup1
Github Docs
57
Rec 1RecommendedRecommendedRecommended1. User AuthenticationAll Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates using a password or biometricsYCWE-308
M1032
OpenSSF Great MFA Project Security Rationale
NIST SP 800-63Bsup1
58
Rec 2RecommendedRecommendedRecommended4. Github WorkflowsLimit changes from forks to workflows by requiring approval for all outside collaboratorsYCAPEC-180Github Docs
59
Rec 2RecommendedRecommendedRecommended4. Github WorkflowsUse a Workflow Security ScannerYM1047OpenSSF Scorecard
OpenSSF SCM Best Practices
Step Security secure-repo
60
Rec 2RecommendedRecommendedRecommended4. Github WorkflowsUse a Github Runner Security ScannerYM1047Github Action Hardening Docs
Step Security harden-runner
61
Rec 3RecommendedRecommendedN/A2. User Account PermissionsGithub Organization Admins Should Have Activity In The Last 6 MonthsYM1026OpenSSF SCM Best Practices
62
Rec 3RecommendedRecommendedN/A2. User Account PermissionsGithub Organization Members with Write Permissions Should Have Activity In The Last 6 MonthsYM1026OpenSSF SCM Best Practices
63
Rec 4RecommendedRecommendedRecommended9. Source ControlRequire Pull Requests before MergingYCWE-778OpenSSF Scorecard
OpenSSF Best Practices Badge Passing Level [repo_track]
Github Docs
64
Rec 4RecommendedRecommendedRecommended9. Source ControlGithub Org Requires Commit Signoff for Web-Based CommitsYCNCF SSCP 1.0 #325
OpenSSF SCM Best Practices
Github Docs
65
Rec 4RecommendedRecommendedRecommended9. Source ControlRequire Signed CommitsYCNCF SSCP 1.0 #325
OpenSSF SCM Best Practices
Github Docs
66
Rec 5RecommendedRecommendedRecommended10. Dependency Inventory[Freestanding Applications Only] Commit a package-lock.json file with each releaseYOpenSSF Scorecard
npm Docs
OpenSSF SBOM Naming Conventions
67
Rec 6RecommendedRecommendedN/A8. Code Review[For Projects with Two or more Maintainers] Require Two Party ReviewYCAPEC-670
CAPEC-443
CAPEC-438
OpenSSF Scorecard
OpenSSF Best Practices Badge Gold Level [two_person_review]
Github Docs
68
Rec 6RecommendedRecommendedN/A8. Code Review[For Projects with Four or more Maintainers] Require Code Owners ReviewYCAPEC-670
CAPEC-443
CAPEC-438
OpenSSF ScorecardGithub Docs
69
Rec 6RecommendedRecommendedRecommended9. Source Control[For Projects with Two or more Maintainers] Require Approved PRs for all commits to mainline branchesYCAPEC-670
CAPEC-443
CAPEC-438
OpenSSF Scorecard
CNCF SSCP v1.0 #190
Github Docs
70
Rec 7RecommendedRecommendedRecommended2. User Account PermissionsLimit Number of Github Org Owners (ideally Fewer Than Three)YM1026OpenSSF SCM Best Practices
71
Rec 7RecommendedRecommendedRecommended2. User Account PermissionsLimit Number of Github Repository Admins (ideally Fewer Than Three)YCAPEC-180
M1026
OpenSSF SCM Best Practices
72
Rec 8RecommendedRecommendedN/A5. Vulnerability ManagementActively Exploited Critical and High Vulnerabilities Patched within 14 DaysOpenSSF Best Practices Badge Passing Level [vulnerabilities_critical_fixed]
Google Project Zero Vulnerability Disclosure Policy
73
Rec 8RecommendedRecommendedN/A5. Vulnerability ManagementNon-Critical Expoitable Vulnerabilities Patched within 60 DaysOpenSSF Best Practices Badge Silver Level [vulnerabilities_fixed_60_days]
OpenSSF Best Practices Badge Passing Level [static_analysis_fixed]
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100