CI/CD Supply Chain

| Name | Id | Description |
|---|---|---|
| CI/CD - Binary artifacts stored in SCM | cicd-binary-artifacts-stored-in-scm | Ensure that binary / executable artifacts are not stored in SCM. |
| CI/CD - Branch Protection - Allows reviewer to self-review their own changes | cicd-branch-protection | Ensure that default repository branches are protected. |
| CI/CD - GitHub Actions can approve pull requests | cicd-gha-can-create-and-approve-pull-requests | Ensure that GitHub Actions cannot approve Pull Requests automatically. |
| CI/CD - All GitHub Actions are allowed to run | cicd-gha-org-allows-all-actions | Ensure that not all GitHub Actions are allowed to run. |
| CI/CD - GitHub Organization Secret visible from public repositories | cicd-gha-org-secret-publicly-visible | Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories. |
| CI/CD - GitHub Actions have Read / Write permissions | cicd-gha-read-write-token-permissions | Ensure that GitHub Actions do not have a Read / Write permissions token. |
| CI/CD - GitHub Action risky pull_request_target usage | cicd-gha-risky-pull-request-target-usage | Ensure that GitHub Actions are not making risky usage of pull_request_target events. |
| CI/CD - GitHub Action with shell injection | cicd-gha-shell-injection-detected | Ensure that GitHub Actions are not vulnerable to shell injection. |
| CI/CD - Missing Software Composition Analysis (SCA) Scanning | cicd-sca-scanning-absent | Ensure that Software Composition Analysis (SCA) is performed. |
| CI/CD - Missing GitHub Organization 2FA Enforcement | cicd-scm-2fa-enforcement-absent | Ensure that the GitHub Organization enforces 2FA for all members. |
| CI/CD - Using unpinned dependencies | cicd-unpinned-dependencies | Ensure that dependency management lock files are being used. |