Skip to content

CI/CD Supply Chain

Name Id Description
CI/CD - Weak GitHub OIDC Claim Verification cicd-aws-github-oidc-sub Checks for IAM policies with lax validation of GitHub's OIDC subject claim.
CI/CD - Binary artifacts stored in SCM cicd-binary-artifacts-stored-in-scm Ensure that binary / executable artifacts are not stored in SCM.
CI/CD - Branch Protection - Allows reviewer to self-review their own changes cicd-branch-protection Ensure that default repository branches are protected.
CI/CD - CircleCI $BASH_ENV Injection cicd-circleci-bash-env-injection Checks for CircleCI workflows where unescaped output is added to $BASH_ENV.
CI/CD - CircleCI Shell Injection cicd-circleci-bash-env-injection Ensure CircleCI workflows use pipeline variables safely.
CI/CD - CircleCI Unversionned Orb cicd-circleci-unversioned-orb Ensure CircleCI workflows do not use unversionned Orbs.
CI/CD - GitHub Actions can approve pull requests cicd-gha-can-create-and-approve-pull-requests Ensure that GitHub Actions cannot approve Pull Requests automatically.
CI/CD - GitHub Action evaluates curl's output cicd-gha-curl-eval Checks for data evaluted from a curl command.
CI/CD - All GitHub Actions are allowed to run cicd-gha-org-allows-all-actions Ensure that not all GitHub Actions are allowed to run.
CI/CD - GitHub Organization Secret visible from public repositories cicd-gha-org-secret-publicly-visible Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories.
CI/CD - GitHub Actions have Read / Write permissions cicd-gha-read-write-token-permissions Ensure that GitHub Actions do not have Read / Write permissions token.
CI/CD - GitHub Action risky pull_request_target usage cicd-gha-risky-pull-request-target-usage Ensure that GitHub Actions are not making risky usage of pull_request_target events.
CI/CD - GitHub Action risky workflow_run usgae cicd-gha-risky-pull-request-target-usage Checks for GitHub Action workflow using workflow_run where the code from the incoming PR is checked out.
CI/CD - GitHub Script Injection cicd-gha-script-injection Checks for GitHub Action workflows using actions/github-script with untrusted attributes.
CI/CD - GitHub Action with shell injection cicd-gha-shell-injection-detected Ensure that GitHub Actions do not have shell injection.
CI/CD - GitHub Action Unsecure Commands cicd-gha-unsecure-commands Ensure that GitHub Actions do not enable deprecated unsecure commands.
CI/CD - GitHub Action uses inputs cicd-gha-workflow-dispatch-inputs Checks for GitHub Action workflows defines workflow_dispatch inputs.
CI/CD - GitHub Action uses write-all permissions cicd-gha-write-all-permissions Checks for GitHub Action workflows that enables write on all permissions.
CI/CD - GitLab Environment no approvals required for deployments cicd-gl-deployment-approval GitLab Environment does not require approvals for deployments.
CI/CD - Missing Software Composition Analysis (SCA) Scanning cicd-sca-scanning-absent Ensure that Software Composition Analysis (SCA) is performed.
CI/CD - Missing GitHub Organization 2FA Enforcement cicd-scm-2fa-enforcement-absent Ensure the GitHub Organization is enforcing the all members have 2FA enabled.
CI/CD - Elevated GitHub App Permissions cicd-scm-gh-app-with-elevated-permissions Checks for GitHub organizations with third-party applications that have elevated permissions.
CI/CD - Audit Log - Branch Protection Overriden by Admin cicd-scm-gh-audit-log-branch-protection-overriden Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overriden using administrator's privilege.
CI/CD - Audit Log - OAuth App Restriction Disabled cicd-scm-gh-audit-log-oauth-app-restriction-disabled Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled.
CI/CD - GitHub Organization has Outside Collaborators cicd-scm-gh-org-has-outside-collaborators Checks for GitHub organizations with outside collaborators.
CI/CD - Privileged Default Member Permissions cicd-scm-gh-org-high-default-member-permissions Checks for GitHub organizations with privileged default member permissions.
CI/CD - Insecure GitHub Webhooks cicd-scm-gh-org-insecure-webhook Checks for GitHub organizations with insecure webhooks.
CI/CD - GitLab On Push Secret File Detection Missing cicd-scm-gl-on-push-secret-detection GitLab project does not have the push rule for secret file detection enabled.
CI/CD - Using unpinned dependencies cicd-unpinned-dependencies Ensure that dependency management lock files are being used.