|CI/CD - Weak GitHub OIDC Claim Verification
||Checks for IAM role trust policies that validate GitHub's OIDC subject (sub) claim too loosely, so that more repositories or refs than intended can assume the role.
|CI/CD - Binary artifacts stored in SCM
||Ensure that binary / executable artifacts are not stored in SCM.
|CI/CD - Branch Protection - Allows reviewer to self-review their own changes
||Ensure that default repository branches are protected and that authors cannot approve their own changes.
|CI/CD - CircleCI $BASH_ENV Injection
||Checks for CircleCI workflows where unescaped or untrusted output is appended to $BASH_ENV, which is sourced by every subsequent step.
|CI/CD - CircleCI Shell Injection
||Ensure CircleCI workflows use pipeline variables safely.
|CI/CD - CircleCI Unversioned Orb
||Ensure CircleCI workflows do not use unversioned Orbs.
|CI/CD - GitHub Actions can approve pull requests
||Ensure that GitHub Actions cannot approve Pull Requests automatically.
|CI/CD - GitHub Action evaluates curl's output
||Checks for GitHub Action steps that execute or evaluate data returned by a curl command.
|CI/CD - All GitHub Actions are allowed to run
||Ensure that the organization restricts which GitHub Actions may run instead of allowing all actions.
|CI/CD - GitHub Organization Secret visible from public repositories
||Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories.
|CI/CD - GitHub Actions have Read / Write permissions
||Ensure that the default GITHUB_TOKEN permissions for GitHub Actions are read-only rather than read / write.
|CI/CD - GitHub Action risky pull_request_target usage
||Ensure that workflows triggered by pull_request_target do not check out or execute code from the incoming pull request.
|CI/CD - GitHub Action risky workflow_run usage
||Checks for GitHub Action workflows using workflow_run where the code from the incoming pull request is checked out.
|CI/CD - GitHub Script Injection
||Checks for GitHub Action workflows using actions/github-script that interpolate untrusted event data into the script.
|CI/CD - GitHub Action with shell injection
||Ensure that GitHub Actions workflows do not interpolate untrusted expressions into run steps (shell injection).
|CI/CD - GitHub Action Unsecure Commands
||Ensure that GitHub Actions do not enable the deprecated unsecure commands (ACTIONS_ALLOW_UNSECURE_COMMANDS).
|CI/CD - GitHub Action uses inputs
||Checks for GitHub Action workflows that define workflow_dispatch inputs, whose values are user-supplied.
|CI/CD - GitHub Action uses write-all permissions
||Checks for GitHub Action workflows that grant permissions: write-all.
|CI/CD - GitLab Environment no approvals required for deployments
||GitLab Environment does not require approvals for deployments.
|CI/CD - Missing Software Composition Analysis (SCA) Scanning
||Ensure that Software Composition Analysis (SCA) is performed.
|CI/CD - Missing GitHub Organization 2FA Enforcement
||Ensure the GitHub Organization enforces that all members have 2FA enabled.
|CI/CD - Elevated GitHub App Permissions
||Checks for GitHub organizations with third-party applications that have elevated permissions.
|CI/CD - Audit Log - Branch Protection Overridden by Admin
||Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overridden using administrator privileges.
|CI/CD - Audit Log - OAuth App Restriction Disabled
||Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled.
|CI/CD - GitHub Organization has Outside Collaborators
||Checks for GitHub organizations with outside collaborators.
|CI/CD - Privileged Default Member Permissions
||Checks for GitHub organizations with privileged default member permissions.
|CI/CD - Insecure GitHub Webhooks
||Checks for GitHub organizations with insecure webhooks.
|CI/CD - GitLab On Push Secret File Detection Missing
||GitLab project does not have the push rule for secret file detection enabled.
|CI/CD - Using unpinned dependencies
||Ensure that dependency management lock files are being used.
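The "Weak GitHub OIDC Claim Verification" rule above is about the IAM role trust policy on the cloud side. The following is an added example, not the rule's own implementation: a small Python audit over a trust-policy JSON document that reports a statement as lax when the GitHub OIDC subject claim is not constrained at all, when a StringLike pattern wildcards the repository name (`repo:acme/*` lets every repository in the organization assume the role), when it ends in `:*` (every branch, tag, pull request and environment of one repository), or when the audience claim is not pinned. The two sample policies, the `acme` repository names and the `123456789012` account id are constructed; the severity labels are this example's own.

```python
"""Audit an IAM role trust policy for lax validation of GitHub's OIDC `sub` claim.
The claim has the form repo:<owner>/<repo>:<ref:...|environment:...|pull_request>, so a
tight policy names one repository and one ref or environment and also pins `aud`."""
import json

ISSUER = "token.actions.githubusercontent.com"
SUB_KEY, AUD_KEY = f"{ISSUER}:sub", f"{ISSUER}:aud"
# Only these operators treat '*' and '?' as wildcards; StringEquals matches literally.
WILDCARD_OPERATORS = {"StringLike", "ForAnyValue:StringLike", "ForAllValues:StringLike"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_github_oidc_statement(stmt):
    """True for an Allow statement that lets the GitHub OIDC provider assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
        return False
    principal = stmt.get("Principal")
    federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else _as_list(principal)
    return any(p == "*" or ISSUER in p for p in federated)


def classify_subject_pattern(pattern, wildcards_allowed):
    """(severity, reason) for one `sub` condition value, or None when it pins a single
    repository and ref. Wildcards only count under a StringLike-family operator."""
    if not wildcards_allowed:
        return None  # exact comparison: '*' is an ordinary character here
    if not pattern.startswith("repo:"):
        return "HIGH", f"{pattern!r} does not even require a repository subject"
    repository, _, rest = pattern[len("repo:"):].partition(":")
    if any(c in repository for c in "*?"):
        return "HIGH", f"{pattern!r} matches more than one repository"
    if rest == "*":
        return "MEDIUM", f"{pattern!r} matches every branch, tag, pull request and environment of {repository}"
    if any(c in rest for c in "*?"):
        return "LOW", f"{pattern!r} still wildcards part of the ref or environment"
    return None


def audit_trust_policy(policy_json):
    """Return (statement_index, severity, reason) findings for a trust policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if not _is_github_oidc_statement(stmt):
            continue
        subjects, aud_checked = [], False
        for operator, keys in (stmt.get("Condition") or {}).items():
            for key, values in keys.items():
                if key.lower() == SUB_KEY:
                    subjects += [(v, operator in WILDCARD_OPERATORS) for v in _as_list(values)]
                elif key.lower() == AUD_KEY:
                    aud_checked = True
        if not subjects:
            findings.append((index, "HIGH", "no condition on the subject claim: any GitHub repository may assume the role"))
        if not aud_checked:
            findings.append((index, "MEDIUM", "audience claim is not checked; a token minted for another relying party is accepted"))
        for value, wildcards_allowed in subjects:
            verdict = classify_subject_pattern(value, wildcards_allowed)
            if verdict:
                findings.append((index, *verdict))
    return findings


PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"  # constructed
LAX_TRUST_POLICY = json.dumps({  # constructed: the organization-wide wildcard many tutorials copy
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN}, "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/*"},
        },
    }],
})
STRICT_TRUST_POLICY = json.dumps({  # constructed: pinned to one repository and one environment
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN}, "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub": "repo:acme/deploy-api:environment:production",
        }},
    }],
})

if __name__ == "__main__":
    for index, severity, reason in audit_trust_policy(LAX_TRUST_POLICY):
        print(f"statement {index}: {severity}: {reason}")
    print("strict policy findings:", audit_trust_policy(STRICT_TRUST_POLICY))
```

Note that a wildcard under StringEquals is deliberately not reported: IAM compares it literally, so such a statement can never match a real token and fails closed rather than open. Statements for other principals (an EC2 service role, for instance) are skipped, so the audit can be run over every role in an account.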
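Several of the GitHub Actions rules above (write-all permissions, unsecure commands, shell injection, github-script injection, risky pull_request_target and workflow_run usage) are checks on the workflow file itself. The following is an added example, not the rule set's own implementation: a Python scanner over a workflow already loaded as a dict (the shape `yaml.safe_load` produces), with the same triage job shown once as it is commonly misconfigured and once with the fixes the rules call for. The sample workflows, the `Finding` class and the rule labels are constructed for this example; the list of untrusted expression prefixes is deliberately broad (it flags `github.event.pull_request.number` as well as `.title`) and is meant to be tuned.

```python
"""Static checks for GitHub Actions workflows: write-all permissions, unsecure commands,
shell injection, github-script injection and risky pull_request_target / workflow_run
checkouts. Input is the dict yaml.safe_load produces for a workflow file."""
import re
from dataclasses import dataclass

EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Expression prefixes whose value is chosen by whoever opened the issue, PR or comment.
UNTRUSTED_PREFIXES = (
    "github.event.issue.", "github.event.pull_request.", "github.event.comment.",
    "github.event.review.", "github.event.review_comment.", "github.event.discussion.",
    "github.event.head_commit.", "github.event.commits", "github.event.inputs.",
    "github.head_ref", "inputs.",
)
# These triggers run with the base repository's secrets and write token, so checking
# out (and then building or testing) the incoming head hands both to the attacker.
PRIVILEGED_TRIGGERS = {
    "pull_request_target": "github.event.pull_request.head",
    "workflow_run": "github.event.workflow_run.head",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    location: str
    detail: str


def untrusted_expressions(text):
    """Return the ${{ }} expressions in text that read attacker-controlled data."""
    return [e for e in EXPRESSION.findall(text or "") if e.startswith(UNTRUSTED_PREFIXES)]


def _triggers(workflow):
    # yaml.safe_load parses the unquoted key `on` as the boolean True (YAML 1.1 booleans).
    on = workflow.get("on", workflow.get(True, {}))
    return {on} if isinstance(on, str) else set(on)


def _check_common(node, location, findings):
    if node.get("permissions") == "write-all":
        findings.append(Finding("write-all permissions", location, "permissions: write-all"))
    env = node.get("env") or {}
    if str(env.get("ACTIONS_ALLOW_UNSECURE_COMMANDS", "")).lower() == "true":
        findings.append(Finding("unsecure commands", location, "ACTIONS_ALLOW_UNSECURE_COMMANDS=true"))


def scan_workflow(workflow):
    findings = []
    _check_common(workflow, "workflow", findings)
    triggers = _triggers(workflow)
    for job_name, job in (workflow.get("jobs") or {}).items():
        _check_common(job, f"jobs.{job_name}", findings)
        for i, step in enumerate(job.get("steps") or []):
            loc = f"jobs.{job_name}.steps[{i}]"
            _check_common(step, loc, findings)
            uses, with_ = step.get("uses", ""), step.get("with") or {}
            for expr in untrusted_expressions(step.get("run")):
                findings.append(Finding("shell injection", loc, f"${{{{ {expr} }}}} expanded inside run:"))
            if uses.startswith("actions/github-script"):
                for expr in untrusted_expressions(with_.get("script")):
                    findings.append(Finding("script injection", loc, f"${{{{ {expr} }}}} expanded inside script:"))
            if uses.startswith("actions/checkout"):
                ref = str(with_.get("ref", ""))
                for trigger, head in PRIVILEGED_TRIGGERS.items():
                    if trigger in triggers and head in ref:
                        findings.append(Finding(f"risky {trigger}", loc, f"checks out {ref} with secrets available"))
    return findings


# Constructed samples: the same triage job before and after applying the rules.
VULNERABLE_WORKFLOW = {
    "on": "pull_request_target",
    "permissions": "write-all",
    "jobs": {"triage": {
        "runs-on": "ubuntu-latest",
        "env": {"ACTIONS_ALLOW_UNSECURE_COMMANDS": True},
        "steps": [
            {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": 'echo "PR title: ${{ github.event.pull_request.title }}"'},
            {"uses": "actions/github-script@v7",
             "with": {"script": "console.log('${{ github.event.pull_request.body }}')"}},
        ],
    }},
}
HARDENED_WORKFLOW = {
    "on": "pull_request",
    "permissions": {"contents": "read", "pull-requests": "write"},
    "jobs": {"triage": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            # Untrusted data reaches the shell via an environment variable, never the script text.
            {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}, "run": 'echo "PR title: $PR_TITLE"'},
            {"uses": "actions/github-script@v7", "with": {"script": "console.log(context.payload.pull_request.body)"}},
        ],
    }},
}

if __name__ == "__main__":
    for f in scan_workflow(VULNERABLE_WORKFLOW):
        print(f"{f.rule:28} {f.location:24} {f.detail}")
    print("hardened findings:", scan_workflow(HARDENED_WORKFLOW))
```

The hardened job keeps `${{ github.event.pull_request.title }}` in an `env:` mapping, where the runner sets it as a variable, rather than in the `run:` text, where the expression is substituted before the shell parses the script; in the github-script step the same data is read from `context.payload`, so neither place expands an attacker-controlled string into code.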