| CI/CD - Weak GitHub OIDC Claim Verification |
cicd-aws-github-oidc-sub |
Checks for IAM policies with lax validation of GitHub's OIDC subject claim. |
| CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope |
cicd-azure-devops-missing-authz-for-project |
Ensure Azure DevOps projects limit autorization scope of Azure Pipelines. |
| CI/CD - Azure Pipeline Self-Hosted Agent Pools |
cicd-azure-devops-using-user-managed-agent-pools |
Ensure pipelines run using Microsoft-hosted agents |
| CI/CD - Limit Azure Pipelines Variables |
cicd-azure-devops-variables-settable-at-queue-time |
Ensure Azure Pipelines limit variables that can be set a queue time. |
| CI/CD - Binary artifacts stored in SCM |
cicd-binary-artifacts-stored-in-scm |
Ensure that binary / executable artifacts are not stored in SCM. |
| CI/CD - Branch Protection - Allows reviewer to self-review their own changes |
cicd-branch-protection |
Ensure that default repository branches are protected. |
| CI/CD - CircleCI $BASH_ENV Injection |
cicd-circleci-bash-env-injection |
Checks for CircleCI workflows where unescaped output is added to $BASH_ENV. |
| CI/CD - CircleCI Shell Injection |
cicd-circleci-bash-env-injection |
Ensure CircleCI workflows use pipeline variables safely. |
| CI/CD - CircleCI Unversionned Orb |
cicd-circleci-unversioned-orb |
Ensure CircleCI workflows do not use unversionned Orbs. |
| CI/CD - GitHub Actions can approve pull requests |
cicd-gha-can-create-and-approve-pull-requests |
Ensure that GitHub Actions cannot approve Pull Requests automatically. |
| CI/CD - GitHub Action evaluates curl's output |
cicd-gha-curl-eval |
Checks for data evaluted from a curl command. |
| CI/CD - All GitHub Actions are allowed to run |
cicd-gha-org-allows-all-actions |
Ensure that not all GitHub Actions are allowed to run. |
| CI/CD - GitHub Organization Secret visible from public repositories |
cicd-gha-org-secret-publicly-visible |
Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories. |
| CI/CD - GitHub Actions have Read / Write permissions |
cicd-gha-read-write-token-permissions |
Ensure that GitHub Actions do not have Read / Write permissions token. |
| CI/CD - GitHub Action risky pull_request_target usage |
cicd-gha-risky-pull-request-target-usage |
Ensure that GitHub Actions are not making risky usage of pull_request_target events. |
| CI/CD - GitHub Action risky workflow_run usgae |
cicd-gha-risky-pull-request-target-usage |
Checks for GitHub Action workflow using workflow_run where the code from the incoming PR is checked out. |
| CI/CD - GitHub Script Injection |
cicd-gha-script-injection |
Checks for GitHub Action workflows using actions/github-script with untrusted attributes. |
| CI/CD - GitHub Action with shell injection |
cicd-gha-shell-injection-detected |
Ensure that GitHub Actions do not have shell injection. |
| CI/CD - GitHub Action Unsecure Commands |
cicd-gha-unsecure-commands |
Ensure that GitHub Actions do not enable deprecated unsecure commands. |
| CI/CD - GitHub Action uses inputs |
cicd-gha-workflow-dispatch-inputs |
Checks for GitHub Action workflows defines workflow_dispatch inputs. |
| CI/CD - GitHub Action uses write-all permissions |
cicd-gha-write-all-permissions |
Checks for GitHub Action workflows that enables write on all permissions. |
| CI/CD - GitLab Environment no approvals required for deployments |
cicd-gl-deployment-approval |
GitLab Environment does not require approvals for deployments. |
| CI/CD - Missing Software Composition Analysis (SCA) Scanning |
cicd-sca-scanning-absent |
Ensure that Software Composition Analysis (SCA) is performed. |
| CI/CD - Missing SCM 2FA Enforcement |
cicd-scm-2fa-enforcement-absent |
Ensure the SCM is enforcing that all members have 2FA enabled. |
| CI/CD - Elevated GitHub App Permissions |
cicd-scm-gh-app-with-elevated-permissions |
Checks for GitHub organizations with third-party applications that have elevated permissions. |
| CI/CD - Audit Log - Branch Protection Overriden by Admin |
cicd-scm-gh-audit-log-branch-protection-overriden |
Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overriden using administrator's privilege. |
| CI/CD - Audit Log - OAuth App Restriction Disabled |
cicd-scm-gh-audit-log-oauth-app-restriction-disabled |
Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled. |
| CI/CD - GitHub Organization has Outside Collaborators |
cicd-scm-gh-org-has-outside-collaborators |
Checks for GitHub organizations with outside collaborators. |
| CI/CD - Privileged Default Member Permissions |
cicd-scm-gh-org-high-default-member-permissions |
Checks for GitHub organizations with privileged default member permissions. |
| CI/CD - Insecure GitHub Webhooks |
cicd-scm-gh-org-insecure-webhook |
Checks for GitHub organizations with insecure webhooks. |
| CI/CD - Invalid Number of GitHub Organization Owners |
cicd-scm-gh-org-number-of-owners |
Checks for the number of GitHub Organization owners |
| CI/CD - Invalid Number of GitHub Repository Admins |
cicd-scm-gh-repo-number-of-admins |
Checks for the number of GitHub Repository contributors with administrative privileges. |
| CI/CD - GitHub Repository with Privileged Outside Collaborators |
cicd-scm-gh-repo-outside-collaborator-admin-maintainer |
Checks for GitHub repositories with privileged outside collaborators |
| CI/CD - GitLab On Push Secret File Detection Missing |
cicd-scm-gl-on-push-secret-detection |
GitLab project does not have the push rule for secret file detection enabled. |
| CI/CD - Inactive SCM Members |
cicd-scm-inactive-members |
Checks for SCMs with inactive members. |
| CI/CD - SCM Repository Creation Not Restricted |
cicd-scm-limit-repo-creation |
Checks the creation of repositories is restricted. |
| CI/CD - SCM Organization Not Verified |
cicd-scm-org-verified |
Check the SCM organization has been verified. |
| CI/CD - SCM Private Forks |
cicd-scm-private-forks |
Ensure SCM does not allow private repository forks. |
| CI/CD - Using unpinned dependencies |
cicd-unpinned-dependencies |
Ensure that dependency management lock files are being used. |