Skip to content

CI/CD Supply Chain

Name Id Description
CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope cicd-azure-devops-missing-authz-for-project Ensure Azure DevOps projects limit autorization scope of Azure Pipelines.
CI/CD - Azure Pipeline Self-Hosted Agent Pools cicd-azure-devops-using-user-managed-agent-pools Ensure pipelines run using Microsoft-hosted agents
CI/CD - Limit Azure Pipelines Variables cicd-azure-devops-variables-settable-at-queue-time Ensure Azure Pipelines limit variables that can be set a queue time.
CI/CD - Branch Protection - Allows reviewer to self-review their own changes cicd-branch-protection Ensure that default repository branches are protected.
CI/CD - GitHub Actions can approve pull requests cicd-gha-can-create-and-approve-pull-requests Ensure that GitHub Actions cannot approve Pull Requests automatically.
CI/CD - All GitHub Actions are allowed to run cicd-gha-org-allows-all-actions Ensure that not all GitHub Actions are allowed to run.
CI/CD - GitHub Organization Secret visible from public repositories cicd-gha-org-secret-publicly-visible Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories.
CI/CD - GitHub Actions have Read / Write permissions cicd-gha-read-write-token-permissions Ensure that GitHub Actions do not have Read / Write permissions token.
CI/CD - GitLab Environment no approvals required for deployments cicd-gl-deployment-approval GitLab Environment does not require approvals for deployments.
CI/CD - Missing Software Composition Analysis (SCA) Scanning cicd-sca-scanning-absent Ensure that Software Composition Analysis (SCA) is performed.
CI/CD - Missing SCM 2FA Enforcement cicd-scm-2fa-enforcement-absent Ensure the SCM is enforcing that all members have 2FA enabled.
CI/CD - Elevated GitHub App Permissions cicd-scm-gh-app-with-elevated-permissions Checks for GitHub organizations with third-party applications that have elevated permissions.
CI/CD - Audit Log - Branch Protection Overriden by Admin cicd-scm-gh-audit-log-branch-protection-overriden Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overriden using administrator's privilege.
CI/CD - Audit Log - OAuth App Restriction Disabled cicd-scm-gh-audit-log-oauth-app-restriction-disabled Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled.
CI/CD - GitHub Organization has Outside Collaborators cicd-scm-gh-org-has-outside-collaborators Checks for GitHub organizations with outside collaborators.
CI/CD - Privileged Default Member Permissions cicd-scm-gh-org-high-default-member-permissions Checks for GitHub organizations with privileged default member permissions.
CI/CD - Insecure GitHub Webhooks cicd-scm-gh-org-insecure-webhook Checks for GitHub organizations with insecure webhooks.
CI/CD - Invalid Number of GitHub Organization Owners cicd-scm-gh-org-number-of-owners Checks for the number of GitHub Organization owners
CI/CD - Invalid Number of GitHub Repository Admins cicd-scm-gh-repo-number-of-admins Checks for the number of GitHub Repository contributors with administrative privileges.
CI/CD - GitHub Repository with Privileged Outside Collaborators cicd-scm-gh-repo-outside-collaborator-admin-maintainer Checks for GitHub repositories with privileged outside collaborators
CI/CD - GitLab On Push Secret File Detection Missing cicd-scm-gl-on-push-secret-detection GitLab project does not have the push rule for secret file detection enabled.
CI/CD - Inactive SCM Members cicd-scm-inactive-members Checks for SCMs with inactive members.
CI/CD - SCM Repository Creation Not Restricted cicd-scm-limit-repo-creation Checks the creation of repositories is restricted.
CI/CD - SCM Organization Not Verified cicd-scm-org-verified Check the SCM organization has been verified.
CI/CD - SCM Private Forks cicd-scm-private-forks Ensure SCM does not allow private repository forks.
CI/CD - Missing Lockfile resulting in unpinned dependencies cicd-unpinned-dependencies Checks for the absence of a lockfile.