| CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope |
cicd-azure-devops-missing-authz-for-project |
Ensure Azure DevOps projects limit autorization scope of Azure Pipelines. |
| CI/CD - Azure Pipeline Self-Hosted Agent Pools |
cicd-azure-devops-using-user-managed-agent-pools |
Ensure pipelines run using Microsoft-hosted agents |
| CI/CD - Limit Azure Pipelines Variables |
cicd-azure-devops-variables-settable-at-queue-time |
Ensure Azure Pipelines limit variables that can be set a queue time. |
| CI/CD - Binary Artifacts Stored in SCM |
cicd-binary-artifacts |
Ensure binary artifacts are not stored in source control management (SCM) systems to reduce repository size and improve security. |
| CI/CD - Branch Protection - Allows reviewer to self-review their own changes |
cicd-branch-protection |
Ensure that default repository branches are protected. |
| CI/CD - CircleCI Injection |
cicd-circleci-shell-injection |
Prevent shell injection attacks in CircleCI configurations by following secure scripting practices. |
| CI/CD - CircleCI Unversioned Orb Usage |
cicd-circleci-unversioned-orb |
Avoid using unversioned orbs in CircleCI to ensure pipeline stability and reproducibility. |
| CI/CD - GitHub Actions can approve pull requests |
cicd-gha-can-create-and-approve-pull-requests |
Ensure that GitHub Actions cannot approve Pull Requests automatically. |
| CI/CD - All GitHub Actions are allowed to run |
cicd-gha-org-allows-all-actions |
Ensure that not all GitHub Actions are allowed to run. |
| CI/CD - GitHub Organization Secret visible from public repositories |
cicd-gha-org-secret-publicly-visible |
Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories. |
| CI/CD - GitHub Actions have Read / Write permissions |
cicd-gha-read-write-token-permissions |
Ensure that GitHub Actions do not have Read / Write permissions token. |
| CI/CD - GitHub Actions Unsecure Commands |
cicd-gha-unsecure-commands |
Avoid using unsecure commands in GitHub Actions workflows to prevent security vulnerabilities such as injection attacks. |
| CI/CD - GitHub Actions Workflow Dispatch Inputs |
cicd-gha-workflow-dispatch-inputs |
Ensure GitHub Actions workflows that use workflow dispatch include secure and validated inputs to prevent misuse or unexpected behavior. |
| CI/CD - GitLab Environment no approvals required for deployments |
cicd-gl-deployment-approval |
GitLab Environment does not require approvals for deployments. |
| CI/CD - Missing Software Composition Analysis (SCA) Scanning |
cicd-sca-scanning-absent |
Ensure that Software Composition Analysis (SCA) is performed. |
| CI/CD - Missing SCM 2FA Enforcement |
cicd-scm-2fa-enforcement-absent |
Ensure the SCM is enforcing that all members have 2FA enabled. |
| CI/CD - Elevated GitHub App Permissions |
cicd-scm-gh-app-with-elevated-permissions |
Checks for GitHub organizations with third-party applications that have elevated permissions. |
| CI/CD - Audit Log - Branch Protection Overriden by Admin |
cicd-scm-gh-audit-log-branch-protection-overriden |
Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overriden using administrator's privilege. |
| CI/CD - Audit Log - OAuth App Restriction Disabled |
cicd-scm-gh-audit-log-oauth-app-restriction-disabled |
Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled. |
| CI/CD - GitHub Organization has Outside Collaborators |
cicd-scm-gh-org-has-outside-collaborators |
Checks for GitHub organizations with outside collaborators. |
| CI/CD - Privileged Default Member Permissions |
cicd-scm-gh-org-high-default-member-permissions |
Checks for GitHub organizations with privileged default member permissions. |
| CI/CD - Insecure GitHub Webhooks |
cicd-scm-gh-org-insecure-webhook |
Checks for GitHub organizations with insecure webhooks. |
| CI/CD - Invalid Number of GitHub Organization Owners |
cicd-scm-gh-org-number-of-owners |
Checks for the number of GitHub Organization owners |
| CI/CD - Invalid Number of GitHub Repository Admins |
cicd-scm-gh-repo-number-of-admins |
Checks for the number of GitHub Repository contributors with administrative privileges. |
| CI/CD - GitHub Repository with Privileged Outside Collaborators |
cicd-scm-gh-repo-outside-collaborator-admin-maintainer |
Checks for GitHub repositories with privileged outside collaborators |
| CI/CD - GitLab On Push Secret File Detection Missing |
cicd-scm-gl-on-push-secret-detection |
GitLab project does not have the push rule for secret file detection enabled. |
| CI/CD - Inactive SCM Members |
cicd-scm-inactive-members |
Checks for SCMs with inactive members. |
| CI/CD - SCM Repository Creation Not Restricted |
cicd-scm-limit-repo-creation |
Checks the creation of repositories is restricted. |
| CI/CD - SCM Organization Not Verified |
cicd-scm-org-verified |
Check the SCM organization has been verified. |
| CI/CD - SCM Private Forks |
cicd-scm-private-forks |
Ensure SCM does not allow private repository forks. |
| CI/CD - Restrict SCM Repository Creation |
cicd-scm-repo-creation-restricted |
Ensure source control management (SCM) systems restrict repository creation to authorized users to prevent unauthorized or unmonitored repositories. |
| CI/CD - Missing Lockfile resulting in unpinned dependencies |
cicd-unpinned-dependencies |
Checks for the absence of a lockfile. |
| CI/CD - Webhook Misconfiguration Detected |
cicd-webhooks-misconfiguration |
Detects when required webhooks are missing or disabled in CI/CD workflows, which can prevent security scans from triggering on code changes. |