
CI/CD Supply Chain

| Name | Description |
| --- | --- |
| cicd-binary-artifacts-stored-in-scm | Ensure that binary / executable artifacts are not stored in SCM. |
| cicd-branch-protection | Ensure that default repository branches are protected. |
| cicd-gha-can-create-and-approve-pull-requests | Ensure that GitHub Actions cannot approve Pull Requests automatically. |
| cicd-gha-org-allows-all-actions | Ensure that not all GitHub Actions are allowed to run. |
| cicd-gha-org-secret-publicly-visible | Ensure that GitHub organizations do not have publicly visible Organization-level secrets. |
| cicd-gha-read-write-token-permissions | Ensure that GitHub Actions do not have a read / write permissions token. |
| cicd-gha-risky-pull-request-target-usage | Ensure that GitHub Actions are not making risky use of pull_request_target events. |
| cicd-gha-shell-injection-detected | Ensure that GitHub Actions do not have shell injection. |
| cicd-sca-scanning-absent | Ensure that Software Composition Analysis (SCA) is performed. |
| cicd-scm-2fa-enforcement-absent | Ensure that the GitHub Organization is enforcing that all members have 2FA enabled. |
| cicd-unpinned-dependencies | Ensure that dependency management lock files are being used. |