|
9 | 9 | "entity": "Branch",
|
10 | 10 | "description": "Ensure that every code change is reviewed and approved by two authorized contributors who are strongly authenticated.",
|
11 | 11 | "remediation": "An organization can protect specific code branches — for example, the \"main\" branch which often is the version deployed to production — by setting protection rules. These rules secure your code repository from unwanted or unauthorized changes. You may set requirements for any code change to that branch, and thus specify a minimum number of reviewers required to approve a change.",
|
12 |
| - "scannerType": "Rego" |
| 12 | + "scannerType": "Rego", |
| 13 | + "slsa_level": [4] |
13 | 14 | },
|
14 | 15 | "1.1.4": {
|
15 | 16 | "title": "Ensure previous approvals are dismissed when updates are introduced to a code change proposal",
|
16 | 17 | "type": "SCM",
|
17 | 18 | "entity": "Branch",
|
18 | 19 | "description": "Ensure updates to a proposed code change require re-approval of reviewers",
|
19 | 20 | "remediation": "For each code repository in use, enforce an organization-wide policy to dismiss given approvals to code change suggestions if those suggestions were updated.",
|
20 |
| - "scannerType": "Rego" |
| 21 | + "scannerType": "Rego", |
| 22 | + "slsa_level": [] |
21 | 23 | },
|
22 | 24 | "1.1.5": {
|
23 | 25 | "title": "Ensure that there are restrictions on who can dismiss code change reviews",
|
24 | 26 | "type": "SCM",
|
25 | 27 | "entity": "Branch",
|
26 | 28 | "description": "Only trusted users should be allowed to dismiss code change reviews",
|
27 | 29 | "remediation": "For each code repository in use, carefully select the individual collaborators or groups whom you trust with the ability to dismiss code change reviews.",
|
28 |
| - "scannerType": "Rego" |
| 30 | + "scannerType": "Rego", |
| 31 | + "slsa_level": [] |
29 | 32 | },
|
30 | 33 | "1.1.6": {
|
31 | 34 | "title": "Ensure code owners are set for extra sensitive code or configuration",
|
32 | 35 | "type": "SCM",
|
33 | 36 | "entity": "Branch",
|
34 | 37 | "description": "Code owners are trusted users that are responsible for reviewing and managing an important piece of code or configuration. Set code owners for every extremely sensitive code or configuration.",
|
35 | 38 | "remediation": "For every code repository in use, identify particularly sensitive parts of code and configurations and set trusted users to be their code owners.",
|
36 |
| - "scannerType": "Rego" |
| 39 | + "scannerType": "Rego", |
| 40 | + "slsa_level": [4] |
37 | 41 | },
|
38 | 42 | "1.1.8": {
|
39 | 43 | "title": "Ensure inactive branches are reviewed and removed periodically",
|
40 | 44 | "type": "SCM",
|
41 | 45 | "entity": "Repository",
|
42 | 46 | "description": "Keep track of code branches that are inactive for a period of time and remove them periodically.",
|
43 | 47 | "remediation": "For each code repository in use, review existing Git branches and remove those which have not been active for a prescribed period of time.",
|
44 |
| - "scannerType": "Rego" |
| 48 | + "scannerType": "Rego", |
| 49 | + "slsa_level": [] |
45 | 50 | },
|
46 | 51 | "1.1.9": {
|
47 | 52 | "title": "Ensure all checks have passed before the merge of new code",
|
48 | 53 | "type": "SCM",
|
49 | 54 | "entity": "Branch",
|
50 | 55 | "description": "Before a code change request can be merged to the codebase, all pre-defined checks must successfully pass.",
|
51 | 56 | "remediation": "Configure each code repository to require all status checks to pass before permitting a merge of new code.",
|
52 |
| - "scannerType": "Rego" |
| 57 | + "scannerType": "Rego", |
| 58 | + "slsa_level": [4] |
53 | 59 | },
|
54 | 60 | "1.1.10": {
|
55 | 61 | "title": "Ensure open git branches are up to date before they can be merged into codebase",
|
56 | 62 | "type": "SCM",
|
57 | 63 | "entity": "Branch",
|
58 | 64 | "description": "Organizations should make sure each suggested code change is in full sync with the existing state of its origin code repository, before allowing to merge it in.",
|
59 | 65 | "remediation": "For each code repository in use, enforce a policy to only allow merging open branches if they are current with the latest change from their origin repository.",
|
60 |
| - "scannerType": "Rego" |
| 66 | + "scannerType": "Rego", |
| 67 | + "slsa_level": [] |
61 | 68 | },
|
62 | 69 | "1.1.11": {
|
63 | 70 | "title": "Ensure all open comments are resolved before allowing to merge code changes",
|
64 | 71 | "type": "SCM",
|
65 | 72 | "entity": "Branch",
|
66 | 73 | "description": "Organizations should enforce a \"no open comments\" policy before allowing to merge code changes.",
|
67 | 74 | "remediation": "For each code repository in use, require open comments to be resolved before the relevant code change can be merged.",
|
68 |
| - "scannerType": "Rego" |
| 75 | + "scannerType": "Rego", |
| 76 | + "slsa_level": [] |
69 | 77 | },
|
70 | 78 | "1.1.12": {
|
71 | 79 | "title": "Ensure verifying signed commits of new changes before merging",
|
72 | 80 | "type": "SCM",
|
73 | 81 | "entity": "Branch",
|
74 | 82 | "description": "Ensure every commit in pull request is signed and verified before merge",
|
75 | 83 | "remediation": "For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.",
|
76 |
| - "scannerType": "Rego" |
| 84 | + "scannerType": "Rego", |
| 85 | + "slsa_level": [4] |
77 | 86 | },
|
78 | 87 | "1.1.13": {
|
79 | 88 | "title": "Ensure linear history is required",
|
80 | 89 | "type": "SCM",
|
81 | 90 | "entity": "Repository",
|
82 | 91 | "description": "Linear history is the name for Git history where all of the commits come one after another. Such history exists if a pull request is merged either by rebase merge (re-order the commits history) or squash merge (squashes all commits to one). Ensure that linear history is required by enforcing the use of rebase or squash merge when merging a pull request.",
|
83 | 92 | "remediation": "For each repository in use, require linear history and/or allow only rebase merge and squash merge.",
|
84 |
| - "scannerType": "Rego" |
| 93 | + "scannerType": "Rego", |
| 94 | + "slsa_level": [3, 4] |
85 | 95 | },
|
86 | 96 | "1.1.14": {
|
87 | 97 | "title": "Ensure branch protection rules are enforced on administrators",
|
88 | 98 | "type": "SCM",
|
89 | 99 | "entity": "Repository",
|
90 | 100 | "description": "Ensure administrators are subject to branch protection rules.",
|
91 | 101 | "remediation": "For each repository in use, enforce branch protection rules on administrators, as well.",
|
92 |
| - "scannerType": "Rego" |
| 102 | + "scannerType": "Rego", |
| 103 | + "slsa_level": [4] |
93 | 104 | },
|
94 | 105 | "1.1.15": {
|
95 | 106 | "title": "Ensure pushing of new code is restricted to specific individuals or teams",
|
96 | 107 | "type": "SCM",
|
97 | 108 | "entity": "Repository",
|
98 | 109 | "description": "Enforce that only trusted users can push to protected branches.",
|
99 | 110 | "remediation": "For each repository in use, allow only trusted and responsible users to push or merge new code.",
|
100 |
| - "scannerType": "Rego" |
| 111 | + "scannerType": "Rego", |
| 112 | + "slsa_level": [4] |
101 | 113 | },
|
102 | 114 | "1.1.16": {
|
103 | 115 | "title": "Ensure force pushes code to branches is denied",
|
104 | 116 | "type": "SCM",
|
105 | 117 | "entity": "Repository",
|
106 | 118 | "description": "The 'force push' option allows users with 'push' permissions to force their changes directly to the branch without PR and it should be disabled.",
|
107 | 119 | "remediation": "For each repository in use, block the option to \"Force Push\" code.",
|
108 |
| - "scannerType": "Rego" |
| 120 | + "scannerType": "Rego", |
| 121 | + "slsa_level": [4] |
109 | 122 | },
|
110 | 123 | "1.1.17": {
|
111 | 124 | "title": "Ensure branch deletions are denied",
|
112 | 125 | "type": "SCM",
|
113 | 126 | "entity": "Repository",
|
114 | 127 | "description": "Ensure that users with push access only can't delete a protected branch.",
|
115 | 128 | "remediation": "For each repository that is being used, block the option to delete protected branches via branch protection rules.",
|
116 |
| - "scannerType": "Rego" |
| 129 | + "scannerType": "Rego", |
| 130 | + "slsa_level": [3, 4] |
117 | 131 | }
|
118 | 132 | }
|
119 | 133 | }
|