Update BR-01 to split CI/CD security into 3 areas

[evankanderson]

As discussed in the 2025-11-25 meeting and on Slack.

The BR-01 controls was originally lifted from the Scorecard Dangerous-Workflow check. When this control was refactored into assessment criteria, we ended up with some ambiguity and possible overlap:

• BR-01.01 talked about "input parameters", which suggests something like the GitHub workflow_run trigger, which supports user-selected explicit values. It could also be read to cover input metadata (e.g. PR title), but it's not clear.
• BR-01.02 talked about specifically sanitizing branch names, but not other input metadata.

I unified the current assessments into BR-01.01, which covers all untrusted metadata executed without contributor review.

Both of these missed the "Untrusted Code Checkout" check from Dangerous-Workflow, which I've revived as BR-01.03 (to avoid re-using BR-01.02 with a different meaning).

I revised the plain meaning of BR-01.01 to BR-01.04 as a level 3 control for projects with higher levels of assurances.

[funnelfiasco]

This seems significant enough that I'm going to leave a fake nack to block merging in order to make sure there's enough time for discussion.

[SecurityCRob]

I'm fine adding more requirement statements, as Evan requests here. I ask that changes like this get merged into the crosswalk spreadsheet as we implement them, as some stakeholders use that as a prime source. I think we have the yaml --> website covered through our automation. We want to ensure all paths into the catalog are consistent for the user.

[evankanderson]

I'm fine adding more requirement statements, as Evan requests here. I ask that changes like this get merged into the crosswalk spreadsheet as we implement them, as some stakeholders use that as a prime source. I think we have the yaml --> website covered through our automation. We want to ensure all paths into the catalog are consistent for the user.

You're talking about filling in the Scorecard -> Dangerous Workflows mapping for BR-01? And you want me to update docs/Compliance%20Crosswalk%20Matrix-17Nov2025.xlsx, or something else (possibly not in source control)?

[eddie-knight]

Do you have any references to help me understand what attacker-selected metadata is?

The recommendation and control objective both focus on untrusted inputs, while this requirement hones in on attackers specifically.

[eddie-knight]

This is different enough that it'll need a new ID if it's accepted.

Or, as we discussed previously, it'll need to come with the addition of an orchestrated release notification process to inform and support downstream adopters that the old ID has been removed and reassigned to a new requirement.

[eddie-knight]

This reads quite similar to the text removed above "When a CI/CD pipeline accepts an input parameter, that parameter MUST be sanitized and validated prior to use in the pipeline."

[SecurityCRob]

I'm fine adding more requirement statements, as Evan requests here. I ask that changes like this get merged into the crosswalk spreadsheet as we implement them, as some stakeholders use that as a prime source. I think we have the yaml --> website covered through our automation. We want to ensure all paths into the catalog are consistent for the user.

You're talking about filling in the Scorecard -> Dangerous Workflows mapping for BR-01? And you want me to update docs/Compliance%20Crosswalk%20Matrix-17Nov2025.xlsx, or something else (possibly not in source control)?

No, our Compliance Crosswalk(1) - after each update of the yaml files I've been trying to keep it current. Beyond the yaml files, if we had some way to get this file into git and still allow edits, that would be a dream. As it goes today after I update the xls, i output a pdf and store in our osps repo.

(1) - https://docs.google.com/spreadsheets/d/1an5mx3rayoz3JRFUepD56zgprpwXBXBG70fVZvIMCpA/edit?gid=1342785291#gid=1342785291