# OpenJS Foundation — Project Security Requirements

## Purpose

This document defines the minimum security requirements that OpenJS Foundation projects must meet at each stage of [project progression][progression]. It bridges the gap between the high-level expectations in [PROJECT_PROGRESSION.md][progression] and the comprehensive [OpenJS Security Compliance Guide][compliance-guide], providing a focused, actionable checklist for each progression stage.

The [Security Compliance Guide][compliance-guide] remains the authoritative reference for implementation details. Each requirement below links to the relevant guidance. This document tells you **what** is required and **when**; the compliance guide tells you **how**.

## How This Document Works

Requirements are organized into three tiers corresponding to project lifecycle stages:

| Tier | Stage Gate | Intent |
|------|-----------|--------|
| **Tier 1** | Required to enter or remain **At Large** | Basic security hygiene — achievable in an afternoon |
| **Tier 2** | Required to graduate to **Impact** | Security processes and access governance — demonstrates organizational maturity |
| **Tier 3** | Ongoing goals for **Impact** projects | Industry-leading practices — tracked at annual review, not a gate |

Projects at a given stage must satisfy all requirements for that tier **and all tiers below it**. For example, an Impact project must meet Tier 1 and Tier 2, and be making progress on Tier 3.

**Feature Complete**, **Sunsetting**, and **Archived** projects are exempt from new requirements but should maintain their SECURITY.md to direct users to any known unpatched issues.

## Tier 1 — At Large Entry

These requirements establish that a project takes security seriously and that the community knows how to report vulnerabilities. A small project with a single maintainer should be able to meet all of these in a single session.
### Vulnerability Reporting

- [ ] **Publish a SECURITY.md** that meets the [OpenJS CVD guidelines][cvd-guidelines]. Place it in the `.github` repository for your organization, or in each repository's root. It must include at least one confidential reporting channel (e.g., a private email address, GitHub Private Vulnerability Reporting, or a platform like HackerOne).
  _Compliance guide: [securityPolicyMeetsStandards][cg-securityPolicy]_
- [ ] **Respond to external vulnerability reports within 14 days.**
  _Compliance guide: [respond14Days][cg-respond14]_

### Authentication

- [ ] **Enforce MFA on your GitHub organization(s).**
  _Compliance guide: [ghOrgEnforceMFA][cg-ghMFA]_
- [ ] **Enforce MFA on your npm organization(s)** (if the project publishes to npm).
  _Compliance guide: [npmOrgEnforceMFA][cg-npmMFA]_
  **(Draft note: this item can be removed; MFA is enforced by npm.)**

### Source Control

- [ ] **Do not store credentials or secrets in repository files.** Secrets must be managed outside the codebase (e.g., environment variables, secret managers).
  _Compliance guide: [credsNotInProjectRepoFiles][cg-noCreds]_
- [ ] **Prevent deletion of the default branch.**
  _Compliance guide: [ghDefaultBranchPreventDeletion][cg-preventDeletion]_

### Dependencies

- [ ] **Enable automated dependency vulnerability scanning** (e.g., Dependabot, Socket, Snyk, or equivalent).
  _Compliance guide: [depMgmtWithVulns][cg-depVulns]_
  **(Draft note: potentially remove.)**

---

## Tier 2 — Graduating to Impact

These requirements demonstrate that a project has mature access controls, CI/CD security practices, and a vulnerability management process. They are appropriate for projects that have grown beyond a solo maintainer and are seeking the responsibility and visibility that come with Impact status. These requirements must be met before the CPC will approve graduation to Impact.

### Access Governance

- [ ] **Manage GitHub permissions using Organizations.** Do not rely on individual repository-level grants.
  _Compliance guide: [useGhOrgs][cg-useGhOrgs]_
- [ ] **Manage npm permissions using Organizations and Teams** (if applicable).
  _Compliance guide: [useNpmOrgsTeams][cg-useNpmOrgs]_
- [ ] **Document who has write access** to GitHub repositories.
  _Compliance guide: [ghDocRepoWriteAccess][cg-ghDocWrite]_
- [ ] **Document who has publish access** to npm packages.
  _Compliance guide: [npmDocPublishAccess][cg-npmDocPublish]_
- [ ] **Configure two or more organization owners** for access continuity (bus factor).
  _Compliance guide: [ghOwnerContinuityPolicy][cg-ownerContinuity]_
- [ ] **Restrict default organization member permissions** so that new members do not automatically receive write access.
  _Compliance guide: [ghOrgRestrictDefaultMemberPerms][cg-restrictDefault]_

### CI/CD Security

- [ ] **Check commits for credentials** using automated tooling in CI.
  _Compliance guide: [checkCommits4Creds][cg-checkCreds]_
- [ ] **Require all commit/PR checks to pass** before merging to the default branch.
  _Compliance guide: [ghCommitChecksMustPass][cg-checksPass]_
- [ ] **Set default workflow token permissions to read-only.** Write permissions should be granted at the job level only when needed.
  _Compliance guide: [ghDefaultTokenPermsReadOnly][cg-tokenReadOnly]_
- [ ] **Pin GitHub Actions that use secrets to full-length commit SHAs** (not tags or branches).
  _Compliance guide: [ghPinActionsWithSecrets][cg-pinActions]_
- [ ] **Inject secrets at runtime.** Never bake secrets into build artifacts or container images.
  _Compliance guide: [ghInjectSecretsAtRuntime][cg-injectSecrets]_
- [ ] **Restrict package publishing access** to the minimum set of accounts needed.
  _Compliance guide: [npmPackagePublishingAccess][cg-npmPubAccess]_
- [ ] **Restrict organization secrets to specific repositories** rather than making them available organization-wide.
  _Compliance guide: [ghRestrictSecretsToRepos][cg-restrictSecrets]_
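Two of the workflow items above (read-only token permissions, full-SHA action pins) and the Tier 3 item on script injection from untrusted variables can be checked mechanically against a workflow file. The following Node script is an added example, not code from the OpenJS document or the compliance guide; the two sample workflows and the 40-zero SHA are constructed for the example, and the checker goes beyond Tier 2 by also covering the Tier 3 injection item.

```javascript
// Added example, not code from the OpenJS document or the compliance guide:
// a line-based audit of a GitHub Actions workflow for three checklist items.
// It uses no YAML parser, so indentation tracking is approximate; treat
// findings as a starting point for review, not a verdict.
const FULL_SHA = /^[0-9a-f]{40}$/;
// Expressions an outside contributor controls (PR title/body, branch name,
// issue or comment text). Substituted into a shell step, they become code.
const UNTRUSTED_EXPR =
  /\$\{\{\s*github\.(event\.(pull_request|issue|comment|review|head_commit)\.|head_ref)/;
const indentOf = (line) => line.length - line.trimStart().length;

function auditWorkflow(yamlText) {
  const findings = [];
  let readOnlyTopLevel = false;
  let runIndent = -1;   // indent of an open `run: |` block, -1 when outside
  let permsIndent = -1; // 0 while inside a top-level `permissions:` mapping
  yamlText.split('\n').forEach((line, i) => {
    const n = i + 1;
    const indent = indentOf(line);
    const body = line.trim();
    if (body === '' || body.startsWith('#')) return;
    // A block scalar or mapping ends when indentation drops back to its key.
    if (runIndent >= 0 && indent <= runIndent) runIndent = -1;
    if (permsIndent >= 0 && indent <= permsIndent) permsIndent = -1;
    // ghPinActionsWithSecrets: third-party actions pinned to a full commit SHA.
    // Local (./path) and docker:// references have no tag to pin; skip them.
    const uses = body.match(/^-?\s*uses:\s*([^\s#]+)/);
    if (uses && !uses[1].startsWith('./') && !uses[1].startsWith('docker://')) {
      const [, ref = ''] = uses[1].split('@');
      if (!FULL_SHA.test(ref)) findings.push({ line: n, rule: 'pin-sha', detail: uses[1] });
    }
    // ghDefaultTokenPermsReadOnly: the workflow-level GITHUB_TOKEN grant must
    // not include write; write scopes belong on the individual jobs needing them.
    const perms = body.match(/^permissions:\s*(.*)$/);
    if (perms && indent === 0) {
      const value = perms[1].trim();
      if (value === 'read-all' || value === '{}') readOnlyTopLevel = true;
      else if (value === '') { permsIndent = 0; readOnlyTopLevel = true; } // mapping follows
      else findings.push({ line: n, rule: 'top-level-write', detail: value });
    } else if (permsIndent === 0 && /:\s*write\b/.test(body)) {
      readOnlyTopLevel = false;
      findings.push({ line: n, rule: 'top-level-write', detail: body });
    }
    // ghPreventScriptInjection: untrusted values reach the shell via `env:`,
    // never by expression substitution inside the script text itself.
    const run = body.match(/^-?\s*run:\s*(.*)$/);
    if (run) {
      if (/^[|>]/.test(run[1].trim())) runIndent = indent; // multi-line script
      if (UNTRUSTED_EXPR.test(run[1])) findings.push({ line: n, rule: 'script-injection', detail: body });
    } else if (runIndent >= 0 && UNTRUSTED_EXPR.test(body)) {
      findings.push({ line: n, rule: 'script-injection', detail: body });
    }
  });
  return { readOnlyTopLevel, findings };
}

// Constructed sample (no real project): fails all three checks.
const WEAK_WORKFLOW = `
permissions: write-all
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: echo "Checking \${{ github.event.pull_request.title }}"
`;
// The same steps after applying the checklist. The SHA is a placeholder, not
// a real actions/checkout commit; pin to the real one from its release page.
const HARDENED_WORKFLOW = `
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4, placeholder
      - env:
          PR_TITLE: \${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
`;
console.log(JSON.stringify(auditWorkflow(WEAK_WORKFLOW), null, 2));
```

Run it over each workflow under `.github/workflows/` as a pre-merge check; an empty `findings` array with `readOnlyTopLevel` true is the state these items ask for.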
### Credential Management

- [ ] **Secure GitHub webhooks with secrets** to validate incoming payloads.
  _Compliance guide: [ghWebhooksUseSecrets][cg-webhookSecrets]_

### Vulnerability Management

- [ ] **Define a clear incident response plan** including communication procedures and roles.
  _Compliance guide: [docIncidentResponsePlan][cg-incidentResponse]_
- [ ] **Include CVE IDs** for security fixes in changelogs and release notes.
  _Compliance guide: [includeCVEInReleaseNotes][cg-cveInNotes]_
- [ ] **Patch non-critical vulnerabilities within 90 days** of disclosure.
  _Compliance guide: [nonCriticalVulns90Days][cg-90day]_

---

## Tier 3 — Ongoing Goals for Impact Projects

These requirements reflect industry best practices that the foundation encourages all Impact projects to pursue. They are not a gate for any progression stage but are tracked at annual reviews. Progress — not perfection — is the expectation.

### Hardened Authentication

- [ ] Use passkeys (AAL2/3) or hardware keys for GitHub access.
  _Compliance guide: [ghMFAUseHwKeyInteractive][cg-hwKeyGh], [ghMFAUseHwKeyNonInteractive][cg-hwKeyGhNon]_
- [ ] Use passkeys or hardware keys for npm access.
  _Compliance guide: [npmMFAUseHwKey][cg-hwKeyNpm]_
- [ ] Do not use MFA methods vulnerable to phishing attacks (GitHub and npm).
  _Compliance guide: [ghMFAphishingResistant][cg-phishGh], [npmMFAphishingResistant][cg-phishNpm]_

### Strengthened Source Control

- [ ] Require pull requests before merging to the default branch.
  _Compliance guide: [ghMergingRequiresPr][cg-requirePR]_
- [ ] Require two-party review for mainline commits (projects with two or more maintainers).
  _Compliance guide: [ghTwoPartyReview][cg-twoParty]_
- [ ] Require code owner review for large projects and teams.
  _Compliance guide: [ghCodeOwnerReviewForLargeTeams][cg-codeOwner]_
- [ ] Require signed commits.
  _Compliance guide: [ghRequireSignedCommits][cg-signedCommits]_
- [ ] Disable force push on the default branch.
  _Compliance guide: [ghDefaultBranchNoForcePush][cg-noForcePush]_
- [ ] Prevent admins from bypassing branch protection.
  _Compliance guide: [ghPreventAdminBypass][cg-noAdminBypass]_

### Advanced CI/CD

- [ ] Use static application security testing (SAST) for all commits.
  _Compliance guide: [staticAppSecTesting][cg-sast]_
- [ ] Use automated static code analysis tools.
  _Compliance guide: [staticCodeAnalysis][cg-staticAnalysis]_
- [ ] Block new commits that contain credentials.
  _Compliance guide: [ghBlockCommitsWithCreds][cg-blockCreds]_
- [ ] Restrict build pipeline code execution to build scripts only.
  _Compliance guide: [ghNoArbitraryCodeInPipeline][cg-noArbitrary]_
- [ ] Disable self-hosted runners in the GitHub organization.
  _Compliance guide: [ghNoSelfHostedRunners][cg-noSelfHosted]_
- [ ] Avoid script injection from untrusted variables.
  _Compliance guide: [ghPreventScriptInjection][cg-preventInjection]_
- [ ] Publish to npm using MFA-enabled accounts.
  _Compliance guide: [npmPublishingWithMFA][cg-npmPubMFA]_
- [ ] Limit GitHub Actions to verified or explicitly trusted actions.
  _Compliance guide: [ghVerifiedActionsOnly][cg-verifiedActions]_
- [ ] Require approval for workflow changes from forked repositories.
  _Compliance guide: [ghForkWorkflowApproval][cg-forkApproval]_

### Accelerated Vulnerability Response

- [ ] Patch actively exploited critical vulnerabilities within 30 days.
  _Compliance guide: [criticalVulns30Days][cg-30day]_
- [ ] Patch critical/high vulnerabilities within 14 days.
  _Compliance guide: [exploitableHighCritVulns14Days][cg-14day]_
- [ ] Patch non-critical vulnerabilities within 60 days (stricter than the Tier 2 90-day requirement).
  _Compliance guide: [exploitableNonCritVulns60Days][cg-60day]_
- [ ] Assign CVEs to all known security vulnerabilities.
  _Compliance guide: [assignCVEForKnownVulns][cg-assignCVE]_

### Governance & Training

- [ ] Document software architecture.
  _Compliance guide: [docSoftwareArchitecture][cg-docArch]_
- [ ] Create regression tests for bugs and security vulnerabilities.
  _Compliance guide: [regressionTestsForVulns][cg-regressionTests]_
- [ ] Provide OWASP Top 10 or equivalent training for maintainers.
  _Compliance guide: [owaspTop10Training][cg-owasp]_
- [ ] Provide training on secure software design.
  _Compliance guide: [softwareDesignTraining][cg-secDesign]_
- [ ] Support older versions or provide upgrade paths.
  _Compliance guide: [upgradePathsForOlderReleases][cg-upgradePaths]_
- [ ] Refresh dependencies with annual releases.
  _Compliance guide: [annualDependencyRefresh][cg-annualRefresh]_
- [ ] Use annotated git release tags.
  _Compliance guide: [releasesUseGitTags][cg-releaseTags]_

### Access Hardening

- [ ] Limit GitHub organization owners to fewer than three.
  _Compliance guide: [ghOrgOwners][cg-limitGhOwners]_
- [ ] Limit GitHub repository admins to fewer than three.
  _Compliance guide: [ghRepoAdmins][cg-limitGhAdmins]_
- [ ] Limit npm organization owners to fewer than three.
  _Compliance guide: [npmNumOrgOwners][cg-limitNpmOwners]_
- [ ] Limit npm organization admins to fewer than three.
  _Compliance guide: [npmNumOrgAdmins][cg-limitNpmAdmins]_
- [ ] Limit npm team membership to the bare minimum required to publish.
  _Compliance guide: [npmNumMembers][cg-limitNpmMembers]_
- [ ] Require activity within the past 12 months for GitHub admins and members with write access.
  _Compliance guide: [activeGhAdmins][cg-activeAdmins], [activeGhWriteAccess][cg-activeWrite]_

---

## Verification & Self-Attestation

Projects self-attest to meeting tier requirements as part of the [progression process][progression]. The recommended approach is:

1. **At application time**, the project's progression proposal should include a completed copy of the relevant tier checklist(s) in the proposal issue, with a brief note on each item describing how the project meets it (e.g., a link to a GitHub org settings page, a CI workflow file, or a SECURITY.md).
2. **At annual review**, Impact projects should report on their Tier 3 progress using the same checklist format.
3. **The CPC** may request evidence or clarification for any item during the review process.

The intent is a lightweight, trust-based process — not a formal audit.

## Existing Impact Projects

Projects that held Impact status before this document was adopted should meet Tier 1 and Tier 2 requirements within 12 months of adoption. The CPC will work with each project to develop a reasonable timeline. Progress is reported at the project's next annual review.

## Changes to This Document

This document is maintained by the Cross Project Council. Proposed changes follow the standard [CPC governance process][cpc-governance]. The Security Working Group may propose additions based on evolving threats or ecosystem changes.

---

## Integration with PROJECT_PROGRESSION.md

The following language is proposed for addition to [PROJECT_PROGRESSION.md][progression]:

> ### Security Requirements
>
> Projects must meet the security requirements defined in [PROJECT_SECURITY_REQUIREMENTS.md](./PROJECT_SECURITY_REQUIREMENTS.md) for their current or target progression stage. Specifically:
>
> - **At Large** projects must meet Tier 1 requirements.
> - **Incubating** projects must meet Tier 1 requirements and should be working toward Tier 2.
> - **Impact** projects must meet Tier 1 and Tier 2 requirements and should demonstrate ongoing progress on Tier 3 at annual review.

## Relationship to PROJECT_SECURITY_REPORTING.md

This document supersedes [PROJECT_SECURITY_REPORTING.md][security-reporting].
The requirements previously covered by that document — publishing a SECURITY.md and maintaining a confidential reporting channel — are now captured in Tier 1 of this document. [PROJECT_SECURITY_REPORTING.md][security-reporting] should be updated to redirect to this document.

---

<!-- Link references -->

<!-- Progression and governance -->
[progression]: https://github.com/openjs-foundation/cross-project-council/blob/main/PROJECT_PROGRESSION.md
[security-reporting]: https://github.com/openjs-foundation/cross-project-council/blob/main/PROJECT_SECURITY_REPORTING.md
[compliance-guide]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT
[cvd-guidelines]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/context-CVDTool.md
[cpc-governance]: https://github.com/openjs-foundation/cross-project-council/blob/main/CPC-CHARTER.md

<!-- Compliance guide individual items -->
<!-- Filenames use category-guideline.md convention. Update paths if the compliance guide restructures. -->

<!-- Tier 1 -->
[cg-securityPolicy]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-securityPolicyMeetsStandards.md
[cg-respond14]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-respond14Days.md
[cg-ghMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/enforceMFAonOrgs-ghOrgEnforceMFA.md
[cg-npmMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/enforceMFAonOrgs-npmOrgEnforceMFA.md
[cg-noCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-credsNotInProjectRepoFiles.md
[cg-preventDeletion]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghDefaultBranchPreventDeletion.md
[cg-depVulns]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-depMgmtWithVulns.md

<!-- Tier 2 — Access Governance -->
[cg-useGhOrgs]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-useGhOrgs.md
[cg-useNpmOrgs]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-useNpmOrgsTeams.md
[cg-ghDocWrite]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/defineRolesAndPerms-ghDocRepoWriteAcces.md
[cg-npmDocPublish]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/defineRolesAndPerms-npmDocPublishAccess.md
[cg-ownerContinuity]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-ghOwnerContinuityPolicy.md
[cg-restrictDefault]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-ghOrgRestrictDefaultMemberPerms.md

<!-- Tier 2 — CI/CD Security -->
[cg-checkCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-checkCommits4Creds.md
[cg-checksPass]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghCommitChecksMustPass.md
[cg-tokenReadOnly]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghDefaultTokenPermsReadOnly.md
[cg-pinActions]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghPinActionsWithSecrets.md
[cg-injectSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghInjectSecretsAtRuntime.md
[cg-granularTokens]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmOnlyUseGranularAccessTokens.md
[cg-npmPubAccess]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmPackagePublishingAccess.md
[cg-restrictSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghRestrictSecretsToRepos.md

<!-- Tier 2 — Credential Management -->
[cg-webhookSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghWebhooksUseSecrets.md

<!-- Tier 2 — Vulnerability Management -->
[cg-incidentResponse]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-docIncidentResponsePlan.md
[cg-cveInNotes]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-includeCVEInReleaseNotes.md
[cg-90day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-nonCriticalVulns90Days.md

<!-- Tier 3 — Hardened Authentication -->
[cg-hwKeyGh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-ghMFAUseHwKeyInteractive.md
[cg-hwKeyGhNon]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-ghMFAUseHwKeyNonInteractive.md
[cg-hwKeyNpm]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-npmMFAUseHwKey.md
[cg-phishGh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/usePhishingResistentMFA-ghMFAphishingResistant.md
[cg-phishNpm]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/usePhishingResistentMFA-npmMFAphishingResistant.md

<!-- Tier 3 — Strengthened Source Control -->
[cg-requirePR]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghMergingRequiresPr.md
[cg-twoParty]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/multiPartyReviews-ghTwoPartyReview.md
[cg-codeOwner]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/multiPartyReviews-ghCodeOwnerReviewForLargeTeams.md
[cg-signedCommits]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghRequireSignedCommits.md
[cg-noForcePush]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghDefaultBranchNoForcePush.md
[cg-noAdminBypass]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghPreventAdminBypass.md

<!-- Tier 3 — Advanced CI/CD -->
[cg-sast]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-staticAppSecTesting.md
[cg-staticAnalysis]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-staticCodeAnalysis.md
[cg-blockCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghBlockCommitsWithCreds.md
[cg-noArbitrary]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghNoArbitraryCodeInPipeline.md
[cg-noSelfHosted]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghNoSelfHostedRunners.md
[cg-preventInjection]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghPreventScriptInjection.md
[cg-npmPubMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmPublishingWithMFA.md
[cg-verifiedActions]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghVerifiedActionsOnly.md
[cg-forkApproval]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghForkWorkflowApproval.md

<!-- Tier 3 — Accelerated Vulnerability Response -->
[cg-30day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-criticalVulns30Days.md
[cg-14day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-exploitableHighCritVulns14Days.md
[cg-60day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-exploitableNonCritVulns60Days.md
[cg-assignCVE]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-assignCVEForKnownVulns.md

<!-- Tier 3 — Governance & Training -->
[cg-docArch]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/projectDocumentation-docSoftwareArchitecture.md
[cg-regressionTests]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnPrevention-regressionTestsForVulns.md
[cg-owasp]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/securityTraining-owaspTop10Training.md
[cg-secDesign]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/securityTraining-softwareDesignTraining.md
[cg-upgradePaths]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/projectDocumentation-upgradePathsForOlderReleases.md
[cg-annualRefresh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-annualDependencyRefresh.md
[cg-releaseTags]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-releasesUseGitTags.md

<!-- Tier 3 — Access Hardening -->
[cg-limitGhOwners]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-ghOrgOwners.md
[cg-limitGhAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-ghRepoAdmins.md
[cg-limitNpmOwners]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumOrgOwners.md
[cg-limitNpmAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumOrgAdmins.md
[cg-limitNpmMembers]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumMembers.md
[cg-activeAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/permsRequireActivity-activeGhAdmins.md
[cg-activeWrite]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/permsRequireActivity-activeGhWriteAccess.md