# OpenJS Foundation — Project Security Requirements
***Note: a lot of links are broken and need to be fixed.***
## Purpose
This document defines the minimum security requirements that OpenJS Foundation projects must meet at each stage of [project progression][progression]. It bridges the gap between the high-level expectations in PROJECT_PROGRESSION.md and the comprehensive [OpenJS Security Compliance Guide][compliance-guide], providing a focused, actionable checklist for each progression stage.
The [Security Compliance Guide][compliance-guide] remains the authoritative reference for implementation details. Each requirement below links to the relevant guidance. This document tells you **what** is required and **when**; the compliance guide tells you **how**.
## How This Document Works
Requirements are organized into three tiers corresponding to project lifecycle stages:
| Tier | Stage Gate | Intent |
|------|-----------|--------|
| **Tier 1** | Required to enter or remain **At Large** | Basic security hygiene — achievable in an afternoon |
| **Tier 2** | Required to graduate from **Incubating** to **Impact** | Security processes and access governance — demonstrates organizational maturity |
| **Tier 3** | Ongoing goals for **Impact** projects | Industry-leading practices — tracked at annual review, not a gate |
Projects at a given stage must satisfy all requirements for that tier **and all tiers below it**. For example, an Impact project must meet Tier 1, Tier 2, and be making progress on Tier 3.
**Archived** and **Emeritus** projects are exempt from new requirements but should maintain their SECURITY.md to direct users to any known unpatched issues.
## Tier 1 — At Large Entry
These requirements establish that a project takes security seriously and that the community knows how to report vulnerabilities. A small project with a single maintainer should be able to meet all of these in a single session.
### Vulnerability Reporting
- [ ] **Publish a SECURITY.md** that meets [OpenJS CVD guidelines][cvd-guidelines]. Place it in the `.github` repository for your organization, or in each repository's root. It must include at least one confidential reporting channel (e.g., a private email address, GitHub Private Vulnerability Reporting, or a platform like HackerOne).
_Compliance guide: [securityPolicyMeetsStandards][cg-securityPolicy]_
- [ ] **Respond to external vulnerability reports within 14 days.**
_Compliance guide: [respond14Days][cg-respond14]_
### Authentication
- [ ] **Enforce MFA on your GitHub organization(s).**
_Compliance guide: [ghOrgEnforceMFA][cg-ghMFA]_
- [ ] **Enforce MFA on your npm organization(s)** (if the project publishes to npm).
_Compliance guide: [npmOrgEnforceMFA][cg-npmMFA]_
### Source Control
- [ ] **Do not store credentials or secrets in repository files.** Secrets must be managed outside the codebase (e.g., environment variables, secret managers).
_Compliance guide: [credsNotInProjectRepoFiles][cg-noCreds]_
- [ ] **Prevent deletion of the default branch.**
_Compliance guide: [ghDefaultBranchPreventDeletion][cg-preventDeletion]_
### Dependencies
- [ ] **Enable automated dependency vulnerability scanning** (e.g., Dependabot, Socket, Snyk, or equivalent).
_Compliance guide: [depMgmtWithVulns][cg-depVulns]_
---
## Tier 2 — Incubating to Impact
These requirements demonstrate that a project has mature access controls, CI/CD security practices, and a vulnerability management process. They are appropriate for projects that have grown beyond a solo maintainer and are seeking the responsibility and visibility that come with Impact status.
Projects should begin working toward these requirements upon entering Incubating. They must be met before the CPC will approve graduation to Impact.
### Access Governance
- [ ] **Manage GitHub permissions using Organizations.** Do not rely on individual repository-level grants.
_Compliance guide: [useGhOrgs][cg-useGhOrgs]_
- [ ] **Manage npm permissions using Organizations and Teams** (if applicable).
_Compliance guide: [useNpmOrgsTeams][cg-useNpmOrgs]_
- [ ] **Document who has write access** to GitHub repositories.
_Compliance guide: [ghDocRepoWriteAccess][cg-ghDocWrite]_
- [ ] **Document who has publish access** to npm packages.
_Compliance guide: [npmDocPublishAccess][cg-npmDocPublish]_
- [ ] **Configure two or more organization owners** for access continuity (bus factor).
_Compliance guide: [ghOwnerContinuityPolicy][cg-ownerContinuity]_
- [ ] **Restrict default organization member permissions** so that new members do not automatically receive write access.
_Compliance guide: [ghOrgRestrictDefaultMemberPerms][cg-restrictDefault]_
### CI/CD Security
- [ ] **Check commits for credentials** using automated tooling in CI.
_Compliance guide: [checkCommits4Creds][cg-checkCreds]_
- [ ] **Require all commit/PR checks to pass** before merging to the default branch.
_Compliance guide: [ghCommitChecksMustPass][cg-checksPass]_
- [ ] **Set default workflow token permissions to read-only.** Write permissions should be granted at the job level only when needed.
_Compliance guide: [ghDefaultTokenPermsReadOnly][cg-tokenReadOnly]_
- [ ] **Pin GitHub Actions that use secrets to full-length commit SHAs** (not tags or branches).
_Compliance guide: [ghPinActionsWithSecrets][cg-pinActions]_
- [ ] **Inject secrets at runtime.** Never bake secrets into build artifacts or container images.
_Compliance guide: [ghInjectSecretsAtRuntime][cg-injectSecrets]_
- [ ] **Use granular access tokens** for npm publishing (not legacy full-access tokens).
_Compliance guide: [npmOnlyUseGranularAccessTokens][cg-granularTokens]_
- [ ] **Restrict package publishing access** to the minimum set of accounts needed.
_Compliance guide: [npmPackagePublishingAccess][cg-npmPubAccess]_
- [ ] **Restrict organization secrets to specific repositories** rather than making them available organization-wide.
_Compliance guide: [ghRestrictSecretsToRepos][cg-restrictSecrets]_
### Credential Management
- [ ] **Secure GitHub webhooks with secrets** to validate incoming payloads.
_Compliance guide: [ghWebhooksUseSecrets][cg-webhookSecrets]_
### Vulnerability Management
- [ ] **Define a clear incident response plan** including communication procedures and roles.
_Compliance guide: [docIncidentResponsePlan][cg-incidentResponse]_
- [ ] **Include CVE IDs** for security fixes in changelogs and release notes.
_Compliance guide: [includeCVEInReleaseNotes][cg-cveInNotes]_
- [ ] **Patch non-critical vulnerabilities within 90 days** of disclosure.
_Compliance guide: [nonCriticalVulns90Days][cg-90day]_
---
## Tier 3 — Ongoing Goals for Impact Projects
These requirements reflect industry best practices that the foundation encourages all Impact projects to pursue. They are not a gate for any progression stage but are tracked at annual reviews. Progress — not perfection — is the expectation.
### Hardened Authentication
- [ ] Use passkeys (AAL2/3) or hardware keys for GitHub access.
_Compliance guide: [ghMFAUseHwKeyInteractive][cg-hwKeyGh], [ghMFAUseHwKeyNonInteractive][cg-hwKeyGhNon]_
- [ ] Use passkeys or hardware keys for npm access.
_Compliance guide: [npmMFAUseHwKey][cg-hwKeyNpm]_
- [ ] Do not use MFA methods vulnerable to phishing attacks (GitHub and npm).
_Compliance guide: [ghMFAphishingResistant][cg-phishGh], [npmMFAphishingResistant][cg-phishNpm]_
### Strengthened Source Control
- [ ] Require pull requests before merging to the default branch.
_Compliance guide: [ghMergingRequiresPr][cg-requirePR]_
- [ ] Require two-party review for mainline commits (projects with two or more maintainers).
_Compliance guide: [ghTwoPartyReview][cg-twoParty]_
- [ ] Require code owner review for large projects and teams.
_Compliance guide: [ghCodeOwnerReviewForLargeTeams][cg-codeOwner]_
- [ ] Require signed commits.
_Compliance guide: [ghRequireSignedCommits][cg-signedCommits]_
- [ ] Disable force push on the default branch.
_Compliance guide: [ghDefaultBranchNoForcePush][cg-noForcePush]_
- [ ] Prevent admins from bypassing branch protection.
_Compliance guide: [ghPreventAdminBypass][cg-noAdminBypass]_
### Advanced CI/CD
- [ ] Use static application security testing (SAST) for all commits.
_Compliance guide: [staticAppSecTesting][cg-sast]_
- [ ] Use automated static code analysis tools.
_Compliance guide: [staticCodeAnalysis][cg-staticAnalysis]_
- [ ] Block new commits that contain credentials.
_Compliance guide: [ghBlockCommitsWithCreds][cg-blockCreds]_
- [ ] Restrict build pipeline code execution to build scripts only.
_Compliance guide: [ghNoArbitraryCodeInPipeline][cg-noArbitrary]_
- [ ] Disable self-hosted runners in the GitHub organization.
_Compliance guide: [ghNoSelfHostedRunners][cg-noSelfHosted]_
- [ ] Avoid script injection from untrusted variables.
_Compliance guide: [ghPreventScriptInjection][cg-preventInjection]_
- [ ] Publish to npm using MFA-enabled accounts.
_Compliance guide: [npmPublishingWithMFA][cg-npmPubMFA]_
- [ ] Limit GitHub Actions to verified or explicitly trusted actions.
_Compliance guide: [ghVerifiedActionsOnly][cg-verifiedActions]_
- [ ] Require approval for workflow changes from forked repositories.
_Compliance guide: [ghForkWorkflowApproval][cg-forkApproval]_
### Accelerated Vulnerability Response
- [ ] Patch actively exploited critical vulnerabilities within 30 days.
_Compliance guide: [criticalVulns30Days][cg-30day]_
- [ ] Patch critical/high vulnerabilities within 14 days.
_Compliance guide: [exploitableHighCritVulns14Days][cg-14day]_
- [ ] Patch non-critical vulnerabilities within 60 days (stricter than the Tier 2 90-day requirement).
_Compliance guide: [exploitableNonCritVulns60Days][cg-60day]_
- [ ] Assign CVEs to all known security vulnerabilities.
_Compliance guide: [assignCVEForKnownVulns][cg-assignCVE]_
### Governance & Training
- [ ] Document software architecture.
_Compliance guide: [docSoftwareArchitecture][cg-docArch]_
- [ ] Create regression tests for bugs and security vulnerabilities.
_Compliance guide: [regressionTestsForVulns][cg-regressionTests]_
- [ ] OWASP Top 10 or equivalent training for maintainers.
_Compliance guide: [owaspTop10Training][cg-owasp]_
- [ ] Training on secure software design.
_Compliance guide: [softwareDesignTraining][cg-secDesign]_
- [ ] Support older versions or provide upgrade paths.
_Compliance guide: [upgradePathsForOlderReleases][cg-upgradePaths]_
- [ ] Refresh dependencies with annual releases.
_Compliance guide: [annualDependencyRefresh][cg-annualRefresh]_
- [ ] Use annotated git release tags.
_Compliance guide: [releasesUseGitTags][cg-releaseTags]_
### Access Hardening
- [ ] Limit GitHub organization owners to fewer than three.
_Compliance guide: [ghOrgOwners][cg-limitGhOwners]_
- [ ] Limit GitHub repository admins to fewer than three.
_Compliance guide: [ghRepoAdmins][cg-limitGhAdmins]_
- [ ] Limit npm organization owners to fewer than three.
_Compliance guide: [npmNumOrgOwners][cg-limitNpmOwners]_
- [ ] Limit npm organization admins to fewer than three.
_Compliance guide: [npmNumOrgAdmins][cg-limitNpmAdmins]_
- [ ] Limit npm team membership to the bare minimum required to publish.
_Compliance guide: [npmNumMembers][cg-limitNpmMembers]_
- [ ] Require activity within the past 12 months for GitHub admins and members with write access.
_Compliance guide: [activeGhAdmins][cg-activeAdmins], [activeGhWriteAccess][cg-activeWrite]_
---
## Verification & Self-Attestation
Projects self-attest to meeting tier requirements as part of the [progression process][progression]. The recommended approach is:
1. **At application time**, the project's progression proposal should include a completed copy of the relevant tier checklist(s) in the proposal issue, with a brief note on each item describing how the project meets it (e.g., a link to a GitHub org settings page, a CI workflow file, or a SECURITY.md).
2. **At annual review**, Impact projects should report on their Tier 3 progress using the same checklist format.
3. **The CPC** may request evidence or clarification for any item during the review process. The intent is a lightweight, trust-based process — not a formal audit.
## Existing Impact Projects
Projects that held Impact status before this document was adopted should meet Tier 1 and Tier 2 requirements within 12 months of adoption. The CPC will work with each project to develop a reasonable timeline. Progress is reported at the project's next annual review.
## Changes to This Document
This document is maintained by the Cross Project Council. Proposed changes follow the standard [CPC governance process][cpc-governance]. The Security Collaboration Space may propose additions based on evolving threats or ecosystem changes.
---
## Integration with PROJECT_PROGRESSION.md
The following language is proposed for addition to [PROJECT_PROGRESSION.md][progression]:
> ### Security Requirements
>
> Projects must meet the security requirements defined in [PROJECT_SECURITY_REQUIREMENTS.md](./PROJECT_SECURITY_REQUIREMENTS.md) for their current or target progression stage. Specifically:
>
> - **At Large** projects must meet Tier 1 requirements.
> - **Incubating** projects must meet Tier 1 requirements and should be working toward Tier 2.
> - **Impact** projects must meet Tier 1 and Tier 2 requirements and should demonstrate ongoing progress on Tier 3 at annual review.
## Relationship to PROJECT_SECURITY_REPORTING.md
This document supersedes [PROJECT_SECURITY_REPORTING.md][security-reporting]. The requirements previously covered by that document — publishing a SECURITY.md and maintaining a confidential reporting channel — are now captured in Tier 1 of this document. PROJECT_SECURITY_REPORTING.md should be updated to redirect to this document.
---
<!-- Link references -->
<!-- Progression and governance -->
[progression]: https://github.com/openjs-foundation/cross-project-council/blob/main/PROJECT_PROGRESSION.md
[security-reporting]: https://github.com/openjs-foundation/cross-project-council/blob/main/PROJECT_SECURITY_REPORTING.md
[compliance-guide]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT
[cvd-guidelines]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/context-CVDTool.md
[cpc-governance]: https://github.com/openjs-foundation/cross-project-council/blob/main/GOVERNANCE.md
<!-- Compliance guide individual items -->
<!-- Filenames use category-guideline.md convention. Update paths if the compliance guide restructures. -->
<!-- Tier 1 -->
[cg-securityPolicy]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-securityPolicyMeetsStandards.md
[cg-respond14]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-respond14Days.md
[cg-ghMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/enforceMFAonOrgs-ghOrgEnforceMFA.md
[cg-npmMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/enforceMFAonOrgs-npmOrgEnforceMFA.md
[cg-noCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-credsNotInProjectRepoFiles.md
[cg-preventDeletion]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghDefaultBranchPreventDeletion.md
[cg-depVulns]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-depMgmtWithVulns.md
<!-- Tier 2 — Access Governance -->
[cg-useGhOrgs]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-useGhOrgs.md
[cg-useNpmOrgs]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-useNpmOrgsTeams.md
[cg-ghDocWrite]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/defineRolesAndPerms-ghDocRepoWriteAcces.md
[cg-npmDocPublish]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/defineRolesAndPerms-npmDocPublishAccess.md
[cg-ownerContinuity]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-ghOwnerContinuityPolicy.md
[cg-restrictDefault]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useRBACfeatures-ghOrgRestrictDefaultMemberPerms.md
<!-- Tier 2 — CI/CD Security -->
[cg-checkCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-checkCommits4Creds.md
[cg-checksPass]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghCommitChecksMustPass.md
[cg-tokenReadOnly]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghDefaultTokenPermsReadOnly.md
[cg-pinActions]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghPinActionsWithSecrets.md
[cg-injectSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghInjectSecretsAtRuntime.md
[cg-granularTokens]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmOnlyUseGranularAccessTokens.md
[cg-npmPubAccess]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmPackagePublishingAccess.md
[cg-restrictSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghRestrictSecretsToRepos.md
<!-- Tier 2 — Credential Management -->
[cg-webhookSecrets]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghWebhooksUseSecrets.md
<!-- Tier 2 — Vulnerability Management -->
[cg-incidentResponse]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-docIncidentResponsePlan.md
[cg-cveInNotes]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-includeCVEInReleaseNotes.md
[cg-90day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-nonCriticalVulns90Days.md
<!-- Tier 3 — Hardened Authentication -->
[cg-hwKeyGh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-ghMFAUseHwKeyInteractive.md
[cg-hwKeyGhNon]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-ghMFAUseHwKeyNonInteractive.md
[cg-hwKeyNpm]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/useHwOrPassKey-npmMFAUseHwKey.md
[cg-phishGh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/usePhishingResistentMFA-ghMFAphishingResistant.md
[cg-phishNpm]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/usePhishingResistentMFA-npmMFAphishingResistant.md
<!-- Tier 3 — Strengthened Source Control -->
[cg-requirePR]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghMergingRequiresPr.md
[cg-twoParty]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/multiPartyReviews-ghTwoPartyReview.md
[cg-codeOwner]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/multiPartyReviews-ghCodeOwnerReviewForLargeTeams.md
[cg-signedCommits]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghRequireSignedCommits.md
[cg-noForcePush]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghDefaultBranchNoForcePush.md
[cg-noAdminBypass]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/branchProtection-ghPreventAdminBypass.md
<!-- Tier 3 — Advanced CI/CD -->
[cg-sast]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-staticAppSecTesting.md
[cg-staticAnalysis]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ciCdScanners-staticCodeAnalysis.md
[cg-blockCreds]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-ghBlockCommitsWithCreds.md
[cg-noArbitrary]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghNoArbitraryCodeInPipeline.md
[cg-noSelfHosted]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghNoSelfHostedRunners.md
[cg-preventInjection]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghPreventScriptInjection.md
[cg-npmPubMFA]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/properCredUse-npmPublishingWithMFA.md
[cg-verifiedActions]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghVerifiedActionsOnly.md
[cg-forkApproval]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/ghWorkflowSec-ghForkWorkflowApproval.md
<!-- Tier 3 — Accelerated Vulnerability Response -->
[cg-30day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-criticalVulns30Days.md
[cg-14day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-exploitableHighCritVulns14Days.md
[cg-60day]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnRemediationTimelines-exploitableNonCritVulns60Days.md
[cg-assignCVE]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-assignCVEForKnownVulns.md
<!-- Tier 3 — Governance & Training -->
[cg-docArch]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/projectDocumentation-docSoftwareArchitecture.md
[cg-regressionTests]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/vulnPrevention-regressionTestsForVulns.md
[cg-owasp]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/securityTraining-owaspTop10Training.md
[cg-secDesign]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/securityTraining-softwareDesignTraining.md
[cg-upgradePaths]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/projectDocumentation-upgradePathsForOlderReleases.md
[cg-annualRefresh]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/governance-annualDependencyRefresh.md
[cg-releaseTags]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/releaseDocumentation-releasesUseGitTags.md
<!-- Tier 3 — Access Hardening -->
[cg-limitGhOwners]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-ghOrgOwners.md
[cg-limitGhAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-ghRepoAdmins.md
[cg-limitNpmOwners]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumOrgOwners.md
[cg-limitNpmAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumOrgAdmins.md
[cg-limitNpmMembers]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/limitOwnersAndAdmins-npmNumMembers.md
[cg-activeAdmins]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/permsRequireActivity-activeGhAdmins.md
[cg-activeWrite]: https://github.com/openjs-foundation/security-collab-space/tree/main/docs/OpenJS_Security_Compliance_Guidelines/v2-DRAFT/guidelines/permsRequireActivity-activeGhWriteAccess.md