
Priority Group Indexes

Priority Index Option 1.1

Priority Group 1

  • User Authentication
    • Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization
    • Multi-Factor Authentication (MFA) Enforced Across the npm Organization
    • Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
    • Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available

Priority Group 2

  • Service Authentication
    • No Secrets or Credentials in Source Code
    • Secrets are Injected at Runtime, e.g. as Environment Variables or as a File (such as via GitHub Secrets)
  • Code Quality
    • All Commits are Scanned for Secrets and Credentials
    • New Commits Containing Secrets or Credentials are Blocked from Merging

Priority Group 3

  • User Authentication
    • Use Passphrase-Protected SSH Keys for Developer Access to Source Code Repositories
  • Service Authentication
    • Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens
    • GitHub Webhooks Use Secrets

Priority Group 4

  • User Account Permissions
    • Default GitHub Org Member Permissions Should Be Restricted
    • Only Admins Should Be Able to Create Public Repositories
    • [For Projects with Two or More Admins] Do Not Allow Admins to Bypass Branch Protection Settings
    • Define Roles Aligned to Functional Responsibilities
    • Define the Individuals/Teams Who Have Write Access to a GitHub Repo
    • [For Projects with Two or More Owners] Have at Least Two Owners Configured for Access Continuity

Priority Group 5

  • Vulnerability Management
    • Actively Exploited Critical Vulnerabilities Patched within 30 Days
    • Non-Critical Exploitable Vulnerabilities Patched within 90 Days

Priority Group 6

  • Dependencies
    • An Automated Process to Identify Dependencies with Publicly Disclosed Vulnerabilities
  • Code Quality
    • Use an Automated Static Code Analysis Tool (e.g. ESLint)
    • Compiler/Linter Warnings Addressed in Order to Merge
    • All Commits are Scanned by a Static Application Security Testing (SAST) Tool
    • All Required Commit Status Checks Must Pass Before Merging

Priority Index Option 1.2

Priority Group 1

  • User Authentication
    1. Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization
    2. Multi-Factor Authentication (MFA) Enforced Across the npm Organization
    3. Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
    4. Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available

Priority Group 2

  • Service Authentication
    5. No Secrets or Credentials in Source Code
    6. Secrets are Injected at Runtime, e.g. as Environment Variables or as a File (such as via GitHub Secrets)
  • Code Quality
    7. All Commits are Scanned for Secrets and Credentials
    8. New Commits Containing Secrets or Credentials are Blocked from Merging

Priority Group 3

  • User Authentication
    9. Use Passphrase-Protected SSH Keys for Developer Access to Source Code Repositories
  • Service Authentication
    10. Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens
    11. GitHub Webhooks Use Secrets

Priority Group 4

  • User Account Permissions
    12. Default GitHub Org Member Permissions Should Be Restricted
    13. Only Admins Should Be Able to Create Public Repositories
    14. [For Projects with Two or More Admins] Do Not Allow Admins to Bypass Branch Protection Settings
    15. Define Roles Aligned to Functional Responsibilities
    16. Define the Individuals/Teams Who Have Write Access to a GitHub Repo
    17. [For Projects with Two or More Owners] Have at Least Two Owners Configured for Access Continuity

Priority Group 5

  • Vulnerability Management
    18. Actively Exploited Critical Vulnerabilities Patched within 30 Days
    19. Non-Critical Exploitable Vulnerabilities Patched within 90 Days

Priority Group 6

  • Dependencies
    20. An Automated Process to Identify Dependencies with Publicly Disclosed Vulnerabilities
  • Code Quality
    21. Use an Automated Static Code Analysis Tool (e.g. ESLint)
    22. Compiler/Linter Warnings Addressed in Order to Merge
    23. All Commits are Scanned by a Static Application Security Testing (SAST) Tool
    24. All Required Commit Status Checks Must Pass Before Merging

Priority Index Option 1.3

Priority Group 1

  • User Authentication
    1.1. Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization
    1.2. Multi-Factor Authentication (MFA) Enforced Across the npm Organization
    1.3. Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
    1.4. Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available

Priority Index Option 1.4

User Authentication

(UA-MFGH) Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization
(UA-MFNPM) Multi-Factor Authentication (MFA) Enforced Across the npm Organization
(UA-MFO) Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
(UA-MFI) Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available

Priority Index Option 2.1

Priority Group 1

| Category | Guideline |
| --- | --- |
| User Authentication | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| User Authentication | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| User Authentication | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| User Authentication | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Group 2

| Category | Guideline |
| --- | --- |
| Service Authentication | No Secrets or Credentials in Source Code |
| Service Authentication | Secrets are Injected at Runtime, e.g. as Environment Variables or as a File (such as via GitHub Secrets) |
| Code Quality | All Commits are Scanned for Secrets and Credentials |
| Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |

Priority Group 3

| Category | Guideline |
| --- | --- |
| User Authentication | Use Passphrase-Protected SSH Keys for Developer Access to Source Code Repositories |
| Service Authentication | Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens |
| Service Authentication | GitHub Webhooks Use Secrets |

Priority Group 4

| Category | Guideline |
| --- | --- |
| User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| User Account Permissions | Only Admins Should Be Able to Create Public Repositories |
| User Account Permissions | [For Projects with Two or More Admins] Do Not Allow Admins to Bypass Branch Protection Settings |
| User Account Permissions | Define Roles Aligned to Functional Responsibilities |
| User Account Permissions | Define the Individuals/Teams Who Have Write Access to a GitHub Repo |
| User Account Permissions | [For Projects with Two or More Owners] Have at Least Two Owners Configured for Access Continuity |

Priority Group 5

| Category | Guideline |
| --- | --- |
| Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days |
| Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days |

Priority Group 6

| Category | Guideline |
| --- | --- |
| Dependencies | An Automated Process to Identify Dependencies with Publicly Disclosed Vulnerabilities |
| Code Quality | Use an Automated Static Code Analysis Tool (e.g. ESLint) |
| Code Quality | Compiler/Linter Warnings Addressed in Order to Merge |
| Code Quality | All Commits are Scanned by a Static Application Security Testing (SAST) Tool |
| Code Quality | All Required Commit Status Checks Must Pass Before Merging |

Priority Index Option 2.2

Priority Group 1

| ID | Guideline |
| --- | --- |
| UA:MFG | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| UA:MFN | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| UA:MFO | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| UA:MFI | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Index Option 2.3

Priority Group 1

| ID | Category | Guideline |
| --- | --- | --- |
| 1.1 | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| 1.2 | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| 1.3 | User Authentication | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| 1.4 | User Authentication | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Group 2

| ID | Category | Guideline |
| --- | --- | --- |
| 3.1 | Service Authentication | No Secrets or Credentials in Source Code |
| 3.2 | Service Authentication | Secrets are Injected at Runtime, e.g. as Environment Variables or as a File (such as via GitHub Secrets) |
| 7.3 | Code Quality | All Commits are Scanned for Secrets and Credentials |
| 7.4 | Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |

Priority Group 3

| ID | Category | Guideline |
| --- | --- | --- |
| 1.5 | User Authentication | Use Passphrase-Protected SSH Keys for Developer Access to Source Code Repositories |
| 3.3 | Service Authentication | Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens |
| 3.4 | Service Authentication | GitHub Webhooks Use Secrets |

Priority Group 4

| ID | Category | Guideline |
| --- | --- | --- |
| 2.1 | User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| 2.2 | User Account Permissions | Only Admins Should Be Able to Create Public Repositories |
| 2.3 | User Account Permissions | [For Projects with Two or More Admins] Do Not Allow Admins to Bypass Branch Protection Settings |
| 2.4 | User Account Permissions | Define Roles Aligned to Functional Responsibilities |
| 2.5 | User Account Permissions | Define the Individuals/Teams Who Have Write Access to a GitHub Repo |
| 2.6 | User Account Permissions | [For Projects with Two or More Owners] Have at Least Two Owners Configured for Access Continuity |

Priority Group 5

| ID | Category | Guideline |
| --- | --- | --- |
| 5.1 | Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days |
| 5.2 | Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days |

Priority Group 6

| ID | Category | Guideline |
| --- | --- | --- |
| 10.1 | Dependencies | An Automated Process to Identify Dependencies with Publicly Disclosed Vulnerabilities |
| 7.1 | Code Quality | Use an Automated Static Code Analysis Tool (e.g. ESLint) |
| 7.2 | Code Quality | Compiler/Linter Warnings Addressed in Order to Merge |
| 7.3 | Code Quality | All Commits are Scanned by a Static Application Security Testing (SAST) Tool |
| 7.4 | Code Quality | All Required Commit Status Checks Must Pass Before Merging |

Priority Index Option 3.1

Priority Group 1

| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 1.1 | E | E | E | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| 1.2 | E | E | E | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| 1.3 | E | E | E | User Authentication | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| 1.4 | E | E | E | User Authentication | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Group 2

| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 3.1 | E | E | E | Service Authentication | No Secrets or Credentials in Source Code |
| 3.2 | E | E | E | Service Authentication | Secrets are Injected at Runtime, e.g. as Environment Variables or as a File (such as via GitHub Secrets) |
| 7.3 | E | E | E | Code Quality | All Commits are Scanned for Secrets and Credentials |
| 7.4 | E | E | E | Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |

Priority Group 3

| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 1.5 | E | E | E | User Authentication | Use Passphrase-Protected SSH Keys for Developer Access to Source Code Repositories |
| 3.3 | E | E | E | Service Authentication | Publish to npm Using an MFA-Enabled Account Rather than Single-Factor Legacy or Granular Access Tokens |
| 3.4 | E | E | E | Service Authentication | GitHub Webhooks Use Secrets |

Priority Group 4

| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 2.1 | E | E | E | User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| 2.2 | E | E | E | User Account Permissions | Only Admins Should Be Able to Create Public Repositories |
| 2.3 | E | E | E | User Account Permissions | [For Projects with Two or More Admins] Do Not Allow Admins to Bypass Branch Protection Settings |
| 2.4 | E | E | E | User Account Permissions | Define Roles Aligned to Functional Responsibilities |
| 2.5 | E | E | E | User Account Permissions | Define the Individuals/Teams Who Have Write Access to a GitHub Repo |
| 2.6 | E | E | E | User Account Permissions | [For Projects with Two or More Owners] Have at Least Two Owners Configured for Access Continuity |

Priority Index Option 3.2

Priority Group 1

| I | A | R | ID | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| E | E | E | 1.2 | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| E | E | E | 1.3 | User Authentication | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| E | E | E | 1.4 | User Authentication | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| E | E | E | 1.5 | User Authentication | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Index Option 3.3

Priority Group 1

| I | A | R | Category | ID | Guideline |
| --- | --- | --- | --- | --- | --- |
| E | E | E | User Authentication | 1.2 | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| E | E | E | User Authentication | 1.3 | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| E | E | E | User Authentication | 1.4 | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| E | E | E | User Authentication | 1.5 | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Index Option 4.1

Priority Group 1

| ID | Inc | AL&I | Ar | Guideline |
| --- | --- | --- | --- | --- |
| UA:MFG | E | E | E | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization |
| UA:MFN | E | E | E | Multi-Factor Authentication (MFA) Enforced Across the npm Organization |
| UA:MFO | E | E | E | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| UA:MFI | E | E | E | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |

Priority Index Option 4.2

Priority Group 1

| ID | Guideline | In | AL&I | Ar |
| --- | --- | --- | --- | --- |
| UA:MFG | Multi-Factor Authentication (MFA) Enforced Across the GitHub Organization | E | E | E |
| UA:MFN | Multi-Factor Authentication (MFA) Enforced Across the npm Organization | E | E | E |
| UA:MFO | Multi-Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible | E | E | E |
| UA:MFI | Use Multi-Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | E | E | E |