Priority Group Indexes
Priority Index Option 1.1
Priority Group 1
- User Authentication
  - Multi Factor Authentication (MFA) Enforced Across the GitHub Organization
  - Multi Factor Authentication (MFA) Enforced Across the npm Organization
  - Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
  - Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available
Priority Group 2
- Service Authentication
  - No Secrets and Credentials in Source Code
  - Secrets are injected at runtime, such as via environment variables or as a file (e.g. use GitHub Secrets)
- Code Quality
  - All Commits are Scanned for Secrets and Credentials
  - New Commits Containing Secrets or Credentials are Blocked from Merging
Priority Group 3
- User Authentication
  - Use SSH keys for developer access to source code repositories and use a passphrase
- Service Authentication
  - Publish to npm using an MFA-enabled account rather than single-factor legacy or granular access tokens
  - GitHub Webhooks Use Secrets
Priority Group 4
- User Account Permissions
  - Default GitHub Org Member Permissions Should Be Restricted
  - Only Admins Should Be Able To Create Public Repositories
  - [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings
  - Define roles aligned to functional responsibilities
  - Define Individuals/Teams who Have Write Access to a GitHub Repo
  - [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity
Priority Group 5
- Vulnerability Management
  - Actively Exploited Critical Vulnerabilities Patched within 30 Days
  - Non-Critical Exploitable Vulnerabilities Patched within 90 Days
Priority Group 6
- Dependencies
  - An automated process to identify dependencies with publicly disclosed vulnerabilities
- Code Quality
  - Use an Automated Static Code Analysis Tool (e.g. ESLint)
  - Compiler/Linter Warnings Addressed in order to Merge
  - All Commits are Scanned by a Static Application Security Testing Tool
  - All Required Commit Status Checks must pass before Merging
Priority Index Option 1.2
Priority Group 1
- User Authentication
  1. Multi Factor Authentication (MFA) Enforced Across the GitHub Organization
  2. Multi Factor Authentication (MFA) Enforced Across the npm Organization
  3. Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
  4. Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available
Priority Group 2
- Service Authentication
  5. No Secrets and Credentials in Source Code
  6. Secrets are injected at runtime, such as via environment variables or as a file (e.g. use GitHub Secrets)
- Code Quality
  7. All Commits are Scanned for Secrets and Credentials
  8. New Commits Containing Secrets or Credentials are Blocked from Merging
Priority Group 3
- User Authentication
  9. Use SSH keys for developer access to source code repositories and use a passphrase
- Service Authentication
  10. Publish to npm using an MFA-enabled account rather than single-factor legacy or granular access tokens
  11. GitHub Webhooks Use Secrets
Priority Group 4
- User Account Permissions
  12. Default GitHub Org Member Permissions Should Be Restricted
  13. Only Admins Should Be Able To Create Public Repositories
  14. [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings
  15. Define roles aligned to functional responsibilities
  16. Define Individuals/Teams who Have Write Access to a GitHub Repo
  17. [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity
Priority Group 5
- Vulnerability Management
  18. Actively Exploited Critical Vulnerabilities Patched within 30 Days
  19. Non-Critical Exploitable Vulnerabilities Patched within 90 Days
Priority Group 6
- Dependencies
  20. An automated process to identify dependencies with publicly disclosed vulnerabilities
- Code Quality
  21. Use an Automated Static Code Analysis Tool (e.g. ESLint)
  22. Compiler/Linter Warnings Addressed in order to Merge
  23. All Commits are Scanned by a Static Application Security Testing Tool
  24. All Required Commit Status Checks must pass before Merging
Priority Index Option 1.3
Priority Group 1
- User Authentication
  1.1. Multi Factor Authentication (MFA) Enforced Across the GitHub Organization
  1.2. Multi Factor Authentication (MFA) Enforced Across the npm Organization
  1.3. Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
  1.4. Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available
Priority Index Option 1.4
User Authentication
(UA-MFGH) Multi Factor Authentication (MFA) Enforced Across the GitHub Organization
(UA-MFNPM) Multi Factor Authentication (MFA) Enforced Across the npm Organization
(UA-MFO) Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible
(UA-MFI) Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available
Priority Index Option 2.1
Priority Group 1
| Category | Guideline |
| --- | --- |
| User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Group 2
| Category | Guideline |
| --- | --- |
| Service Authentication | No Secrets and Credentials in Source Code |
| Service Authentication | Secrets are injected at runtime, such as via environment variables or as a file (e.g. use GitHub Secrets) |
| Code Quality | All Commits are Scanned for Secrets and Credentials |
| Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |
Priority Group 3
| Category | Guideline |
| --- | --- |
| User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase |
| Service Authentication | Publish to npm using an MFA-enabled account rather than single-factor legacy or granular access tokens |
| Service Authentication | GitHub Webhooks Use Secrets |
Priority Group 4
| Category | Guideline |
| --- | --- |
| User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| User Account Permissions | Only Admins Should Be Able To Create Public Repositories |
| User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings |
| User Account Permissions | Define roles aligned to functional responsibilities |
| User Account Permissions | Define Individuals/Teams who Have Write Access to a GitHub Repo |
| User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity |
Priority Group 5
| Category | Guideline |
| --- | --- |
| Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days |
| Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days |
Priority Group 6
| Category | Guideline |
| --- | --- |
| Dependencies | An automated process to identify dependencies with publicly disclosed vulnerabilities |
| Code Quality | Use an Automated Static Code Analysis Tool (e.g. ESLint) |
| Code Quality | Compiler/Linter Warnings Addressed in order to Merge |
| Code Quality | All Commits are Scanned by a Static Application Security Testing Tool |
| Code Quality | All Required Commit Status Checks must pass before Merging |
Priority Index Option 2.2
Priority Group 1
| ID | Guideline |
| --- | --- |
| UA:MFG | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| UA:MFN | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| UA:MFO | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| UA:MFI | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Index Option 2.3
Priority Group 1
| ID | Category | Guideline |
| --- | --- | --- |
| 1.1 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| 1.2 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| 1.3 | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| 1.4 | User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Group 2
| ID | Category | Guideline |
| --- | --- | --- |
| 3.1 | Service Authentication | No Secrets and Credentials in Source Code |
| 3.2 | Service Authentication | Secrets are injected at runtime, such as via environment variables or as a file (e.g. use GitHub Secrets) |
| 7.3 | Code Quality | All Commits are Scanned for Secrets and Credentials |
| 7.4 | Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |
Priority Group 3
| ID | Category | Guideline |
| --- | --- | --- |
| 1.5 | User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase |
| 3.3 | Service Authentication | Publish to npm using an MFA-enabled account rather than single-factor legacy or granular access tokens |
| 3.4 | Service Authentication | GitHub Webhooks Use Secrets |
Priority Group 4
| ID | Category | Guideline |
| --- | --- | --- |
| 2.1 | User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| 2.2 | User Account Permissions | Only Admins Should Be Able To Create Public Repositories |
| 2.3 | User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings |
| 2.4 | User Account Permissions | Define roles aligned to functional responsibilities |
| 2.5 | User Account Permissions | Define Individuals/Teams who Have Write Access to a GitHub Repo |
| 2.6 | User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity |
Priority Group 5
| ID | Category | Guideline |
| --- | --- | --- |
| 5.1 | Vulnerability Management | Actively Exploited Critical Vulnerabilities Patched within 30 Days |
| 5.2 | Vulnerability Management | Non-Critical Exploitable Vulnerabilities Patched within 90 Days |
Priority Group 6
| ID | Category | Guideline |
| --- | --- | --- |
| 10.1 | Dependencies | An automated process to identify dependencies with publicly disclosed vulnerabilities |
| 7.1 | Code Quality | Use an Automated Static Code Analysis Tool (e.g. ESLint) |
| 7.2 | Code Quality | Compiler/Linter Warnings Addressed in order to Merge |
| 7.3 | Code Quality | All Commits are Scanned by a Static Application Security Testing Tool |
| 7.4 | Code Quality | All Required Commit Status Checks must pass before Merging |
Priority Index Option 3.1
Priority Group 1
| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 1.1 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| 1.3 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| 1.4 | E | E | E | User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Group 2
| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 3.1 | E | E | E | Service Authentication | No Secrets and Credentials in Source Code |
| 3.2 | E | E | E | Service Authentication | Secrets are injected at runtime, such as via environment variables or as a file (e.g. use GitHub Secrets) |
| 7.3 | E | E | E | Code Quality | All Commits are Scanned for Secrets and Credentials |
| 7.4 | E | E | E | Code Quality | New Commits Containing Secrets or Credentials are Blocked from Merging |
Priority Group 3
| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 1.5 | E | E | E | User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase |
| 3.3 | E | E | E | Service Authentication | Publish to npm using an MFA-enabled account rather than single-factor legacy or granular access tokens |
| 3.4 | E | E | E | Service Authentication | GitHub Webhooks Use Secrets |
Priority Group 4
| ID | I | A | R | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| 2.1 | E | E | E | User Account Permissions | Default GitHub Org Member Permissions Should Be Restricted |
| 2.2 | E | E | E | User Account Permissions | Only Admins Should Be Able To Create Public Repositories |
| 2.3 | E | E | E | User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings |
| 2.4 | E | E | E | User Account Permissions | Define roles aligned to functional responsibilities |
| 2.5 | E | E | E | User Account Permissions | Define Individuals/Teams who Have Write Access to a GitHub Repo |
| 2.6 | E | E | E | User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity |
Priority Index Option 3.2
Priority Group 1
| I | A | R | ID | Category | Guideline |
| --- | --- | --- | --- | --- | --- |
| E | E | E | 1.2 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| E | E | E | 1.3 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| E | E | E | 1.4 | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| E | E | E | 1.5 | User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Index Option 3.3
Priority Group 1
| I | A | R | Category | ID | Guideline |
| --- | --- | --- | --- | --- | --- |
| E | E | E | User Authentication | 1.2 | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| E | E | E | User Authentication | 1.3 | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| E | E | E | User Authentication | 1.4 | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| E | E | E | User Authentication | 1.5 | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Index Option 4.1
Priority Group 1
| ID | Inc | AL&I | Ar | Guideline |
| --- | --- | --- | --- | --- |
| UA:MFG | E | E | E | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| UA:MFN | E | E | E | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| UA:MFO | E | E | E | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| UA:MFI | E | E | E | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available |
Priority Index Option 4.2
Priority Group 1
| ID | Guideline | In | AL&I | Ar |
| --- | --- | --- | --- | --- |
| UA:MFG | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization | E | E | E |
| UA:MFN | Multi Factor Authentication (MFA) Enforced Across the npm Organization | E | E | E |
| UA:MFO | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible | E | E | E |
| UA:MFI | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | E | E | E |