diff --git a/docs/probes.md b/docs/probes.md index ca9dfebdb70..16c7db619ad 100644 --- a/docs/probes.md +++ b/docs/probes.md @@ -7,6 +7,8 @@ please [contribute](../CONTRIBUTING.md)! ## archived +**Lifecycle**: stable + **Description**: Check that the project is archived **Motivation**: An archived project will not received security patches, and is not actively tested or used. @@ -19,6 +21,8 @@ If the project is not archived, the outcome is OutcomeFalse. ## blocksDeleteOnBranches +**Lifecycle**: stable + **Description**: Check that the project blocks non-admins from deleting branches. **Motivation**: Allowing non-admins to delete project branches has a similar effect to performing force pushes. @@ -30,6 +34,8 @@ If the project is not archived, the outcome is OutcomeFalse. ## blocksForcePushOnBranches +**Lifecycle**: stable + **Description**: Check that the project blocks force push on its branches. **Motivation**: Allowing force pushes to branches could allow those with write access to make insecure changes to the behavior of the project. @@ -42,6 +48,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## branchProtectionAppliesToAdmins +**Lifecycle**: stable + **Description**: Check that the project's branch protection rules apply to project admins. **Motivation**: Admins may be able to bypass branch protection settings which could defeat the purpose of having them. @@ -53,6 +61,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## branchesAreProtected +**Lifecycle**: stable + **Description**: Check that the project uses protected branches. **Motivation**: Unprotected branches may allow actions that could compromise the project's security. @@ -64,6 +74,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## codeApproved +**Lifecycle**: stable + **Description**: Check that all recent changesets have been approved by someone who is not the author of the changeset. **Motivation**: To ensure that the review process works, the proposed changes should have a minimum number of approvals. @@ -77,6 +89,8 @@ If there are no changes, the probe returns OutcomeNotApplicable ## codeReviewOneReviewers +**Lifecycle**: experimental + **Description**: Check that at least one reviewers review a change before merging. **Motivation**: To ensure that the review process works, the proposed changes should have a minimum number of approvals. @@ -89,6 +103,8 @@ If the changes had fewer than one reviewers, the prove returns OutcomeFalse (0) ## contributorsFromOrgOrCompany +**Lifecycle**: experimental + **Description**: Checks whether a project has a contributions from users associated with a company or organization. **Motivation**: This probe tries to determine if the project has recent contributors from multiple organizations. For some projects, having a diverse group of contributors is an indicator of project health. @@ -101,6 +117,8 @@ If the project has contributing organizations, the probe returns 1 OutcomeTrue p ## createdRecently +**Lifecycle**: stable + **Description**: Checks if the project was created in the last 90 days. **Motivation**: Recently created repositories have been used for malicious forks / typosquatting attacks in the past. A newly created repo is not a strong signal on its own, but can be a useful piece of information. @@ -113,6 +131,8 @@ If the project is older than 90 days, the outcome is OutcomeFalse. The finding w ## dependencyUpdateToolConfigured +**Lifecycle**: stable + **Description**: Check that a dependency update tool config is present. **Motivation**: Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. Tools can help the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found. @@ -125,6 +145,8 @@ If no tool is detected, the probe returns OutcomeFalse. ## dismissesStaleReviews +**Lifecycle**: stable + **Description**: Check that the project dismisses stale reviews when new commits are pushed. **Motivation**: When a project does not dismiss stale reviews, contributors can bring their pull requests to an approved state and then make unreviewed commits. @@ -136,6 +158,8 @@ If no tool is detected, the probe returns OutcomeFalse. ## fuzzed +**Lifecycle**: stable + **Description**: Check that the project is fuzzed **Motivation**: Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws. @@ -148,6 +172,8 @@ If no fuzzing tool is found, or the project uses a tool we don't detect, one fin ## hasBinaryArtifacts +**Lifecycle**: stable + **Description**: Checks if the project has any binary files in its source tree. **Motivation**: Binary files are not human readable so users and reviewers can't easily see what they do. @@ -160,6 +186,8 @@ If the probe finds no binary files, it returns a single OutcomeFalse. ## hasDangerousWorkflowScriptInjection +**Lifecycle**: stable + **Description**: Check whether the project has GitHub Actions workflows that enable script injection. **Motivation**: Script injections allow attackers to use untrusted input to access privileged resources (code execution, secret exfiltration, etc.) @@ -172,6 +200,8 @@ If no dangerous patterns are found, the probe returns one finding with OutcomeFa ## hasDangerousWorkflowUntrustedCheckout +**Lifecycle**: stable + **Description**: Check whether the project has GitHub Actions workflows that does untrusted checkouts. **Motivation**: GitHub workflows triggered with pull_request_target or workflow_run have write permission to the target repository and access to target repository secrets. Combined with a dangerous checkout of PR contents, attackers may be able to compromise the repository, for example, by using build scripts controlled by the PR author. @@ -184,6 +214,8 @@ The probe returns one finding with OutcomeFalse if no untrusted checkouts are de ## hasFSFOrOSIApprovedLicense +**Lifecycle**: stable + **Description**: Check that the project has an FSF or OSI approved license. **Motivation**: A license can give users information about how the source code may or may not be used. Using a recognized license facilitates security or legal reviews for potential users. @@ -197,6 +229,8 @@ If the license is not of an approved format, the probe returns a single OutcomeF ## hasLicenseFile +**Lifecycle**: stable + **Description**: Check that the project has a license file **Motivation**: A license can give users information about how the source code may or may not be used. The lack of a license will impede any kind of security review or audit and creates a legal risk for potential users. @@ -209,6 +243,8 @@ If a license file is not found, the probe returns a single OutcomeFalse. ## hasNoGitHubWorkflowPermissionUnknown +**Lifecycle**: experimental + **Description**: Checks that GitHub workflows have workflows with unknown permissions **Motivation**: Unknown permissions may be a result of a bug or another error from fetching the permission levels. @@ -221,6 +257,8 @@ The probe returns 1 true outcome if the project has no workflows with unknown pe ## hasOSVVulnerabilities +**Lifecycle**: stable + **Description**: Check whether the project has known vulnerabilities **Motivation**: This check determines whether the project has open, unfixed vulnerabilities in its own codebase or its dependencies using the OSV (Open Source Vulnerabilities) service. An open vulnerability may be exploited by attackers and should be fixed as soon as possible. @@ -233,6 +271,8 @@ If there are no known vulnerabilities detected, the probe returns one false outc ## hasOpenSSFBadge +**Lifecycle**: stable + **Description**: This check determines whether the project has an OpenSSF (formerly CII) Best Practices Badge. **Motivation**: The OpenSSF Best Practices badge indicates whether or not the project uses a set of security-focused best development practices for open source software. @@ -245,6 +285,8 @@ If the project does not have a badge, the probe returns one OutcomeFalse. ## hasPermissiveLicense +**Lifecycle**: stable + **Description**: Check that the project has an permissive license. **Motivation**: A permissive license allows users to use the analyzed component to be used in derivative works. Non-permissive licenses (as copyleft licenses) might be a legal risk for potential users. @@ -258,6 +300,8 @@ If the license is not permissive, the probe returns a single OutcomeFalse. ## hasRecentCommits +**Lifecycle**: stable + **Description**: Check whether the project has at least one commit per week over the last 90 days. **Motivation**: A project which is not active might not be patched, have its dependencies patched, or be actively tested and used. A lack of active maintenance should signal that potential users should investigate further to judge the situation. A project may not need further features or maintenance; In this case, the probe results can be disregarded. @@ -270,6 +314,8 @@ If the project does not have commits in the last 90 days, the probe returns a si ## hasReleaseSBOM +**Lifecycle**: experimental + **Description**: Check that the project publishes an SBOM as part of its release artifacts. **Motivation**: An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. @@ -282,6 +328,8 @@ If an SBOM artifact is not found, the probe returns a single OutcomeFalse. ## hasSBOM +**Lifecycle**: experimental + **Description**: Check that the project has an SBOM file **Motivation**: An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. @@ -294,6 +342,8 @@ If an SBOM file is not found, the probe returns a single OutcomeFalse. ## hasUnverifiedBinaryArtifacts +**Lifecycle**: stable + **Description**: Checks if the project has binary files in its source tree. The probe skips verified binary files which currently are gradle-wrappers. **Motivation**: Binary files are not human readable so users and reviewers can't easily see what they do. @@ -306,6 +356,8 @@ If the probe finds no unverified binary files, it returns OutcomeFalse. ## issueActivityByProjectMember +**Lifecycle**: stable + **Description**: Checks that a collaborator, member or owner has participated in issues in the last 90 days. **Motivation**: A project which does not respond to issues may not be actively maintained. A lack of active maintenance should signal that potential users should investigate further to judge the situation. However a project may simply not have any recent issues; In this case, the probe results can be disregarded. @@ -318,6 +370,8 @@ If collaborators, members or owners have NOT participated in issues in the last ## jobLevelPermissions +**Lifecycle**: experimental + **Description**: Checks that GitHub workflows do not have "write" permissions at the "job" level. **Motivation**: In some circumstances, having "write" permissions at the "job" level may enable attackers to escalate privileges. @@ -330,6 +384,8 @@ The probe returns 1 true outcome if the project has no workflows "write" permiss ## packagedWithAutomatedWorkflow +**Lifecycle**: stable + **Description**: Checks whether the project uses automated packaging. **Motivation**: Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. In particular, they make it easy for users to receive security patches as updates. @@ -342,6 +398,8 @@ If the project doesn't use automated packaing we can detect, the outcome is nega ## pinsDependencies +**Lifecycle**: stable + **Description**: Check that the project pins dependencies to a specific digest. **Motivation**: Pinned dependencies ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility. They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised). @@ -355,6 +413,8 @@ If the project has no supported dependencies, the probe returns OutcomeNotApplic ## releasesAreSigned +**Lifecycle**: stable + **Description**: Check that the projects GitHub and GitLab releases are signed. **Motivation**: Signed releases allow consumers to verify their artifacts before consuming them. @@ -368,6 +428,8 @@ If the project has no releases, the probe returns OutcomeNotApplicable. ## releasesHaveProvenance +**Lifecycle**: stable + **Description**: Check that the projects releases on GitHub and GitLab have provenance. **Motivation**: Provenance give users security-critical, verifiable information so that consumers can verify their artifacts before consuming them. @@ -381,6 +443,8 @@ If the project has no releases, the probe returns OutcomeNotApplicable. ## releasesHaveVerifiedProvenance +**Lifecycle**: experimental + **Description**: Checks if the project releases with provenance attestations that have been verified **Motivation**: Package provenance attestations provide a greater guarantee of authenticity and integrity than package signatures alone, since the attestation can be performed over a hash of both the package contents and metadata. Developers can attest to particular qualities of the build, such as the build environment, build steps or builder identity. @@ -393,6 +457,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresApproversForPullRequests +**Lifecycle**: stable + **Description**: Check that the project requires approvers for pull requests. **Motivation**: Requiring approvers for pull requests makes it harder to introduce vulnerable code to the project. @@ -404,6 +470,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresCodeOwnersReview +**Lifecycle**: stable + **Description**: Check that the project requires dedicated code owners to review PRs. **Motivation**: Code owners are expected to have deep knowledge about a code; Having experienced reviewers for PRs is expected to prevent security issues. @@ -415,6 +483,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresLastPushApproval +**Lifecycle**: stable + **Description**: Check that the project requires approval of the most recent push. **Motivation**: Requiring approval of the most recent push prevents contributors from sneaking malicious commits into a PR after it has been approved. @@ -426,6 +496,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresPRsToChangeCode +**Lifecycle**: stable + **Description**: Check that the project requires pull requests to change code. **Motivation**: Changing code through pull requests promotes testing and reviews of the suggested change. @@ -437,6 +509,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresUpToDateBranches +**Lifecycle**: stable + **Description**: Check that the project requires PRs to be in sync with the base branch. **Motivation**: Requiring PRs to be in sync with the base branch is good practice. @@ -448,6 +522,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## runsStatusChecksBeforeMerging +**Lifecycle**: stable + **Description**: Check that the project runs required status checks **Motivation**: Required status checks can check for common errors and resolve issues in PRs. @@ -459,6 +535,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## sastToolConfigured +**Lifecycle**: stable + **Description**: Check that the project uses a SAST tool **Motivation**: SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. @@ -471,6 +549,8 @@ If the project does not use a SAST tool, or uses a tool we dont currently detect ## sastToolRunsOnAllCommits +**Lifecycle**: stable + **Description**: Checks that a SAST tool runs on all commits in the projects CI. **Motivation**: SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. @@ -484,6 +564,8 @@ If the project does not run any SAST tools successfully on every pull request be ## securityPolicyContainsLinks +**Lifecycle**: stable + **Description**: Check that the security policy contains web or email links. **Motivation**: URLs point users to additional information as well as online disclosure forms. Emails provide a point of contact for vulnerability disclosure. @@ -497,6 +579,8 @@ If no security policy files are found, one finding with OutcomeFalse is returned ## securityPolicyContainsText +**Lifecycle**: stable + **Description**: Check that the security policy contains enough text and not just links. **Motivation**: Telling security researchers how to privately disclose problems with your project is important. The more details available, the better. @@ -510,6 +594,8 @@ If no security policy is found, one finding with OutcomeFalse is returned. ## securityPolicyContainsVulnerabilityDisclosure +**Lifecycle**: stable + **Description**: Check that the security policy indicates a vulnerability disclosure process. **Motivation**: If someone finds a vulnerability in the project, it is important for them to be able to communicate it to the maintainers. @@ -523,6 +609,8 @@ If no security policy is found, the probe returns one finding with OutcomeFalse. ## securityPolicyPresent +**Lifecycle**: stable + **Description**: Check if a security policy is defined in the repository or in the org's .github repository. **Motivation**: A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. If you have a large organization, having a unified security policy across all your repositories may simplify the vulnerability disclosure response. @@ -535,6 +623,8 @@ If no security file is found, one finding with OutcomeFalse is returned. ## testsRunInCI +**Lifecycle**: stable + **Description**: Checks that the project runs tests in the CI for example with GitHub Actions or Prow. **Motivation**: Running tests helps developers catch mistakes early on, which can reduce the number of vulnerabilities that find their way into a project. @@ -547,6 +637,8 @@ The probe returns a single OutcomeNotApplicable if the projects has had no pull ## topLevelPermissions +**Lifecycle**: experimental + **Description**: Checks that the project does not have any top-level write permissions in its workflows. **Motivation**: In some circumstances, having "write" permissions at the "top" level may enable attackers to escalate privileges. @@ -559,6 +651,8 @@ The probe returns 1 true outcome if the project has no workflows "write" permiss ## webhooksUseSecrets +**Lifecycle**: experimental + **Description**: This check determines whether the webhooks defined in the repository have secrets configured to authenticate the origins of requests. **Motivation**: Webhooks without secret authorization have the potential to make projects accessible to third-parties. diff --git a/docs/probes/internal/generate/main.go b/docs/probes/internal/generate/main.go index 0ee461f1675..126a1a17fc4 100644 --- a/docs/probes/internal/generate/main.go +++ b/docs/probes/internal/generate/main.go @@ -39,6 +39,7 @@ func printField(w io.Writer, name string, value any) { func printProbe(w io.Writer, p *pyaml.Probe) { // short, motivation, implementation, outcome, remediation, ecosystem fmt.Fprint(w, "\n"+"## "+p.ID+"\n\n") + printField(w, "Lifecycle", p.Lifecycle) printField(w, "Description", p.Short) printField(w, "Motivation", p.Motivation) printField(w, "Implementation", p.Implementation) diff --git a/finding/probe.go b/finding/probe.go index 33778f2aeff..0e3a07f0823 100644 --- a/finding/probe.go +++ b/finding/probe.go @@ -28,6 +28,9 @@ import ( // RemediationEffort indicates the estimated effort necessary to remediate a finding. type RemediationEffort int +// lifecycle indicates the probe's stability. +type lifecycle string + const ( // RemediationEffortNone indicates a no remediation effort. RemediationEffortNone RemediationEffort = iota @@ -37,6 +40,10 @@ const ( RemediationEffortMedium // RemediationEffortHigh indicates a high remediation effort. RemediationEffortHigh + + lifecycleExperimental lifecycle = "experimental" + lifecycleStable lifecycle = "stable" + lifecycleDeprecated lifecycle = "deprecated" ) // Remediation represents the remediation for a finding. @@ -109,6 +116,9 @@ func validate(r *pyaml.Probe, probeID string) error { if err := validateEcosystem(r.Ecosystem); err != nil { return err } + if err := validateLifecycle(lifecycle(r.Lifecycle)); err != nil { + return err + } return nil } @@ -178,6 +188,15 @@ func validateSupportedClients(r pyaml.Ecosystem) error { return nil } +func validateLifecycle(l lifecycle) error { + switch l { + case lifecycleExperimental, lifecycleStable, lifecycleDeprecated: + return nil + default: + return fmt.Errorf("%w: %v", errInvalid, fmt.Sprintf("lifecycle '%v'", l)) + } +} + func parseFromYAML(content []byte) (*pyaml.Probe, error) { r := pyaml.Probe{} diff --git a/finding/probe_test.go b/finding/probe_test.go index 0b02ba37c2f..a6bceabdacd 100644 --- a/finding/probe_test.go +++ b/finding/probe_test.go @@ -90,6 +90,18 @@ func Test_probeFromBytes(t *testing.T) { path: "testdata/invalid-client.yml", err: errInvalid, }, + { + name: "invalid lifecycle is an error", + id: "invalid-lifecycle", + path: "testdata/invalid-lifecycle.yml", + err: errInvalid, + }, + { + name: "missing lifecycle is an error", + id: "missing-lifecycle", + path: "testdata/missing-lifecycle.yml", + err: errInvalid, + }, } for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below diff --git a/finding/testdata/all-fields.yml b/finding/testdata/all-fields.yml index ff1627f7a00..18c4ce70a31 100644 --- a/finding/testdata/all-fields.yml +++ b/finding/testdata/all-fields.yml @@ -1,4 +1,5 @@ id: all-fields +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/effort-high.yml b/finding/testdata/effort-high.yml index ea005702b2d..6ff37e0e9f5 100644 --- a/finding/testdata/effort-high.yml +++ b/finding/testdata/effort-high.yml @@ -1,4 +1,5 @@ id: effort-high +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/effort-low.yml b/finding/testdata/effort-low.yml index b8db02dee9d..cc095c0689a 100644 --- a/finding/testdata/effort-low.yml +++ b/finding/testdata/effort-low.yml @@ -1,4 +1,5 @@ id: effort-low +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/invalid-client.yml b/finding/testdata/invalid-client.yml index 261c1197977..c99acde385b 100644 --- a/finding/testdata/invalid-client.yml +++ b/finding/testdata/invalid-client.yml @@ -1,4 +1,5 @@ id: invalid-client +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/invalid-effort.yml b/finding/testdata/invalid-effort.yml index 0fc9474478c..ddf98aebd69 100644 --- a/finding/testdata/invalid-effort.yml +++ b/finding/testdata/invalid-effort.yml @@ -1,4 +1,5 @@ id: invalid-effort +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/invalid-language.yml b/finding/testdata/invalid-language.yml index c697ad0a8c2..7a1e8b903d5 100644 --- a/finding/testdata/invalid-language.yml +++ b/finding/testdata/invalid-language.yml @@ -1,4 +1,5 @@ id: invalid-language +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/invalid-lifecycle.yml b/finding/testdata/invalid-lifecycle.yml new file mode 100644 index 00000000000..f8674544ec5 --- /dev/null +++ b/finding/testdata/invalid-lifecycle.yml @@ -0,0 +1,26 @@ +id: all-fields +lifecycle: foo +short: short description +motivation: > + mot1 + mot2 +implementation: > + impl1 + impl2 +remediation: + onOutcome: False + effort: Low + text: + - step1 + - step2 https://www.google.com/something + markdown: + - step1 + - step2 [google.com](https://www.google.com/something) +ecosystem: + languages: + - c + - c++ + clients: + - github + - gitlab + - localdir diff --git a/finding/testdata/metadata-variables.yml b/finding/testdata/metadata-variables.yml index 30c962b7d18..3ce1db88ad0 100644 --- a/finding/testdata/metadata-variables.yml +++ b/finding/testdata/metadata-variables.yml @@ -1,4 +1,5 @@ id: metadata-variables +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/missing-id.yml b/finding/testdata/missing-id.yml index 7fb1325e35d..08919865150 100644 --- a/finding/testdata/missing-id.yml +++ b/finding/testdata/missing-id.yml @@ -1,3 +1,4 @@ +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/missing-lifecycle.yml b/finding/testdata/missing-lifecycle.yml new file mode 100644 index 00000000000..ff1627f7a00 --- /dev/null +++ b/finding/testdata/missing-lifecycle.yml @@ -0,0 +1,25 @@ +id: all-fields +short: short description +motivation: > + mot1 + mot2 +implementation: > + impl1 + impl2 +remediation: + onOutcome: False + effort: Low + text: + - step1 + - step2 https://www.google.com/something + markdown: + - step1 + - step2 [google.com](https://www.google.com/something) +ecosystem: + languages: + - c + - c++ + clients: + - github + - gitlab + - localdir diff --git a/internal/probes/yaml/yaml.go b/internal/probes/yaml/yaml.go index 2759013e3f7..53c1943099d 100644 --- a/internal/probes/yaml/yaml.go +++ b/internal/probes/yaml/yaml.go @@ -31,6 +31,7 @@ type Probe struct { ID string `yaml:"id"` Short string `yaml:"short"` Motivation string `yaml:"motivation"` + Lifecycle string `yaml:"lifecycle"` Implementation string `yaml:"implementation"` Ecosystem Ecosystem `yaml:"ecosystem"` Outcomes []string `yaml:"outcome"` diff --git a/probes/README.md b/probes/README.md index 7acd973d76a..86e91442335 100644 --- a/probes/README.md +++ b/probes/README.md @@ -16,6 +16,13 @@ A probe consists of three files: - `impl.go`: The actual implementation of the probe. - `impl_test.go`: The probe's test. +## Lifecycle + +Probes can exist in several different lifecycle states: +* `Experimental`: The semantics of the probe may change, and there are no stability guarantees. +* `Stable`: The probe behavior and semantics will not change. There may be bug fixes as needed. +* `Deprecated`: The probe is no longer supported and callers should not expect it to be maintained. + ## Reusing code in probes When multiple probes use the same code, the reused code can be placed in a package under `probes/internal/` diff --git a/probes/archived/def.yml b/probes/archived/def.yml index 96a55830eb4..4b7c7502cff 100644 --- a/probes/archived/def.yml +++ b/probes/archived/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: archived +lifecycle: stable short: Check that the project is archived motivation: > An archived project will not received security patches, and is not actively tested or used. diff --git a/probes/blocksDeleteOnBranches/def.yml b/probes/blocksDeleteOnBranches/def.yml index 7eb618c2c9a..580d58688fe 100644 --- a/probes/blocksDeleteOnBranches/def.yml +++ b/probes/blocksDeleteOnBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: blocksDeleteOnBranches +lifecycle: stable short: Check that the project blocks non-admins from deleting branches. motivation: > Allowing non-admins to delete project branches has a similar effect to performing force pushes. diff --git a/probes/blocksForcePushOnBranches/def.yml b/probes/blocksForcePushOnBranches/def.yml index 5f93616e047..c7e3c1c9d96 100644 --- a/probes/blocksForcePushOnBranches/def.yml +++ b/probes/blocksForcePushOnBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: blocksForcePushOnBranches +lifecycle: stable short: Check that the project blocks force push on its branches. motivation: > Allowing force pushes to branches could allow those with write access to make insecure changes to the behavior of the project. diff --git a/probes/branchProtectionAppliesToAdmins/def.yml b/probes/branchProtectionAppliesToAdmins/def.yml index 008f4e14007..100623c729c 100644 --- a/probes/branchProtectionAppliesToAdmins/def.yml +++ b/probes/branchProtectionAppliesToAdmins/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: branchProtectionAppliesToAdmins +lifecycle: stable short: Check that the project's branch protection rules apply to project admins. motivation: > Admins may be able to bypass branch protection settings which could defeat the purpose of having them. diff --git a/probes/branchesAreProtected/def.yml b/probes/branchesAreProtected/def.yml index 81288456ee5..3ed8b4b8474 100644 --- a/probes/branchesAreProtected/def.yml +++ b/probes/branchesAreProtected/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: branchesAreProtected +lifecycle: stable short: Check that the project uses protected branches. motivation: > Unprotected branches may allow actions that could compromise the project's security. diff --git a/probes/codeApproved/def.yml b/probes/codeApproved/def.yml index 0b34a7a9b4a..c8a978ad740 100644 --- a/probes/codeApproved/def.yml +++ b/probes/codeApproved/def.yml @@ -14,6 +14,7 @@ id: codeApproved +lifecycle: stable short: Check that all recent changesets have been approved by someone who is not the author of the changeset. motivation: > To ensure that the review process works, the proposed changes diff --git a/probes/codeReviewOneReviewers/def.yml b/probes/codeReviewOneReviewers/def.yml index e0a47abf49f..a40c7bab790 100644 --- a/probes/codeReviewOneReviewers/def.yml +++ b/probes/codeReviewOneReviewers/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: codeReviewOneReviewers +lifecycle: experimental short: Check that at least one reviewers review a change before merging. motivation: > To ensure that the review process works, the proposed changes diff --git a/probes/contributorsFromOrgOrCompany/def.yml b/probes/contributorsFromOrgOrCompany/def.yml index 2cd0f4a560a..1538a26d4e0 100644 --- a/probes/contributorsFromOrgOrCompany/def.yml +++ b/probes/contributorsFromOrgOrCompany/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: contributorsFromOrgOrCompany +lifecycle: experimental short: Checks whether a project has a contributions from users associated with a company or organization. motivation: > This probe tries to determine if the project has recent contributors from multiple organizations. diff --git a/probes/createdRecently/def.yml b/probes/createdRecently/def.yml index b2fb844a040..6a20315360b 100644 --- a/probes/createdRecently/def.yml +++ b/probes/createdRecently/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: createdRecently +lifecycle: stable short: Checks if the project was created in the last 90 days. motivation: > Recently created repositories have been used for malicious forks / typosquatting attacks in the past. diff --git a/probes/dependencyUpdateToolConfigured/def.yml b/probes/dependencyUpdateToolConfigured/def.yml index 2a0dea93634..a2bc4f46db7 100644 --- a/probes/dependencyUpdateToolConfigured/def.yml +++ b/probes/dependencyUpdateToolConfigured/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: dependencyUpdateToolConfigured +lifecycle: stable short: Check that a dependency update tool config is present. motivation: > Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. diff --git a/probes/dismissesStaleReviews/def.yml b/probes/dismissesStaleReviews/def.yml index a642671bd1e..d915c29e119 100644 --- a/probes/dismissesStaleReviews/def.yml +++ b/probes/dismissesStaleReviews/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: dismissesStaleReviews +lifecycle: stable short: Check that the project dismisses stale reviews when new commits are pushed. motivation: > When a project does not dismiss stale reviews, contributors can bring their pull requests to an approved state and then make unreviewed commits. diff --git a/probes/fuzzed/def.yml b/probes/fuzzed/def.yml index c5cefdedfa9..f9c0dd4a0c0 100644 --- a/probes/fuzzed/def.yml +++ b/probes/fuzzed/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: fuzzed +lifecycle: stable short: Check that the project is fuzzed motivation: > Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. diff --git a/probes/hasBinaryArtifacts/def.yml b/probes/hasBinaryArtifacts/def.yml index 84c699e3c55..8c2f2d837c1 100644 --- a/probes/hasBinaryArtifacts/def.yml +++ b/probes/hasBinaryArtifacts/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasBinaryArtifacts +lifecycle: stable short: Checks if the project has any binary files in its source tree. motivation: > Binary files are not human readable so users and reviewers can't easily see what they do. diff --git a/probes/hasDangerousWorkflowScriptInjection/def.yml b/probes/hasDangerousWorkflowScriptInjection/def.yml index 176cf4c0218..7c4f482ae0c 100644 --- a/probes/hasDangerousWorkflowScriptInjection/def.yml +++ b/probes/hasDangerousWorkflowScriptInjection/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasDangerousWorkflowScriptInjection +lifecycle: stable short: Check whether the project has GitHub Actions workflows that enable script injection. motivation: > Script injections allow attackers to use untrusted input to access privileged resources (code execution, secret exfiltration, etc.) diff --git a/probes/hasDangerousWorkflowUntrustedCheckout/def.yml b/probes/hasDangerousWorkflowUntrustedCheckout/def.yml index 00c480b8e4a..ca94cbd2be1 100644 --- a/probes/hasDangerousWorkflowUntrustedCheckout/def.yml +++ b/probes/hasDangerousWorkflowUntrustedCheckout/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasDangerousWorkflowUntrustedCheckout +lifecycle: stable short: Check whether the project has GitHub Actions workflows that does untrusted checkouts. motivation: > GitHub workflows triggered with pull_request_target or workflow_run have write permission to the target repository and access to target repository secrets. diff --git a/probes/hasFSFOrOSIApprovedLicense/def.yml b/probes/hasFSFOrOSIApprovedLicense/def.yml index 2d0ae3b1634..25da80850ed 100644 --- a/probes/hasFSFOrOSIApprovedLicense/def.yml +++ b/probes/hasFSFOrOSIApprovedLicense/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasFSFOrOSIApprovedLicense +lifecycle: stable short: Check that the project has an FSF or OSI approved license. motivation: > A license can give users information about how the source code may or may not be used. diff --git a/probes/hasLicenseFile/def.yml b/probes/hasLicenseFile/def.yml index 3cf96a4089b..eeca9bad8a8 100644 --- a/probes/hasLicenseFile/def.yml +++ b/probes/hasLicenseFile/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasLicenseFile +lifecycle: stable short: Check that the project has a license file motivation: > A license can give users information about how the source code may or may not be used. diff --git a/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml b/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml index fb22aa2bb42..a903440fbc1 100644 --- a/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml +++ b/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasNoGitHubWorkflowPermissionUnknown +lifecycle: experimental short: Checks that GitHub workflows have workflows with unknown permissions motivation: > Unknown permissions may be a result of a bug or another error from fetching the permission levels. diff --git a/probes/hasOSVVulnerabilities/def.yml b/probes/hasOSVVulnerabilities/def.yml index 26fd8a6b4d9..53f903819af 100644 --- a/probes/hasOSVVulnerabilities/def.yml +++ b/probes/hasOSVVulnerabilities/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasOSVVulnerabilities +lifecycle: stable short: Check whether the project has known vulnerabilities motivation: > This check determines whether the project has open, unfixed vulnerabilities in its own codebase or its dependencies using the OSV (Open Source Vulnerabilities) service. diff --git a/probes/hasOpenSSFBadge/def.yml b/probes/hasOpenSSFBadge/def.yml index 621fe4636c6..f558f098939 100644 --- a/probes/hasOpenSSFBadge/def.yml +++ b/probes/hasOpenSSFBadge/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasOpenSSFBadge +lifecycle: stable short: This check determines whether the project has an OpenSSF (formerly CII) Best Practices Badge. motivation: > The OpenSSF Best Practices badge indicates whether or not the project uses a set of security-focused best development practices for open source software. diff --git a/probes/hasPermissiveLicense/def.yml b/probes/hasPermissiveLicense/def.yml index bdacd4b19a0..d93aff76da2 100644 --- a/probes/hasPermissiveLicense/def.yml +++ b/probes/hasPermissiveLicense/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasPermissiveLicense +lifecycle: stable short: Check that the project has an permissive license. motivation: > A permissive license allows users to use the analyzed component to be used in derivative works. Non-permissive licenses (as copyleft licenses) might be a legal risk for potential users. diff --git a/probes/hasRecentCommits/def.yml b/probes/hasRecentCommits/def.yml index aba447fac4f..a7e495c80b8 100644 --- a/probes/hasRecentCommits/def.yml +++ b/probes/hasRecentCommits/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasRecentCommits +lifecycle: stable short: Check whether the project has at least one commit per week over the last 90 days. motivation: > A project which is not active might not be patched, have its dependencies patched, or be actively tested and used. diff --git a/probes/hasReleaseSBOM/def.yml b/probes/hasReleaseSBOM/def.yml index e8d911252b9..237671c3a6e 100644 --- a/probes/hasReleaseSBOM/def.yml +++ b/probes/hasReleaseSBOM/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasReleaseSBOM +lifecycle: experimental short: Check that the project publishes an SBOM as part of its release artifacts. motivation: > An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. diff --git a/probes/hasSBOM/def.yml b/probes/hasSBOM/def.yml index d303b1ddcaa..2a7909565a2 100644 --- a/probes/hasSBOM/def.yml +++ b/probes/hasSBOM/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasSBOM +lifecycle: experimental short: Check that the project has an SBOM file motivation: > An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. diff --git a/probes/hasUnverifiedBinaryArtifacts/def.yml b/probes/hasUnverifiedBinaryArtifacts/def.yml index ec4b1e1603a..bb887862587 100644 --- a/probes/hasUnverifiedBinaryArtifacts/def.yml +++ b/probes/hasUnverifiedBinaryArtifacts/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasUnverifiedBinaryArtifacts +lifecycle: stable short: Checks if the project has binary files in its source tree. The probe skips verified binary files which currently are gradle-wrappers. motivation: > Binary files are not human readable so users and reviewers can't easily see what they do. diff --git a/probes/issueActivityByProjectMember/def.yml b/probes/issueActivityByProjectMember/def.yml index afe9ae546e9..1154a0bf79b 100644 --- a/probes/issueActivityByProjectMember/def.yml +++ b/probes/issueActivityByProjectMember/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: issueActivityByProjectMember +lifecycle: stable short: Checks that a collaborator, member or owner has participated in issues in the last 90 days. motivation: > A project which does not respond to issues may not be actively maintained. diff --git a/probes/jobLevelPermissions/def.yml b/probes/jobLevelPermissions/def.yml index 398e8752026..6d83a1d6c52 100644 --- a/probes/jobLevelPermissions/def.yml +++ b/probes/jobLevelPermissions/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: jobLevelPermissions +lifecycle: experimental short: Checks that GitHub workflows do not have "write" permissions at the "job" level. motivation: > In some circumstances, having "write" permissions at the "job" level may enable attackers to escalate privileges. diff --git a/probes/packagedWithAutomatedWorkflow/def.yml b/probes/packagedWithAutomatedWorkflow/def.yml index 450c6ec7539..5eb3731b9cb 100644 --- a/probes/packagedWithAutomatedWorkflow/def.yml +++ b/probes/packagedWithAutomatedWorkflow/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: packagedWithAutomatedWorkflow +lifecycle: stable short: Checks whether the project uses automated packaging. motivation: > Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. diff --git a/probes/pinsDependencies/def.yml b/probes/pinsDependencies/def.yml index a1ea8a5148e..e715b7b4ef7 100644 --- a/probes/pinsDependencies/def.yml +++ b/probes/pinsDependencies/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: pinsDependencies +lifecycle: stable short: Check that the project pins dependencies to a specific digest. motivation: > Pinned dependencies ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility. They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised). diff --git a/probes/releasesAreSigned/def.yml b/probes/releasesAreSigned/def.yml index 633b79ca915..825f4697971 100644 --- a/probes/releasesAreSigned/def.yml +++ b/probes/releasesAreSigned/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesAreSigned +lifecycle: stable short: Check that the projects GitHub and GitLab releases are signed. motivation: > Signed releases allow consumers to verify their artifacts before consuming them. diff --git a/probes/releasesHaveProvenance/def.yml b/probes/releasesHaveProvenance/def.yml index fa2e2f659dc..8cd133a9121 100644 --- a/probes/releasesHaveProvenance/def.yml +++ b/probes/releasesHaveProvenance/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesHaveProvenance +lifecycle: stable short: Check that the projects releases on GitHub and GitLab have provenance. motivation: > Provenance give users security-critical, verifiable information so that consumers can verify their artifacts before consuming them. diff --git a/probes/releasesHaveVerifiedProvenance/def.yml b/probes/releasesHaveVerifiedProvenance/def.yml index 698c520bf3d..977df01dc73 100644 --- a/probes/releasesHaveVerifiedProvenance/def.yml +++ b/probes/releasesHaveVerifiedProvenance/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesHaveVerifiedProvenance +lifecycle: experimental short: Checks if the project releases with provenance attestations that have been verified motivation: > Package provenance attestations provide a greater guarantee of authenticity and integrity than package signatures alone, since the attestation can be performed over a hash of both the package contents and metadata. Developers can attest to particular qualities of the build, such as the build environment, build steps or builder identity. diff --git a/probes/requiresApproversForPullRequests/def.yml b/probes/requiresApproversForPullRequests/def.yml index 246563078e7..93a24667f1f 100644 --- a/probes/requiresApproversForPullRequests/def.yml +++ b/probes/requiresApproversForPullRequests/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresApproversForPullRequests +lifecycle: stable short: Check that the project requires approvers for pull requests. motivation: > Requiring approvers for pull requests makes it harder to introduce vulnerable code to the project. diff --git a/probes/requiresCodeOwnersReview/def.yml b/probes/requiresCodeOwnersReview/def.yml index 12d1937ce33..978930cd7f6 100644 --- a/probes/requiresCodeOwnersReview/def.yml +++ b/probes/requiresCodeOwnersReview/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresCodeOwnersReview +lifecycle: stable short: Check that the project requires dedicated code owners to review PRs. motivation: > Code owners are expected to have deep knowledge about a code; Having experienced reviewers for PRs is expected to prevent security issues. diff --git a/probes/requiresLastPushApproval/def.yml b/probes/requiresLastPushApproval/def.yml index d5b3350d3b5..e8bd9fcf7d4 100644 --- a/probes/requiresLastPushApproval/def.yml +++ b/probes/requiresLastPushApproval/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresLastPushApproval +lifecycle: stable short: Check that the project requires approval of the most recent push. motivation: > Requiring approval of the most recent push prevents contributors from sneaking malicious commits into a PR after it has been approved. diff --git a/probes/requiresPRsToChangeCode/def.yml b/probes/requiresPRsToChangeCode/def.yml index 1c80b2f1d94..36a1eee176c 100644 --- a/probes/requiresPRsToChangeCode/def.yml +++ b/probes/requiresPRsToChangeCode/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresPRsToChangeCode +lifecycle: stable short: Check that the project requires pull requests to change code. motivation: > Changing code through pull requests promotes testing and reviews of the suggested change. diff --git a/probes/requiresUpToDateBranches/def.yml b/probes/requiresUpToDateBranches/def.yml index e0690498c4c..db7dd19aa14 100644 --- a/probes/requiresUpToDateBranches/def.yml +++ b/probes/requiresUpToDateBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresUpToDateBranches +lifecycle: stable short: Check that the project requires PRs to be in sync with the base branch. motivation: > Requiring PRs to be in sync with the base branch is good practice. diff --git a/probes/runsStatusChecksBeforeMerging/def.yml b/probes/runsStatusChecksBeforeMerging/def.yml index 510150789a6..0809ea59cc6 100644 --- a/probes/runsStatusChecksBeforeMerging/def.yml +++ b/probes/runsStatusChecksBeforeMerging/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: runsStatusChecksBeforeMerging +lifecycle: stable short: Check that the project runs required status checks motivation: > Required status checks can check for common errors and resolve issues in PRs. diff --git a/probes/sastToolConfigured/def.yml b/probes/sastToolConfigured/def.yml index cfecd7bcd9d..7d8336d7d5b 100644 --- a/probes/sastToolConfigured/def.yml +++ b/probes/sastToolConfigured/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: sastToolConfigured +lifecycle: stable short: Check that the project uses a SAST tool motivation: > SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. diff --git a/probes/sastToolRunsOnAllCommits/def.yml b/probes/sastToolRunsOnAllCommits/def.yml index bfe00129cc0..16bcb2b409a 100644 --- a/probes/sastToolRunsOnAllCommits/def.yml +++ b/probes/sastToolRunsOnAllCommits/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: sastToolRunsOnAllCommits +lifecycle: stable short: Checks that a SAST tool runs on all commits in the projects CI. motivation: > SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. diff --git a/probes/securityPolicyContainsLinks/def.yml b/probes/securityPolicyContainsLinks/def.yml index d19fd1d1d71..8070f0bf460 100644 --- a/probes/securityPolicyContainsLinks/def.yml +++ b/probes/securityPolicyContainsLinks/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: securityPolicyContainsLinks +lifecycle: stable short: Check that the security policy contains web or email links. motivation: > URLs point users to additional information as well as online disclosure forms. diff --git a/probes/securityPolicyContainsText/def.yml b/probes/securityPolicyContainsText/def.yml index a3e2e764f25..1e3ed325374 100644 --- a/probes/securityPolicyContainsText/def.yml +++ b/probes/securityPolicyContainsText/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: securityPolicyContainsText +lifecycle: stable short: Check that the security policy contains enough text and not just links. motivation: > Telling security researchers how to privately disclose problems with your project is important. The more details available, the better. diff --git a/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml b/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml index 29b5d80f74a..1ae026e6632 100644 --- a/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml +++ b/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: securityPolicyContainsVulnerabilityDisclosure +lifecycle: stable short: Check that the security policy indicates a vulnerability disclosure process. motivation: > If someone finds a vulnerability in the project, it is important for them to be able to communicate it to the maintainers. diff --git a/probes/securityPolicyPresent/def.yml b/probes/securityPolicyPresent/def.yml index bb51cb0960f..3f3d9258b0d 100644 --- a/probes/securityPolicyPresent/def.yml +++ b/probes/securityPolicyPresent/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: securityPolicyPresent +lifecycle: stable short: Check if a security policy is defined in the repository or in the org's .github repository. motivation: > A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. diff --git a/probes/testsRunInCI/def.yml b/probes/testsRunInCI/def.yml index 576cb8c2a2c..51f5ab84b7c 100644 --- a/probes/testsRunInCI/def.yml +++ b/probes/testsRunInCI/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: testsRunInCI +lifecycle: stable short: Checks that the project runs tests in the CI for example with GitHub Actions or Prow. motivation: > Running tests helps developers catch mistakes early on, which can reduce the number of vulnerabilities that find their way into a project. diff --git a/probes/topLevelPermissions/def.yml b/probes/topLevelPermissions/def.yml index ebc102abad7..d9c4cb0ed82 100644 --- a/probes/topLevelPermissions/def.yml +++ b/probes/topLevelPermissions/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: topLevelPermissions +lifecycle: experimental short: Checks that the project does not have any top-level write permissions in its workflows. motivation: > In some circumstances, having "write" permissions at the "top" level may enable attackers to escalate privileges. diff --git a/probes/webhooksUseSecrets/def.yml b/probes/webhooksUseSecrets/def.yml index ee26a05c72d..d0c1e40a7d2 100644 --- a/probes/webhooksUseSecrets/def.yml +++ b/probes/webhooksUseSecrets/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: webhooksUseSecrets +lifecycle: experimental short: This check determines whether the webhooks defined in the repository have secrets configured to authenticate the origins of requests. motivation: > Webhooks without secret authorization have the potential to make projects accessible to third-parties.