Skip to main content

Managed Security Review for GitHub

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains managed security reviews for GitHub provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

TitleRelated StandardsDefault SeverityID in Shisho Cloud
Ensure dependencies of GitHub Actions workflows are pinned to verified versions2.4.2 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_actions_dependency_pinning
Ensure script evaluation by GitHub Actions workflows is validated2.4.3 (CIS SCC v1.0.0)Mediumdecision.api.shisho.dev/v1beta:github_actions_insecure_script_evaluation
Ensure explicit permissions for GitHub Actions workflows follow organization policies2.2.3 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_actions_workflow_explicit_permissions
Ensure GitHub Actions workflows do not permit any script injections1.3.8 (CIS SCC v1.0.0)Mediumdecision.api.shisho.dev/v1beta:github_actions_workflow_script_injection_possibility
Ensure secrets do not appear in GitHub Actions Workflows directly1.5.1 (CIS SCC v1.0.0)Criticaldecision.api.shisho.dev/v1beta:github_actions_workflow_secret_handling
Ensure the deletion of protected branches is limited1.1.17 (CIS SCC v1.0.0)Mediumdecision.api.shisho.dev/v1beta:github_branch_deletion_policy
Ensure code owner’s review is required when a change affects owned code1.1.7 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_code_owners_review_policy
Ensure verification of signed commits for new changes before merging1.1.12 (CIS SCC v1.0.0)Infodecision.api.shisho.dev/v1beta:github_commit_signature_policy
Keep a default branch protected by branch protection rule(s)1.1.14 (CIS SCC v1.0.0)Mediumdecision.api.shisho.dev/v1beta:github_default_branch_protection
Ensure force push code to branches is denied1.1.16 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_force_push_policy
Ensure linear history is required1.1.13 (CIS SCC v1.0.0)Infodecision.api.shisho.dev/v1beta:github_linear_history_policy
Ensure any change to code receives the enough number of approvals by authenticated users1.1.3 (CIS SCC v1.0.0)Mediumdecision.api.shisho.dev/v1beta:github_minimum_approval_number_policy
Enforce two-factor authentication on GitHub organization(s)1.3.5 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_org_2fa_status
Ensure strict base permissions are set for repositories1.3.8 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_org_default_repository_permission
Ensure creation of GitHub public pages is restrictedLowdecision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_pages
Ensure public repository creation is limited to specific members1.2.2 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_repos
Ensure forking of GitHub repositories is restrictedLowdecision.api.shisho.dev/v1beta:github_org_members_permission_on_private_forking
Ensure minimum number of administrators are set for the organization1.3.3 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_org_owners
Ensure branch protection rules are enforced for administrators1.1.14 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_protection_enforcement_for_admins
Ensure minimum number of administrators are set for the GitHub repository1.3.7 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_repo_admins
Ensure deletion of GitHub repositories is restricted1.2.3 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_repo_members_permission_on_deleting_repository
Ensure previous approvals are dismissed when updates are introduced to a code change proposal1.1.4 (CIS SCC v1.0.0)Lowdecision.api.shisho.dev/v1beta:github_stale_review_policy