Skip to main content

Managed Security Review for GitHub


The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains managed security reviews for GitHub provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

TitleRelated StandardsDefault SeverityID in Shisho Cloud
Ensure dependencies of GitHub Actions workflows are pinned to verified versions2.4.2 (CIS SCC v1.0.0)
Ensure script evaluation by GitHub Actions workflows is validated2.4.3 (CIS SCC v1.0.0)
Ensure explicit permissions for GitHub Actions workflows follow organization policies2.2.3 (CIS SCC v1.0.0)
Ensure GitHub Actions workflows do not permit any script injections1.3.8 (CIS SCC v1.0.0)
Ensure secrets do not appear in GitHub Actions Workflows directly1.5.1 (CIS SCC v1.0.0)
Ensure the deletion of protected branches is limited1.1.17 (CIS SCC v1.0.0)
Ensure code owner’s review is required when a change affects owned code1.1.7 (CIS SCC v1.0.0)
Ensure verification of signed commits for new changes before merging1.1.12 (CIS SCC v1.0.0)
Keep a default branch protected by branch protection rule(s)1.1.14 (CIS SCC v1.0.0)
Ensure force push code to branches is denied1.1.16 (CIS SCC v1.0.0)
Ensure linear history is required1.1.13 (CIS SCC v1.0.0)
Ensure any change to code receives the enough number of approvals by authenticated users1.1.3 (CIS SCC v1.0.0)
Enforce two-factor authentication on GitHub organization(s)1.3.5 (CIS SCC v1.0.0)
Ensure strict base permissions are set for repositories1.3.8 (CIS SCC v1.0.0)
Ensure creation of GitHub public pages is
Ensure public repository creation is limited to specific members1.2.2 (CIS SCC v1.0.0)
Ensure forking of GitHub repositories is
Ensure minimum number of administrators are set for the organization1.3.3 (CIS SCC v1.0.0)
Ensure branch protection rules are enforced for administrators1.1.14 (CIS SCC v1.0.0)
Ensure minimum number of administrators are set for the GitHub repository1.3.7 (CIS SCC v1.0.0)
Ensure deletion of GitHub repositories is restricted1.2.3 (CIS SCC v1.0.0)
Ensure previous approvals are dismissed when updates are introduced to a code change proposal1.1.4 (CIS SCC v1.0.0)