Managed Security Review for GitHub
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews for GitHub provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Related Standards | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure dependencies of GitHub Actions workflows are pinned to verified versions | 2.4.2 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_actions_dependency_pinning |
| Ensure script evaluation by GitHub Actions workflows is validated | 2.4.3 (CIS SCC v1.0.0) | Medium | decision.api.shisho.dev/v1beta:github_actions_insecure_script_evaluation |
| Ensure explicit permissions for GitHub Actions workflows follow organization policies | 2.2.3 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_actions_workflow_explicit_permissions |
| Ensure GitHub Actions workflows do not permit any script injections | 1.3.8 (CIS SCC v1.0.0) | Medium | decision.api.shisho.dev/v1beta:github_actions_workflow_script_injection_possibility |
| Ensure secrets do not appear in GitHub Actions Workflows directly | 1.5.1 (CIS SCC v1.0.0) | Critical | decision.api.shisho.dev/v1beta:github_actions_workflow_secret_handling |
| Ensure the deletion of protected branches is limited | 1.1.17 (CIS SCC v1.0.0) | Medium | decision.api.shisho.dev/v1beta:github_branch_deletion_policy |
| Ensure code owner’s review is required when a change affects owned code | 1.1.7 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_code_owners_review_policy |
| Ensure verification of signed commits for new changes before merging | 1.1.12 (CIS SCC v1.0.0) | Info | decision.api.shisho.dev/v1beta:github_commit_signature_policy |
| Keep a default branch protected by branch protection rule(s) | 1.1.14 (CIS SCC v1.0.0) | Medium | decision.api.shisho.dev/v1beta:github_default_branch_protection |
| Ensure force push code to branches is denied | 1.1.16 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_force_push_policy |
| Ensure linear history is required | 1.1.13 (CIS SCC v1.0.0) | Info | decision.api.shisho.dev/v1beta:github_linear_history_policy |
| Ensure any change to code receives the enough number of approvals by authenticated users | 1.1.3 (CIS SCC v1.0.0) | Medium | decision.api.shisho.dev/v1beta:github_minimum_approval_number_policy |
| Enforce two-factor authentication on GitHub organization(s) | 1.3.5 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_org_2fa_status |
| Ensure strict base permissions are set for repositories | 1.3.8 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_org_default_repository_permission |
| Ensure creation of GitHub public pages is restricted | Low | decision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_pages | |
| Ensure public repository creation is limited to specific members | 1.2.2 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_repos |
| Ensure forking of GitHub repositories is restricted | Low | decision.api.shisho.dev/v1beta:github_org_members_permission_on_private_forking | |
| Ensure minimum number of administrators are set for the organization | 1.3.3 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_org_owners |
| Ensure branch protection rules are enforced for administrators | 1.1.14 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_protection_enforcement_for_admins |
| Ensure minimum number of administrators are set for the GitHub repository | 1.3.7 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_repo_admins |
| Ensure deletion of GitHub repositories is restricted | 1.2.3 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_repo_members_permission_on_deleting_repository |
| Ensure previous approvals are dismissed when updates are introduced to a code change proposal | 1.1.4 (CIS SCC v1.0.0) | Low | decision.api.shisho.dev/v1beta:github_stale_review_policy |