Managed Security Review for CIS Software Supply Chain Security Guide v1.0.0
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews on CIS AWS Foundations Benchmark v1.5.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Manage sources with a version control system | 1.1.1 | Info | decision.api.shisho.dev/v1beta:version_control |
| Ensure any change to code receives the enough number of approvals by authenticated users | 1.1.3 | Medium | decision.api.shisho.dev/v1beta:github_minimum_approval_number_policy |
| Ensure previous approvals are dismissed when updates are introduced to a code change proposal | 1.1.4 | Low | decision.api.shisho.dev/v1beta:github_stale_review_policy |
| Ensure code owner’s review is required when a change affects owned code | 1.1.7 | Low | decision.api.shisho.dev/v1beta:github_code_owners_review_policy |
| Ensure verification of signed commits for new changes before merging | 1.1.12 | Info | decision.api.shisho.dev/v1beta:github_commit_signature_policy |
| Ensure linear history is required | 1.1.13 | Info | decision.api.shisho.dev/v1beta:github_linear_history_policy |
| Ensure branch protection rules are enforced for administrators | 1.1.14 | Low | decision.api.shisho.dev/v1beta:github_protection_enforcement_for_admins |
| Keep a default branch protected by branch protection rule(s) | 1.1.14 | Medium | decision.api.shisho.dev/v1beta:github_default_branch_protection |
| Ensure force push code to branches is denied | 1.1.16 | Low | decision.api.shisho.dev/v1beta:github_force_push_policy |
| Ensure the deletion of protected branches is limited | 1.1.17 | Medium | decision.api.shisho.dev/v1beta:github_branch_deletion_policy |
| Ensure public repository creation is limited to specific members | 1.2.2 | Low | decision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_repos |
| Ensure deletion of GitHub repositories is restricted | 1.2.3 | Low | decision.api.shisho.dev/v1beta:github_repo_members_permission_on_deleting_repository |
| Ensure minimum number of administrators are set for the organization | 1.3.3 | Low | decision.api.shisho.dev/v1beta:github_org_owners |
| Enforce two-factor authentication on GitHub organization(s) | 1.3.5 | Low | decision.api.shisho.dev/v1beta:github_org_2fa_status |
| Ensure minimum number of administrators are set for the GitHub repository | 1.3.7 | Low | decision.api.shisho.dev/v1beta:github_repo_admins |
| Ensure strict base permissions are set for repositories | 1.3.8 | Low | decision.api.shisho.dev/v1beta:github_org_default_repository_permission |
| Ensure GitHub Actions workflows do not permit any script injections | 1.3.8 | Medium | decision.api.shisho.dev/v1beta:github_actions_workflow_script_injection_possibility |
| Ensure secrets do not appear in GitHub Actions Workflows directly | 1.5.1 | Critical | decision.api.shisho.dev/v1beta:github_actions_workflow_secret_handling |
| Ensure explicit permissions for GitHub Actions workflows follow organization policies | 2.2.3 | Low | decision.api.shisho.dev/v1beta:github_actions_workflow_explicit_permissions |
| Ensure dependencies of GitHub Actions workflows are pinned to verified versions | 2.4.2 | Low | decision.api.shisho.dev/v1beta:github_actions_dependency_pinning |
| Ensure script evaluation by GitHub Actions workflows is validated | 2.4.3 | Medium | decision.api.shisho.dev/v1beta:github_actions_insecure_script_evaluation |
| Update packages with known vulnerabilities | 3.2.2 | Info | decision.api.shisho.dev/v1beta:package_known_vulnerability |