
Managed Security Review for CIS Software Supply Chain Security Guide v1.0.0


The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains the managed security reviews for the CIS Software Supply Chain Security Guide v1.0.0 provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

To use managed security reviews

Apply the Shisho Cloud workflows to your organization; the results of these security reviews appear shortly afterwards.

All managed review items

Title | Item in Standard | Default Severity | ID in Shisho Cloud
--- | --- | --- | ---
Manage sources with a version control | | |
Ensure any change to code receives the enough number of approvals by authenticated | | |
Ensure previous approvals are dismissed when updates are introduced to a code change | | |
Ensure code owner’s review is required when a change affects owned | | |
Ensure verification of signed commits for new changes before | | |
Ensure linear history is | | |
Ensure branch protection rules are enforced for | | |
Keep a default branch protected by branch protection rule(s) | | |
Ensure force push code to branches is | | |
Ensure the deletion of protected branches is | | |
Ensure public repository creation is limited to specific | | |
Ensure deletion of GitHub repositories is | | |
Ensure minimum number of administrators are set for the | | |
Enforce two-factor authentication on GitHub organization(s) | | |
Ensure minimum number of administrators are set for the GitHub | | |
Ensure strict base permissions are set for | | |
Ensure GitHub Actions workflows do not permit any script | | |
Ensure secrets do not appear in GitHub Actions Workflows | | |
Ensure explicit permissions for GitHub Actions workflows follow organization | | |
Ensure dependencies of GitHub Actions workflows are pinned to verified | | |
Ensure script evaluation by GitHub Actions workflows is | | |
Update packages with known | | |
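Three of the GitHub Actions items in the table (actions pinned to a verified commit rather than a mutable ref, no script injection through `${{ }}` interpolation of attacker-controlled event data into `run` steps, and an explicit `permissions` block) are the kind of check a reviewer can run locally before Shisho Cloud does. The following is an added example written for this page; it is not Shisho Cloud's own policy code and the rule names (`unpinned-action`, `script-injection`, `missing-permissions`) are this example's, not the platform's IDs. Both workflow files are constructed here, and the 40-hex digest in them is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflows (written for this example, not taken from the
# page or from Shisho Cloud). The first contains the weaknesses the checks
# below look for; the second is the hardened equivalent.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  issues:
    types: [opened]
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
      - name: Greet
        run: echo "Title is ${{ github.event.issue.title }}"
      - name: Branch
        run: |
          git fetch origin ${{ github.head_ref }}
      - name: Safe
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "Title is $TITLE"
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # placeholder 40-hex digest used for illustration, not a real commit
      - uses: actions/checkout@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
      - name: Greet
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "Title is $TITLE"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Contexts an outside contributor controls (issue/PR titles, bodies, branch
# names) and that must never be spliced into a shell command via ${{ }}.
# Passing them through `env:` is safe: the shell sees a variable, not code.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(github\.(?:event\.[\w.]*|head_ref|ref_name))\s*\}\}")
USES_RE = re.compile(r"^(?:-\s*)?uses:\s*(\S+)")
RUN_RE = re.compile(r"^(?:-\s*)?run:\s*(.*)$")

Finding = Tuple[int, str, str]  # (line number, rule, message)


def check_uses(lineno: int, ref: str) -> List[Finding]:
    """Flag actions that are not pinned to a full commit SHA."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return []  # local path or container image: not a versioned action ref
    if "@" not in ref:
        return [(lineno, "unpinned-action", f"{ref} has no ref at all")]
    name, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return []
    return [(lineno, "unpinned-action",
             f"{name} is pinned to mutable ref '{version}', not a commit SHA")]


def check_run(lineno: int, script: str) -> List[Finding]:
    """Flag untrusted expression contexts interpolated into a run step."""
    m = UNTRUSTED_RE.search(script)
    if not m:
        return []
    return [(lineno, "script-injection",
             f"untrusted context {m.group(1)} interpolated into a run step")]


def lint_workflow(text: str) -> List[Finding]:
    """Line-oriented scan of a workflow file; returns findings in file order,
    with the workflow-wide permissions check appended last."""
    findings: List[Finding] = []
    in_run, run_indent = False, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue  # blank lines are legal inside block scalars
        indent = len(raw) - len(raw.lstrip())
        if in_run:
            if indent > run_indent:  # still inside the `run: |` block
                findings += check_run(lineno, stripped)
                continue
            in_run = False
        m = USES_RE.match(stripped)
        if m:
            findings += check_uses(lineno, m.group(1))
            continue
        m = RUN_RE.match(stripped)
        if m:
            value = m.group(1).strip()
            if value in ("|", "|-", ">", ">-"):
                in_run, run_indent = True, indent
            else:
                findings += check_run(lineno, value)
    if not any(l.strip().startswith("permissions:") for l in text.splitlines()):
        findings.append((1, "missing-permissions",
                         "no explicit permissions block; GITHUB_TOKEN gets the default scope"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}: {len(lint_workflow(wf))} finding(s)")
        for lineno, rule, msg in lint_workflow(wf):
            print(f"  line {lineno}: [{rule}] {msg}")
```

The scanner is deliberately line-based so it runs without a YAML library; a production check should parse the document and also inspect `with:` inputs and composite actions, which this example does not cover.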