Skip to main content

Managed Security Review for CIS Software Supply Chain Security Guide v1.0.0

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains managed security reviews on CIS AWS Foundations Benchmark v1.5.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

TitleItem in StandardDefault SeverityID in Shisho Cloud
Manage sources with a version control system1.1.1Infodecision.api.shisho.dev/v1beta:version_control
Ensure any change to code receives the enough number of approvals by authenticated users1.1.3Mediumdecision.api.shisho.dev/v1beta:github_minimum_approval_number_policy
Ensure previous approvals are dismissed when updates are introduced to a code change proposal1.1.4Lowdecision.api.shisho.dev/v1beta:github_stale_review_policy
Ensure code owner’s review is required when a change affects owned code1.1.7Lowdecision.api.shisho.dev/v1beta:github_code_owners_review_policy
Ensure verification of signed commits for new changes before merging1.1.12Infodecision.api.shisho.dev/v1beta:github_commit_signature_policy
Ensure linear history is required1.1.13Infodecision.api.shisho.dev/v1beta:github_linear_history_policy
Ensure branch protection rules are enforced for administrators1.1.14Lowdecision.api.shisho.dev/v1beta:github_protection_enforcement_for_admins
Keep a default branch protected by branch protection rule(s)1.1.14Mediumdecision.api.shisho.dev/v1beta:github_default_branch_protection
Ensure force push code to branches is denied1.1.16Lowdecision.api.shisho.dev/v1beta:github_force_push_policy
Ensure the deletion of protected branches is limited1.1.17Mediumdecision.api.shisho.dev/v1beta:github_branch_deletion_policy
Ensure public repository creation is limited to specific members1.2.2Lowdecision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_repos
Ensure deletion of GitHub repositories is restricted1.2.3Lowdecision.api.shisho.dev/v1beta:github_repo_members_permission_on_deleting_repository
Ensure minimum number of administrators are set for the organization1.3.3Lowdecision.api.shisho.dev/v1beta:github_org_owners
Enforce two-factor authentication on GitHub organization(s)1.3.5Lowdecision.api.shisho.dev/v1beta:github_org_2fa_status
Ensure minimum number of administrators are set for the GitHub repository1.3.7Lowdecision.api.shisho.dev/v1beta:github_repo_admins
Ensure GitHub Actions workflows do not permit any script injections1.3.8Mediumdecision.api.shisho.dev/v1beta:github_actions_workflow_script_injection_possibility
Ensure strict base permissions are set for repositories1.3.8Lowdecision.api.shisho.dev/v1beta:github_org_default_repository_permission
Ensure secrets do not appear in GitHub Actions Workflows directly1.5.1Criticaldecision.api.shisho.dev/v1beta:github_actions_workflow_secret_handling
Ensure explicit permissions for GitHub Actions workflows follow organization policies2.2.3Lowdecision.api.shisho.dev/v1beta:github_actions_workflow_explicit_permissions
Ensure dependencies of GitHub Actions workflows are pinned to verified versions2.4.2Lowdecision.api.shisho.dev/v1beta:github_actions_dependency_pinning
Ensure script evaluation by GitHub Actions workflows is validated2.4.3Mediumdecision.api.shisho.dev/v1beta:github_actions_insecure_script_evaluation
Update packages with known vulnerabilities3.2.2Infodecision.api.shisho.dev/v1beta:package_known_vulnerability