# Managed Security Review for CIS Software Supply Chain Security Guide v1.0.0

This page explains the _managed_ security reviews for the CIS Software Supply Chain Security Guide v1.0.0 provided by Flatt Security.
Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

## To use managed security reviews

By applying the Shisho Cloud workflows below to your organization, you'll see security review results shortly:

- [Workflows for CIS Software Supply Chain Security Guide v1.0.0](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/cis-benchmark/supplychain-v1.0.0)

## All managed review items

| Title                                                                                         | Item in Standard | Default Severity | ID in Shisho Cloud                                                                      |
| --------------------------------------------------------------------------------------------- | ---------------- | ---------------- | --------------------------------------------------------------------------------------- |
| Manage sources with a version control system                                                  | 1.1.1            | Info             | `decision.api.shisho.dev/v1beta:version_control`                                        |
| Ensure any change to code receives a sufficient number of approvals by authenticated users    | 1.1.3            | Medium           | `decision.api.shisho.dev/v1beta:github_minimum_approval_number_policy`                  |
| Ensure previous approvals are dismissed when updates are introduced to a code change proposal | 1.1.4            | Low              | `decision.api.shisho.dev/v1beta:github_stale_review_policy`                             |
| Ensure code owner’s review is required when a change affects owned code                       | 1.1.7            | Low              | `decision.api.shisho.dev/v1beta:github_code_owners_review_policy`                       |
| Ensure verification of signed commits for new changes before merging                          | 1.1.12           | Info             | `decision.api.shisho.dev/v1beta:github_commit_signature_policy`                         |
| Ensure linear history is required                                                             | 1.1.13           | Info             | `decision.api.shisho.dev/v1beta:github_linear_history_policy`                           |
| Keep a default branch protected by branch protection rule(s)                                  | 1.1.14           | Medium           | `decision.api.shisho.dev/v1beta:github_default_branch_protection`                       |
| Ensure branch protection rules are enforced for administrators                                | 1.1.14           | Low              | `decision.api.shisho.dev/v1beta:github_protection_enforcement_for_admins`               |
| Ensure force push code to branches is denied                                                  | 1.1.16           | Low              | `decision.api.shisho.dev/v1beta:github_force_push_policy`                               |
| Ensure the deletion of protected branches is limited                                          | 1.1.17           | Medium           | `decision.api.shisho.dev/v1beta:github_branch_deletion_policy`                          |
| Ensure public repository creation is limited to specific members                              | 1.2.2            | Low              | `decision.api.shisho.dev/v1beta:github_org_members_permission_on_creating_public_repos` |
| Ensure deletion of GitHub repositories is restricted                                          | 1.2.3            | Low              | `decision.api.shisho.dev/v1beta:github_repo_members_permission_on_deleting_repository`  |
| Ensure a minimum number of administrators is set for the organization                         | 1.3.3            | Low              | `decision.api.shisho.dev/v1beta:github_org_owners`                                      |
| Enforce two-factor authentication on GitHub organization(s)                                   | 1.3.5            | Low              | `decision.api.shisho.dev/v1beta:github_org_2fa_status`                                  |
| Ensure a minimum number of administrators is set for the GitHub repository                    | 1.3.7            | Low              | `decision.api.shisho.dev/v1beta:github_repo_admins`                                     |
| Ensure strict base permissions are set for repositories                                       | 1.3.8            | Low              | `decision.api.shisho.dev/v1beta:github_org_default_repository_permission`               |
