OpenJS Security Compliance Checker #1440

Open
RafaelGSS opened this issue Feb 17, 2025 · 1 comment
Comments

@RafaelGSS
Member

RafaelGSS commented Feb 17, 2025

I'm placing the OpenJS Security Compliance here so we can evaluate if the Node.js project, and our packages, are following these practices.

Legend:

  • ✅ Applicable and Applied
  • 🟡 Non-Applicable
  • ❌ Applicable and Not applied
  • [ ] Not verified yet

1. User Authentication

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| githubOrgMFA | Multi Factor Authentication (MFA) Enforced Across the Github Organization | ✅ | OpenPathfinder/visionBoard#43 |
| npmOrgMFA | Multi Factor Authentication (MFA) Enforced Across the npm Organization | @mhdawson | OpenPathfinder/visionBoard#64 |
| orgToolingMFA | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible | ? | OpenPathfinder/visionBoard#65 |
| MFAImpersonationDefense | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | ? | OpenPathfinder/visionBoard#66 |
| SSHKeysRequired | Use SSH keys for developer access to source code repositories and use a passphrase | ? | OpenPathfinder/visionBoard#71 |
| useHwKeyGithubAccess | GitHub.com: Use a passkey (AAL2) or hardware key (AAL3) that activates with password/biometrics | 🟡❌ | OpenPathfinder/visionBoard#113 |
| useHwKeyGithubNonInteractive | Non-Interactive GitHub: Use a passkey (AAL2) or hardware key (AAL3) that activates with password/biometrics | 🟡❌ | OpenPathfinder/visionBoard#114 |
| useHwKeyOtherContexts | All Other Contexts: Use a passkey (AAL2) or hardware key (AAL3) that activates with password/biometrics | 🟡❌ | OpenPathfinder/visionBoard#115 |

2. User Account Permissions

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| restrictedOrgPermissions | Default Github Org Member Permissions Should Be Restricted | ✅ | OpenPathfinder/visionBoard#74 |
| adminRepoCreationOnly | Only Admins Should Be Able To Create Public Repositories | ✅ | OpenPathfinder/visionBoard#75 |
| preventBranchProtectionBypass | Do not allow Admins to Bypass Branch Protection Settings | [ ] | OpenPathfinder/visionBoard#76 |
| defineFunctionalRoles | Define roles aligned to functional responsibilities | [ ] | OpenPathfinder/visionBoard#77 |
| githubWriteAccessRoles | Define Individuals/Teams who have Write Access to a Github Repo | ✅ | OpenPathfinder/visionBoard#78 |
| twoOrMoreOwnersForAccess | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity | [ ] | OpenPathfinder/visionBoard#79 |
| activeAdminsSixMonths | Github Organization Admins Should Have Activity In The Last 6 Months | ✅ | OpenPathfinder/visionBoard#119 |
| activeWritersSixMonths | Github Organization Members with Write Permissions Should Have Activity In The Last 6 Months | ❌ | OpenPathfinder/visionBoard#120 |
| limitOrgOwners | Limit Number of Github Org Owners (ideally Fewer Than Three) | ❌ | OpenPathfinder/visionBoard#128 |
| limitRepoAdmins | Limit Number of Github Repository Admins (ideally Fewer Than Three) | ❌ | OpenPathfinder/visionBoard#129 |

3. Service Authentication

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| noSensitiveInfoInRepositories | No Secrets and Credentials in Source Code | ✅ | OpenPathfinder/visionBoard#67 |
| injectedSecretsAtRuntime | Secrets are injected at runtime (e.g., environment variables or as a file using GitHub Secrets) | [ ] | OpenPathfinder/visionBoard#68 |
| npmPublicationMFA | Publish to npm using an MFA-enabled account rather than single-factor or granular access tokens | [ ] | OpenPathfinder/visionBoard#72 |
| githubWebhookSecrets | GitHub Webhooks Use Secrets | [ ] | OpenPathfinder/visionBoard#73 |

4. GitHub Workflows

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| defaultTokenPermissionsReadOnly | GitHub Org Default Workflow Token Permissions are Set to Read Only | ✅ | OpenPathfinder/visionBoard#94 |
| blockWorkflowPRApproval | Workflows are not Allowed To Create or Approve Pull Requests | [ ] | OpenPathfinder/visionBoard#95 |
| restrictOrgSecrets | GitHub Organization Secrets are Restricted to Selected Repositories | [ ] | OpenPathfinder/visionBoard#99 |
| verifiedActionsOnly | GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions | [ ] | OpenPathfinder/visionBoard#100 |
| consistentBuildProcessDocs | Consistent and Automated Build Process is Documented and Used | [ ] | OpenPathfinder/visionBoard#105 |
| noSelfHostedRunners | Disable use of Self-Hosted Runners in GitHub Org | [ ] | OpenPathfinder/visionBoard#101 |
| noArbitraryCodeInPipeline | Build Pipeline Cannot Execute Arbitrary Code from Outside of a Build Script | [ ] | OpenPathfinder/visionBoard#102 |
| limitWorkflowWritePermissions | Only Allow Workflows Write Permissions at the Job-Level | [ ] | OpenPathfinder/visionBoard#103 |
| preventScriptInjection | Avoid Script Injection from Untrusted Context Variables | [ ] | OpenPathfinder/visionBoard#104 |
| pinActionsToSHA | Pin Actions with Access to Secrets to a Full Length Commit SHA | ✅ | OpenPathfinder/visionBoard#53 |
| forkWorkflowApproval | Limit changes from forks to workflows by requiring approval for all outside collaborators | [ ] | OpenPathfinder/visionBoard#116 |
| workflowSecurityScanner | Use a Workflow Security Scanner | [ ] | OpenPathfinder/visionBoard#117 |
| runnerSecurityScanner | Use a GitHub Runner Security Scanner | [ ] | OpenPathfinder/visionBoard#118 |

5. Vulnerability Management

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| patchCriticalVulns30Days | Actively Exploited Critical Vulnerabilities Patched within 30 Days | [ ] | OpenPathfinder/visionBoard#80 |
| patchNonCriticalVulns90Days | Non-Critical Exploitable Vulnerabilities Patched within 90 Days | [ ] | OpenPathfinder/visionBoard#81 |
| upgradePathDocs | Commonly Used Older Versions Supported or Upgrade Path Provided/Documented | [ ] | OpenPathfinder/visionBoard#106 |
| annualDependencyRefresh | A new release to refresh dependencies occurs at least annually | ✅ | OpenPathfinder/visionBoard#112 |
| patchExploitableHighVulns14Days | Actively Exploited Critical and High Vulnerabilities Patched within 14 Days | [ ] | OpenPathfinder/visionBoard#130 |
| patchExploitableNoncCriticalVulns60Days | Non-Critical Exploitable Vulnerabilities Patched within 60 Days | [ ] | OpenPathfinder/visionBoard#131 |

6. Coordinated Vulnerability Disclosure

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| useCVDToolForVulns | Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (e.g., H1/GH PVR) | ✅ | OpenPathfinder/visionBoard#88 |
| vulnResponse14Days | All External Vulnerability Reports Responded to in <14 Days | ✅ | OpenPathfinder/visionBoard#89 |
| incidentResponsePlan | Establish a Clear Communication and Incident Response Plan | ✅ | OpenPathfinder/visionBoard#90 |
| assignCVEForKnownVulns | All Known Security Vulnerabilities are Issued a CVE | ✅ | OpenPathfinder/visionBoard#91 |
| includeCVEInReleaseNotes | Release Notes must Include the CVE ID of Patched Security Vulnerabilities | ✅ | OpenPathfinder/visionBoard#92 |
| securityMdMeetsOpenJSCVD | Security.md Meets OpenJS CVD Guidelines | [ ] | OpenPathfinder/visionBoard#87 |

7. Code Quality

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| softwareDesignTraining | At least One Primary Maintainer has taken TBD Training on Secure Software Design | [ ] | OpenPathfinder/visionBoard#52 |
| owaspTop10Training | At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent | [ ] | OpenPathfinder/visionBoard#63 |
| scanCommitsForSensitiveInfo | All Commits are Scanned for Secrets and Credentials | [ ] | OpenPathfinder/visionBoard#69 |
| preventLandingSensitiveCommits | New Commits Containing Secrets or Credentials are Blocked from Merging | [ ] | OpenPathfinder/visionBoard#70 |
| staticCodeAnalysis | Use an Automated Static Code Analysis Tool (e.g.: ESLint) | [ ] | OpenPathfinder/visionBoard#83 |
| resolveLinterWarnings | Compiler/Linter Warnings Addressed in order to Merge | [ ] | OpenPathfinder/visionBoard#84 |
| staticAppSecTesting | All Commits are Scanned by a Static Application Security Testing Tool | [ ] | OpenPathfinder/visionBoard#85 |
| commitStatusChecks | All Required Commit Status Checks must pass before Merging | [ ] | OpenPathfinder/visionBoard#86 |
| regressionTestsForVulns | Regression Tests for >= 50% of Bugs and 100% of Security Vulns | [ ] | OpenPathfinder/visionBoard#93 |

8. Code Review

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| softwareArchitectureDocs | Document Software Architecture | [ ] | OpenPathfinder/visionBoard#107 |
| requireTwoPartyReview | Require Two Party Review | ✅ | OpenPathfinder/visionBoard#125 |
| requireCodeOwnersReviewForLargeTeams | Require Code Owners Review | ✅ | OpenPathfinder/visionBoard#126 |

9. Source Control

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| noForcePushDefaultBranch | Prevent Force Push on Default Branch | ❌ | OpenPathfinder/visionBoard#96 |
| preventDeletionDefaultBranch | Prevent Default Branch Deletion | [ ] | OpenPathfinder/visionBoard#97 |
| upToDateDefaultBranchBeforeMerge | Default Branch must be Up to Date before Merging | [ ] | OpenPathfinder/visionBoard#98 |
| ciAndCdPipelineAsCode | CI/CD steps should all be automated through a pipeline defined as code | [ ] | OpenPathfinder/visionBoard#108 |
| PRsBeforeMerge | Require Pull Requests before Merging | 🟡 | OpenPathfinder/visionBoard#121 |
| commitSignoffForWeb | GitHub Org Requires Commit Signoff for Web-Based Commits | [ ] | OpenPathfinder/visionBoard#122 |
| requireSignedCommits | Require Signed Commits | 🟡 | OpenPathfinder/visionBoard#123 |
| requirePRApprovalForMainline | Require Approved PRs for all commits to mainline branches | [ ] | OpenPathfinder/visionBoard#127 |

10. Dependencies

| Docs | Title | Verified? | Discussion |
| --- | --- | --- | --- |
| automateDependencyManagement | Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies | ✅ | OpenPathfinder/visionBoard#109 |
| identifyModifiedDependencies | Modified dependencies are uniquely identified and distinct from origin dependency | [ ] | OpenPathfinder/visionBoard#111 |
| automateVulnDetection | An automated process to identify dependencies with publicly disclosed vulnerabilities | ✅ | OpenPathfinder/visionBoard#82 |

@UlisesGascon
Member

I updated the tables to include the docs (with the relevant mapping, more details, etc...) and also the discussion on visionBoard so we can extend the discussion there 👍

BTW... here you have the demo of visionBoard to get more familiar with it. For the next meeting I will have the Node.js org scanned :)


2 participants