diff --git a/README.md b/README.md index 57e8ab8..b679559 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,9 @@ All definitions are maintained in YAML format for tandem machine and human readi Each entry has the following values: - **ID**: - - Entries 1-39 are reserved for maturity level 1 - - Entries 40-69 are reserved for maturity level 2 - - Entries 70-99 are reserved for maturity level 3 + - Entries are of the form OSPS-_Category_-_Index_ where + - *Category* is a two-letter abbreviated form of the categories listed below + - *Index* is a sequentially-assigned two-digit number. Numbers are unique within a category but not between categories - **Maturity Level**: - Level 1: for any code or non-code project with any number of maintainers or users - Level 2: for any code project that has at least 2 maintainers and a small number of consistent users diff --git a/baseline.yaml b/baseline.yaml index 05d6cbc..b2e9d94 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -10,9 +10,11 @@ # Citeria # # ID is a unique identifier for the requirement. -# 1-39 are resurved for maturity level 1, 40-69 -# are reserved for maturity level 2, and 70-99 are -# reserved for maturity level 3. +# The form is OSPS-- where +# - is a two-letter abbreviation of the +# category +# - is a sequentially-assigned two-digit +# number within a category # # maturity_level is the level of maturity for the # requirement. 1 is the lowest level of maturity, @@ -40,7 +42,7 @@ # recommendations or best practices. # criteria: - - id: OSPS-01 + - id: OSPS-AC-01 maturity_level: 1 category: Access Control criteria: | @@ -64,7 +66,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None yet - - id: OSPS-02 + - id: OSPS-AC-02 maturity_level: 1 category: Access Control criteria: | @@ -85,7 +87,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None yet - - id: OSPS-03 + - id: OSPS-AC-03 maturity_level: 1 category: Access Control criteria: | 
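Review bot: The rewritten ID comment in the baseline.yaml header hunk reads `# The form is OSPS-- where` followed by `# - is a two-letter abbreviation of the category`, so the placeholder names are missing and the comment no longer states the form; this looks like angle-bracketed placeholders (`<Category>`, `<Index>`) being dropped, either in the commit or in rendering, and should be confirmed against the file. I would write it as `# The form is OSPS-<Category>-<Index> where`, `# - <Category> is a two-letter abbreviation of the category`, `# - <Index> is a sequentially-assigned two-digit number within a category`, and list the abbreviations in use (AC, BR, DO, QA, LE, as seen in the renamed entries) so a consumer can validate new IDs. Since every existing ID is re-keyed in this commit and the old IDs encoded maturity level by range, anything that pinned an `OSPS-NN` identifier (control mappings, scorecard integrations, external references) is silently broken; a short note that the old numbering is retired, or a legacy-ID mapping, would make that explicit. The new scheme also duplicates the category in both the ID prefix and the `category` field, so a comment stating that the prefix must agree with `category` would give reviewers something concrete to check.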
@@ -106,7 +108,7 @@ criteria: control_mappings: # TODO scorecard_probe: - blocksForcePushOnBranches - - id: OSPS-04 + - id: OSPS-AC-04 maturity_level: 1 category: Access Control criteria: | @@ -125,7 +127,7 @@ criteria: control_mappings: # TODO scorecard_probe: - blocksDeleteOnBranches - - id: OSPS-05 + - id: OSPS-BR-01 maturity_level: 1 category: Build & Release criteria: | @@ -144,7 +146,7 @@ criteria: control_mappings: # TODO scorecard_probe: - hasDangerousWorkflowScriptInjection - - id: OSPS-06 + - id: OSPS-BR-02 maturity_level: 1 # TODO: This should be lv2 category: Build & Release criteria: | @@ -169,7 +171,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None, would need to be paired with SI - - id: OSPS-07 + - id: OSPS-BR-03 maturity_level: 1 category: Build & Release criteria: | @@ -191,7 +193,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None, would need to be paired with SI - - id: OSPS-09 + - id: OSPS-DO-01 maturity_level: 1 category: Documentation criteria: | @@ -214,7 +216,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None yet - - id: OSPS-10 + - id: OSPS-DO-02 maturity_level: 1 category: Documentation criteria: | @@ -235,7 +237,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None, may not be suitable - - id: OSPS-11 + - id: OSPS-DO-03 maturity_level: 2 category: Documentation criteria: | @@ -255,7 +257,7 @@ criteria: available, include highly-visible warnings. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-12 + - id: OSPS-QA-01 maturity_level: 1 category: Quality criteria: | @@ -276,7 +278,7 @@ criteria: that would impact the repository URL. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-13 + - id: OSPS-QA-02 maturity_level: 1 category: Quality criteria: | 
@@ -297,7 +299,7 @@ criteria: author of any commits. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-14 + - id: OSPS-LE-01 maturity_level: 2 category: Legal criteria: | @@ -322,7 +324,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None, may not be suitable - - id: OSPS-15 + - id: OSPS-LE-02 maturity_level: 1 category: Legal criteria: | @@ -354,7 +356,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - hasPermissiveLicense # Check this - - id: OSPS-16 + - id: OSPS-LE-03 maturity_level: 1 category: Legal criteria: | @@ -378,7 +380,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - hasLicenseFile - - id: OSPS-17 + - id: OSPS-LE-04 maturity_level: 1 category: Legal criteria: | @@ -410,7 +412,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # None, may need to be paired with SI - - id: OSPS-40 + - id: OSPS-AC-05 maturity_level: 2 category: Access Control criteria: | @@ -435,7 +437,7 @@ criteria: scorecard_probe: - topLevelPermissions - jobLevelPermissions - - id: OSPS-41 + - id: OSPS-AC-06 maturity_level: 2 category: Access Control criteria: | @@ -464,7 +466,7 @@ criteria: trusted organization. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-42 + - id: OSPS-BR-04 maturity_level: 2 category: Build & Release criteria: | @@ -484,7 +486,7 @@ criteria: processes. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-43 + - id: OSPS-BR-05 maturity_level: 2 category: Build & Release criteria: | @@ -509,7 +511,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # TODO - - id: OSPS-44 + - id: OSPS-BR-06 maturity_level: 2 category: Build & Release criteria: | @@ -534,7 +536,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # TODO, this might be possible if paired with SI to find the release location - - id: OSPS-45 + - id: OSPS-DO-04 maturity_level: 2 category: Documentation criteria: | 
@@ -560,7 +562,7 @@ criteria: scorecard_probe: - securityPolicyPresent - securityPolicyContainsVulnerabilityDisclosure - - id: OSPS-46 + - id: OSPS-DO-05 maturity_level: 2 category: Documentation criteria: | @@ -585,7 +587,7 @@ criteria: be triaged and resolved. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-47 + - id: OSPS-DO-06 maturity_level: 2 category: Documentation criteria: | @@ -611,7 +613,7 @@ criteria: approvers. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-48 + - id: OSPS-DO-07 maturity_level: 2 category: Documentation criteria: | @@ -632,7 +634,7 @@ criteria: influence another segment in the system. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-49 + - id: OSPS-QA-03 maturity_level: 2 category: Quality criteria: | @@ -666,7 +668,7 @@ criteria: - hasReleaseSBOM - # TODO: check for non-sbom dependency files - - id: OSPS-50 + - id: OSPS-QA-04 maturity_level: 2 category: Quality criteria: | @@ -696,7 +698,7 @@ criteria: scorecard_probe: - runsStatusChecksBeforeMerging - # TODO: check for checks passing? - - id: OSPS-51 + - id: OSPS-QA-05 maturity_level: 3 category: Quality criteria: | @@ -728,7 +730,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # TODO, this may be possible if paired with SI to find the subproject - - id: OSPS-52 + - id: OSPS-QA-06 maturity_level: 2 category: Quality criteria: | @@ -753,7 +755,7 @@ criteria: control_mappings: # TODO scorecard_probe: - hasBinaryArtifacts - - id: OSPS-70 + - id: OSPS-AC-07 maturity_level: 3 category: Access Control criteria: | @@ -778,7 +780,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # TODO - - id: OSPS-71 + - id: OSPS-BR-07 maturity_level: 3 category: Build & Release criteria: | 
@@ -800,7 +802,7 @@ criteria: security_insights_value: # TODO scorecard_probe: - # TODO: this is about policy, but we should also look for evidence of SCA - - id: OSPS-72 + - id: OSPS-DO-08 maturity_level: 3 category: Documentation criteria: | @@ -822,7 +824,7 @@ criteria: vulnerabilities. control_mappings: # TODO security_insights_value: # TODO - - id: OSPS-73 + - id: OSPS-DO-09 maturity_level: 3 category: Documentation criteria: |