---

Table of contents

• Default Branch Deletion Protection Should Be Enabled
• Default Branch Should Be Protected
• Default Branch Should Limit Code Review to Code-Owners
• Default Branch Should Not Allow Force Pushes
• Default Branch Should Require All Checks To Pass Before Merge
• Default Branch Should Require All Commits To Be Signed
• Default Branch Should Require All Conversations To Be Resolved Before Merge
• Default Branch Should Require Branches To Be Up To Date Before Merge
• Default Branch Should Require Code Review
• Default Branch Should Require Code Review By At Least Two Reviewers
• Default Branch Should Require Linear History
• Default Branch Should Require New Code Changes After Approval To Be Re-Approved
• Default Branch Should Restrict Who Can Dismiss Reviews
• Default Branch Should Restrict Who Can Push To It
• Default Workflow Token Permission Should Be Set To Read Only
• Forking Should Not Be Allowed for Private/Internal Repositories
• GitHub Advanced Security – Dependency Review Should Be Enabled For A Repository
• OSSF Scorecard Score Should Be Above 7
• Repository Secrets Should Be Updated At Least Yearly
• Repository Should Be Updated At Least Quarterly
• Repository Should Have A Low Admin Count
• Secret Scanning should be enabled
• Users Are Allowed To Bypass Ruleset Rules
• Vulnerability Alerts Should Be Enabled
• Webhooks Should Be Configured To Use SSL
• Webhooks Should Be Configured With A Secret
• Workflows Should Not Be Allowed To Approve Pull Requests