Legitify
GitHub Policies
Actions Policies
Default Workflow Token Permission Should Be Read Only
GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions
GitHub Actions Should Be Restricted To Selected Repositories
Workflows Should Not Be Allowed To Approve Pull Requests
Enterprise Policies
Enterprise Should Automatically Enable Advanced Security Across All Organizations/Repositories
Enterprise Should Automatically Enable Secret Scanning Across All Organizations/Repositories
Enterprise Should Automatically Enable Secret Scanning Push Protection Across All Organizations/Repositories
Enterprise Should Define Base Permissions As 'No Permission' For All Members
Enterprise Should Prevent Members From Creating Public Repositories
Enterprise Should Prevent Members From Forking Internal And Private Repositories
Enterprise Should Prevent Members From Inviting Outside Collaborators
Enterprise Should Prevent Repository Admins From Changing Repository Visibility
Enterprise Should Prevent Repository Admins From Deleting Or Transferring Repositories
Enterprise Should Send Email Notifications Only To Verified Domains
Enterprise Should Use Single-Sign-On
Two-Factor Authentication Should Be Enforced For The Enterprise
Member Policies
Organization Admins Should Have Activity In The Last 6 Months
Organization Members Should Have Activity In The Last 6 Months
Organization Should Have Fewer Than Three Owners
Organization Policies
Default Member Permissions Should Be Restricted
Only Admins Should Be Able To Create Public Repositories
Organization Secrets Should Be Updated At Least Yearly
Organization Should Use Single-Sign-On
Two-Factor Authentication Should Be Enforced For The Organization
Webhooks Should Be Configured To Use SSL
Webhooks Should Be Configured With A Secret
Repository Policies
Default Branch Deletion Protection Should Be Enabled
Default Branch Should Be Protected
Default Branch Should Limit Code Review to Code-Owners
Default Branch Should Not Allow Force Pushes
Default Branch Should Require All Checks To Pass Before Merge
Default Branch Should Require All Commits To Be Signed
Default Branch Should Require All Conversations To Be Resolved Before Merge
Default Branch Should Require Branches To Be Up To Date Before Merge
Default Branch Should Require Code Review
Default Branch Should Require Code Review By At Least Two Reviewers
Default Branch Should Require Linear History
Default Branch Should Require New Code Changes After Approval To Be Re-Approved
Default Branch Should Restrict Who Can Dismiss Reviews
Default Branch Should Restrict Who Can Push To It
Default Workflow Token Permission Should Be Set To Read Only
Forking Should Not Be Allowed for Private/Internal Repositories
GitHub Advanced Security – Dependency Review Should Be Enabled For A Repository
OSSF Scorecard Score Should Be Above 7
Repository Secrets Should Be Updated At Least Yearly
Repository Should Be Updated At Least Quarterly
Repository Should Have A Low Admin Count
Secret Scanning Should Be Enabled
Users Are Allowed To Bypass Ruleset Rules
Vulnerability Alerts Should Be Enabled
Webhooks Should Be Configured To Use SSL
Webhooks Should Be Configured With A Secret
Workflows Should Not Be Allowed To Approve Pull Requests
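The "Default Branch ..." repository policies above each reduce to a predicate over the branch-protection settings GitHub exposes through its API. The following Python is an added example written for this page, not Legitify's own implementation: it evaluates a constructed branch-protection payload against those policies and lists the ones that fail. It assumes the input has the shape of the GitHub REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection` (field names such as `required_pull_request_reviews`, `allow_force_pushes` and `required_signatures`), and that a 404 from that endpoint, modelled here as `None`, means the branch is unprotected. The sample payload is constructed by hand so the checks run offline; it is not data from a real repository.

```python
"""Added example (not Legitify's own code): evaluate a GitHub branch-protection
payload against the 'Default Branch ...' repository policies.

Assumption: the dict mirrors the GitHub REST API response for
GET /repos/{owner}/{repo}/branches/{branch}/protection. A 404 from that
endpoint (unprotected branch) is represented by None.
"""
from typing import Any, Callable, Optional

# Constructed sample payload: a partially hardened default branch.
CONSTRUCTED_PROTECTION: dict = {
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "dismissal_restrictions": {"users": [], "teams": [], "apps": []},
    },
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "required_signatures": {"enabled": False},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
    "restrictions": None,
}


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; a missing key means the feature is not configured."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _review_count(p: dict) -> int:
    return int(_get(p, "required_pull_request_reviews",
                    "required_approving_review_count", default=0))


def _dismissal_restricted(p: dict) -> bool:
    """Review dismissal is restricted only if at least one principal is listed."""
    r = _get(p, "required_pull_request_reviews", "dismissal_restrictions", default={})
    return any(r.get(k) for k in ("users", "teams", "apps"))


# Policy name -> predicate over the payload; True means compliant.
# "Allow" flags default to True when absent so an unknown state is non-compliant.
POLICIES: dict[str, Callable[[dict], bool]] = {
    "Default Branch Deletion Protection Should Be Enabled":
        lambda p: not _get(p, "allow_deletions", "enabled", default=True),
    "Default Branch Should Not Allow Force Pushes":
        lambda p: not _get(p, "allow_force_pushes", "enabled", default=True),
    "Default Branch Should Require Code Review":
        lambda p: _review_count(p) >= 1,
    "Default Branch Should Require Code Review By At Least Two Reviewers":
        lambda p: _review_count(p) >= 2,
    "Default Branch Should Limit Code Review to Code-Owners":
        lambda p: bool(_get(p, "required_pull_request_reviews",
                            "require_code_owner_reviews", default=False)),
    "Default Branch Should Require New Code Changes After Approval To Be Re-Approved":
        lambda p: bool(_get(p, "required_pull_request_reviews",
                            "dismiss_stale_reviews", default=False)),
    "Default Branch Should Require Branches To Be Up To Date Before Merge":
        lambda p: bool(_get(p, "required_status_checks", "strict", default=False)),
    "Default Branch Should Require All Checks To Pass Before Merge":
        lambda p: bool(_get(p, "required_status_checks", "contexts", default=[])),
    "Default Branch Should Require All Commits To Be Signed":
        lambda p: bool(_get(p, "required_signatures", "enabled", default=False)),
    "Default Branch Should Require Linear History":
        lambda p: bool(_get(p, "required_linear_history", "enabled", default=False)),
    "Default Branch Should Require All Conversations To Be Resolved Before Merge":
        lambda p: bool(_get(p, "required_conversation_resolution", "enabled", default=False)),
    "Default Branch Should Restrict Who Can Push To It":
        lambda p: p.get("restrictions") is not None,
    "Default Branch Should Restrict Who Can Dismiss Reviews":
        _dismissal_restricted,
}


def evaluate(protection: Optional[dict]) -> dict[str, bool]:
    """Return policy name -> compliant for one default branch."""
    if protection is None:  # endpoint returned 404: nothing is enforced at all
        return {"Default Branch Should Be Protected": False}
    results = {"Default Branch Should Be Protected": True}
    for name, check in POLICIES.items():
        results[name] = bool(check(protection))
    return results


def failing_policies(protection: Optional[dict]) -> list[str]:
    """Sorted names of the policies the branch violates."""
    return sorted(name for name, ok in evaluate(protection).items() if not ok)


if __name__ == "__main__":
    for name in failing_policies(CONSTRUCTED_PROTECTION):
        print("FAIL", name)
```

The defaults matter more than the predicates: a key that is absent from the payload is treated as non-compliant for "allow" flags and as not enabled for "require" flags, so a branch whose protection object omits a feature is reported the way a reviewer would want rather than silently passing. Running the block prints the seven policies the constructed payload fails, among them force pushes, unsigned commits and the single-reviewer requirement.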
Runner_Group Policies
Runner Group Should Be Limited to Private Repositories
Runner Group Should Be Limited to Selected Repositories
GitLab Policies
Enterprise Policies
API Request Rate Limit Should Be Limited
Branch Protection Should Be Globally Enabled By Default
Creating Public Repositories Should Be Restricted To Admins
Default Group Visibility Should Not Be Public
Default Project Visibility Should Not Be Public
Password Authentication For Git Over HTTP(S) Should Not Be Enabled
Server Should Not Allow Access To Unauthenticated Users With Sign-Up
Sign-Up Confirmation Email Should Be Mandatory
Two-factor Authentication Should Be Globally Enforced
Unauthenticated Requests Rate Limit Should Be Enabled
Webhooks Should Not Be Allowed To Be Sent To The Local Network
Group Policies
Forking of Repositories to External Namespaces Should Be Disabled
Group Should Enforce Branch Protection
Two-Factor Authentication Grace Period Should Not Be Longer Than One Week
Two-Factor Authentication Should Be Enforced For The Group
Webhooks Should Be Configured To Use SSL
Member Policies
Administrators Should Have Activity in the Last 6 Months
Two Factor Authentication Should Be Enabled for Collaborators
Two Factor Authentication Should Be Enabled for External Collaborators
Project Policies
Default Branch Should Be Protected
Default Branch Should Limit Code Review to Code-Owners
Default Branch Should Not Allow Force Pushes
Default Branch Should Require All Commits To Be Signed
Default Branch Should Require Code Review
Default Branch Should Require Code Review By At Least Two Reviewers
Default Branch Should Require New Code Changes After Approval To Be Re-Approved
Forking Should Not Be Allowed for Private/Internal Projects
Merge Request Authors Should Not Be Able To Override the Approvers List
Overriding Predefined CI/CD Variables Should Be Restricted
Project Should Be Updated At Least Quarterly
Project Should Have A Low Owner Count
Project Should Require All Conversations To Be Resolved Before Merge
Project Should Require All Pipelines to Succeed
Repository Should Not Allow Committer Approvals
Repository Should Not Allow Review Requester To Approve Their Own Request
Webhook Configured Without SSL Verification