From 9ef4074e80e0f4048834c4277014e5e9ebadaf23 Mon Sep 17 00:00:00 2001
From: resheetk <108011346+resheetk@users.noreply.github.com>
Date: Sun, 23 Oct 2022 18:21:34 +0300
Subject: [PATCH] Severity mapping to controls (#94)
* severity mapping
* fixes
---
 .../access-to-artifacts/rules.metadata.json | 2 +
 .../package-registries/rules.metadata.json | 1 +
 .../pipeline-instructions/rules.metadata.json | 4 ++
 .../pipeline-integrity/rules.metadata.json | 2 +
 .../third-party-packages/rules.metadata.json | 1 +
 .../validate_packages/rules.metadata.json | 2 +
 .../code-changes/rules.metadata.json | 48 +++++++++++--------
 .../contribution-access/rules.metadata.json | 15 +++---
 .../repository-management/rules.metadata.json | 4 ++
 9 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/internal/checks/artifacts/access-to-artifacts/rules.metadata.json b/internal/checks/artifacts/access-to-artifacts/rules.metadata.json
index d01d01c..a7762b6 100644
--- a/internal/checks/artifacts/access-to-artifacts/rules.metadata.json
+++ b/internal/checks/artifacts/access-to-artifacts/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "4.2.3": {
 "title": "Ensure user's access to the package registry utilizes MFA",
+ "severity": "Critical",
 "type": "ARTIFACT",
 "entity": "PackageRegistry",
 "description": "Enforce Multi Factor Authentication for user access to the package registry.",
@@ -14,6 +15,7 @@
 },
 "4.2.5": {
 "title": "Ensure anonymous access to artifacts is revoked",
+ "severity": "Critical",
 "type": "ARTIFACT",
 "entity": "PackageRegistry",
 "description": "Disable anonymous access to artifacts.",
diff --git a/internal/checks/artifacts/package-registries/rules.metadata.json b/internal/checks/artifacts/package-registries/rules.metadata.json
index dd628b5..b6f09bb 100644
--- a/internal/checks/artifacts/package-registries/rules.metadata.json
+++ b/internal/checks/artifacts/package-registries/rules.metadata.json
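Review bot: The new `"severity"` values added throughout this patch are free-form strings, and nothing in the diff constrains them to the four values actually used (Critical, High, Medium, Low), so a typo such as `"Critcal"` in any of the nine files would load without error; if the consumer ranks findings or applies a fail-on threshold by severity, an unrecognized value presumably falls through to some default, which is hard to notice. Add a JSON Schema fragment or a unit test over every `rules.metadata.json` asserting that `severity` is present on every check and is one of the four values, e.g. `"severity": {"enum": ["Critical", "High", "Medium", "Low"]}`. Documenting what each tier means in the contributor docs would also help, since the rating criteria are not visible in these files.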
@@ -5,6 +5,7 @@
 "checks": {
 "4.3.4": {
 "title": "Ensure webhooks of the package registry are secured",
+ "severity": "Critical",
 "type": "ARTIFACT",
 "entity": "PackageRegistry",
 "description": "Use secured webhooks of the package registry.",
diff --git a/internal/checks/build-pipelines/pipeline-instructions/rules.metadata.json b/internal/checks/build-pipelines/pipeline-instructions/rules.metadata.json
index 054c381..30cdfee 100644
--- a/internal/checks/build-pipelines/pipeline-instructions/rules.metadata.json
+++ b/internal/checks/build-pipelines/pipeline-instructions/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "2.3.1": {
 "title": "Ensure all build steps are defined as code",
+ "severity": "High",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "Use Pipeline as Code for build pipelines and their defined steps.",
@@ -14,6 +15,7 @@
 },
 "2.3.5": {
 "title": "Ensure access to the build process's triggering is minimized",
+ "severity": "Medium",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "Restrict access to the pipelines' triggers.",
@@ -23,6 +25,7 @@
 },
 "2.3.7": {
 "title": "Ensure pipelines are automatically scanned for vulnerabilities",
+ "severity": "Critical",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "Scan pipelines for vulnerabilities. It is recommended to do that automatically.",
@@ -32,6 +35,7 @@
 },
 "2.3.8": {
 "title": "Ensure scanners are in place to identify and prevent sensitive data in pipeline files",
+ "severity": "Critical",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "Detect and prevent sensitive data, such as confidential ID numbers, passwords, etc. in pipelines.",
diff --git a/internal/checks/build-pipelines/pipeline-integrity/rules.metadata.json b/internal/checks/build-pipelines/pipeline-integrity/rules.metadata.json
index c1ea638..f6b7542 100644
--- a/internal/checks/build-pipelines/pipeline-integrity/rules.metadata.json
+++ b/internal/checks/build-pipelines/pipeline-integrity/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "2.4.2": {
 "title": "Ensure all external dependencies used in the build process are locked",
+ "severity": "Critical",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "External dependencies might be public packages needed in the pipeline or even the public image used for the build worker. Lock these external dependencies in every build pipeline.",
@@ -14,6 +15,7 @@
 },
 "2.4.6": {
 "title": "Ensure pipeline steps produce an SBOM",
+ "severity": "High",
 "type": "BUILD",
 "entity": "Pipeline",
 "description": "SBOM (Software Bill Of Materials) is a file that specifies each component of software or a build process. Generate an SBOM after each run of a pipeline.",
diff --git a/internal/checks/dependencies/third-party-packages/rules.metadata.json b/internal/checks/dependencies/third-party-packages/rules.metadata.json
index 1e362b2..037248e 100644
--- a/internal/checks/dependencies/third-party-packages/rules.metadata.json
+++ b/internal/checks/dependencies/third-party-packages/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "3.1.7": {
 "title": "Ensure dependencies are pinned to a specific, verified version",
+ "severity": "Critical",
 "type": "DEPENDENCIES",
 "entity": "Dependencies",
 "description": "Pin dependencies to a specific version. Avoid using the \"latest\" tag or broad version.",
diff --git a/internal/checks/dependencies/validate_packages/rules.metadata.json b/internal/checks/dependencies/validate_packages/rules.metadata.json
index ebbc7e3..26bd6d1 100644
--- a/internal/checks/dependencies/validate_packages/rules.metadata.json
+++ b/internal/checks/dependencies/validate_packages/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "3.2.2": {
 "title": "Ensure packages are automatically scanned for known vulnerabilities",
+ "severity": "Critical",
 "type": "DEPENDENCIES",
 "entity": "Dependencies",
 "description": "Automatically scan every package for vulnerabilities.",
@@ -14,6 +15,7 @@
 },
 "3.2.3": {
 "title": "Ensure packages are automatically scanned for license implications",
+ "severity": "High",
 "type": "DEPENDENCIES",
 "entity": "Dependencies",
 "description": "A software license is a document that provides legal conditions and guidelines for the use and distribution of software, usually defined by the author. It is recommended to scan for any legal implications automatically.",
diff --git a/internal/checks/source-code/code-changes/rules.metadata.json b/internal/checks/source-code/code-changes/rules.metadata.json
index d52fe3a..a012c6b 100644
--- a/internal/checks/source-code/code-changes/rules.metadata.json
+++ b/internal/checks/source-code/code-changes/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "1.1.3": {
 "title": "Ensure any change to code receives approval of two strongly authenticated users",
+ "severity": "Medium",
 "type": "SCM",
 "entity": "Branch",
 "description": "Ensure that every code change is reviewed and approved by two authorized contributors who are strongly authenticated.",
@@ -12,21 +13,23 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Medium"
+ ]
+
 },
 "1.1.4": {
 "title": "Ensure previous approvals are dismissed when updates are introduced to a code change proposal",
+ "severity": "High",
 "type": "SCM",
 "entity": "Branch",
 "description": "Ensure updates to a proposed code change require re-approval of reviewers",
 "remediation": "For each code repository in use, enforce an organization-wide policy to dismiss given approvals to code change suggestions if those suggestions were updated.",
 "scannerType": "Rego",
- "slsa_level": [],
- "severity": "High"
+ "slsa_level": []
+
 },
 "1.1.5": {
 "title": "Ensure that there are restrictions on who can dismiss code change reviews",
+ "severity": "High",
 "type": "SCM",
 "entity": "Branch",
 "description": "Only trusted users should be allowed to dismiss code change reviews",
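Review bot: The rewritten tails of 1.1.3 and 1.1.4 in the `@@ -12,21 +13,23 @@` hunk introduce an empty line between the closing `]` (or `"slsa_level": []`) and the `},` — the `+ ]` followed by a bare `+` line — while every other check in the file keeps `]` and `},` adjacent; the hunk's line counts only add up with that blank line present. It is valid JSON, but it reads as a leftover from relocating the `severity` key rather than intentional formatting, and the same stray line appears at the 1.1.6 and 1.1.9 tails in later hunks. Run the file through a formatter (`jq . rules.metadata.json`) or drop the extra lines so the layout stays uniform across the nine files touched here.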
@@ -36,6 +39,7 @@
 },
 "1.1.6": {
 "title": "Ensure code owners are set for extra sensitive code or configuration",
+ "severity": "Medium",
 "type": "SCM",
 "entity": "Branch",
 "description": "Code owners are trusted users that are responsible for reviewing and managing an important piece of code or configuration. Set code owners for every extremely sensitive code or configuration.",
@@ -43,11 +47,12 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Medium"
+ ]
+
 },
 "1.1.8": {
 "title": "Ensure inactive branches are reviewed and removed periodically",
+ "severity": "Medium",
 "type": "SCM",
 "entity": "Repository",
 "description": "Keep track of code branches that are inactive for a period of time and remove them periodically.",
@@ -57,6 +62,7 @@
 },
 "1.1.9": {
 "title": "Ensure all checks have passed before the merge of new code",
+ "severity": "High",
 "type": "SCM",
 "entity": "Branch",
 "description": "Before a code change request can be merged to the codebase, all pre-defined checks must successfully pass.",
@@ -64,31 +70,32 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Medium"
+ ]
+
 },
 "1.1.10": {
 "title": "Ensure open git branches are up to date before they can be merged into codebase",
+ "severity": "High",
 "type": "SCM",
 "entity": "Branch",
 "description": "Organizations should make sure each suggested code change is in full sync with the existing state of its origin code repository, before allowing to merge it in.",
 "remediation": "For each code repository in use, enforce a policy to only allow merging open branches if they are current with the latest change from their origin repository.",
 "scannerType": "Rego",
- "slsa_level": [],
- "severity": "Medium"
+ "slsa_level": []
 },
 "1.1.11": {
 "title": "Ensure all open comments are resolved before allowing to merge code changes",
+ "severity": "Low",
 "type": "SCM",
 "entity": "Branch",
 "description": "Organizations should enforce a \"no open comments\" policy before allowing to merge code changes.",
 "remediation": "For each code repository in use, require open comments to be resolved before the relevant code change can be merged.",
 "scannerType": "Rego",
- "slsa_level": [],
- "severity": "Low"
+ "slsa_level": []
 },
 "1.1.12": {
 "title": "Ensure verifying signed commits of new changes before merging",
+ "severity": "High",
 "type": "SCM",
 "entity": "Branch",
 "description": "Ensure every commit in pull request is signed and verified before merge",
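Review bot: This hunk changes the existing rating of 1.1.9 and 1.1.10 from Medium to High — the removed `- "severity": "Medium"` lines against the added `+ "severity": "High"` — while the commit message only says "severity mapping", so a reader skimming the log would assume every severity here is new rather than re-graded. Any consumer that fails a run on High findings will start failing on these two controls after this change, which is a behavioural change worth a sentence of rationale in the commit message or changelog. The 1.1.9 tail also carries a stray blank line after `]` (`+ ]` then a bare `+`) that the 1.1.10 and 1.1.11 tails in the same hunk do not.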
@@ -96,11 +103,11 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "High"
+ ]
 },
 "1.1.13": {
 "title": "Ensure linear history is required",
+ "severity": "Low",
 "type": "SCM",
 "entity": "Repository",
 "description": "Linear history is the name for Git history where all of the commits come one after another. Such history exists if a pull request is merged either by rebase merge (re-order the commits history) or squash merge (squashes all commits to one). Ensure that linear history is required by enforcing the use of rebase or squash merge when merging a pull request.",
@@ -109,11 +116,11 @@
 "slsa_level": [
 3,
 4
- ],
- "severity": "Medium"
+ ]
 },
 "1.1.14": {
 "title": "Ensure branch protection rules are enforced on administrators",
+ "severity": "High",
 "type": "SCM",
 "entity": "Repository",
 "description": "Ensure administrators are subject to branch protection rules.",
@@ -125,6 +132,7 @@
 },
 "1.1.15": {
 "title": "Ensure pushing of new code is restricted to specific individuals or teams",
+ "severity": "Critical",
 "type": "SCM",
 "entity": "Repository",
 "description": "Enforce that only trusted users can push to protected branches.",
@@ -132,11 +140,11 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Critical"
+ ]
 },
 "1.1.16": {
 "title": "Ensure force pushes code to branches is denied",
+ "severity": "Critical",
 "type": "SCM",
 "entity": "Repository",
 "description": "The 'force push' option allows users with 'push' permissions to force their changes directly to the branch without PR and it should be disabled.",
@@ -144,11 +152,11 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Critical"
+ ]
 },
 "1.1.17": {
 "title": "Ensure branch deletions are denied",
+ "severity": "Critical",
 "type": "SCM",
 "entity": "Repository",
 "description": "Ensure that users with push access only can't delete a protected branch.",
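Review bot: The `+ "severity": "Low"` added to 1.1.13 in the `@@ -96,11 +103,11 @@` hunk replaces the `"severity": "Medium"` that the following hunk removes from the same check, so this is a downgrade of an existing rating rather than a new mapping, and nothing in the commit message explains it. Required linear history is arguably a hygiene control, so Low may well be the right tier, but intent cannot be recovered from the diff; state the rationale in the commit message or a changelog entry so consumers that report on severity drift are not surprised.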
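Review bot: 1.1.14 (branch protection rules enforced on administrators) is rated High in the `@@ -109,11 +116,11 @@` hunk, while the controls it backstops — 1.1.15 push restriction, 1.1.16 force-push denial and 1.1.17 deletion denial, all added as Critical in the hunks that follow — can be bypassed outright by any repository admin when admin enforcement is off. Unless the rating scale deliberately distinguishes "a control exists but admins skip it" from "the control is absent", placing 1.1.14 a tier below those three undercuts them; consider `"severity": "Critical"` for 1.1.14, or record why admin enforcement is rated lower.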
diff --git a/internal/checks/source-code/contribution-access/rules.metadata.json b/internal/checks/source-code/contribution-access/rules.metadata.json
index 6591e4c..be8882d 100644
--- a/internal/checks/source-code/contribution-access/rules.metadata.json
+++ b/internal/checks/source-code/contribution-access/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "1.3.1": {
 "title": "Ensure inactive users are reviewed and removed periodically",
+ "severity": "High",
 "type": "SCM",
 "entity": "Repository",
 "description": "Track inactive user accounts and periodically remove them.",
@@ -12,11 +13,11 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "High"
+ ]
 },
 "1.3.3": {
 "title": "Ensure minimum admins are set for the organization",
+ "severity": "High",
 "type": "SCM",
 "entity": "Organization",
 "description": "Ensure the organization has a minimum number of admins.",
@@ -28,6 +29,7 @@
 },
 "1.3.5": {
 "title": "Ensure the organization is requiring members to use MFA",
+ "severity": "Critical",
 "type": "SCM",
 "entity": "Organization",
 "description": "Require members of the organization to use Multi-Factor Authentication, in addition to using a standard user name and password, when authenticating to the source code management platform.",
@@ -36,11 +38,11 @@
 "slsa_level": [
 3,
 4
- ],
- "severity": "Critical"
+ ]
 },
 "1.3.7": {
 "title": "Ensure 2 admins are set for each repository",
+ "severity": "High",
 "type": "SCM",
 "entity": "Repository",
 "description": "Ensure every repository has 2 users with admin permissions to it.",
@@ -52,6 +54,7 @@
 },
 "1.3.8": {
 "title": "Ensure strict base permissions are set for repositories",
+ "severity": "High",
 "type": "SCM",
 "entity": "Organization",
 "description": "Base permissions define the permission level granted to all the organization members automatically. Define strict base access permissions for all of the repositories in the organization, which should apply to new ones as well.",
@@ -59,11 +62,11 @@
 "scannerType": "Rego",
 "slsa_level": [
 4
- ],
- "severity": "Medium"
+ ]
 },
 "1.3.9": {
 "title": "Ensure an organization's identity is confirmed with a Verified badge",
+ "severity": "High",
 "type": "SCM",
 "entity": "Organization",
 "description": "Verify the domains that the organization owns",
diff --git a/internal/checks/source-code/repository-management/rules.metadata.json b/internal/checks/source-code/repository-management/rules.metadata.json
index a9364e0..06b355f 100644
--- a/internal/checks/source-code/repository-management/rules.metadata.json
+++ b/internal/checks/source-code/repository-management/rules.metadata.json
@@ -5,6 +5,7 @@
 "checks": {
 "1.2.1": {
 "title": "Ensure all public repositories contain a SECURITY.md file",
+ "severity": "Low",
 "type": "SCM",
 "entity": "Repository",
 "description": "SECURITY.md file is a security policy file, which gives people instructions when they are reporting security vulnerabilities in a project. When someone creates an issue in that project, a link to the SECURITY.md file will be shown.",
@@ -14,6 +15,7 @@
 },
 "1.2.2": {
 "title": "Ensure repository creation is limited to specific members",
+ "severity": "Medium",
 "type": "SCM",
 "entity": "Organization",
 "description": "Limit the ability to create repositories to trusted users and teams.",
@@ -23,6 +25,7 @@
 },
 "1.2.3": {
 "title": "Ensure repository deletion is limited to specific members",
+ "severity": "Medium",
 "type": "SCM",
 "entity": "Organization",
 "description": "Ensure only a limited number of trusted members can delete repositories.",
@@ -32,6 +35,7 @@
 },
 "1.2.4": {
 "title": "Ensure issue deletion is limited to specific members",
+ "severity": "High",
 "type": "SCM",
 "entity": "Organization",
 "description": "Ensure only trusted an responsible members can delete issues.",
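Review bot: The `@@ -59,11 +62,11 @@` hunk removes `"severity": "Medium"` from 1.3.8 (strict base permissions) after the previous hunk added `"severity": "High"` to the same check, so this is a re-grade of an existing rating that the commit message, which only describes adding mappings, does not mention. A consumer that fails a run on High findings will start failing on this control after upgrading; call the change out explicitly, together with the 1.1.9, 1.1.10 and 1.1.13 re-grades in the code-changes file, so the severity drift is traceable.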
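Review bot: 1.2.4 (issue deletion limited to specific members) is rated High in the last hunk while 1.2.3 (repository deletion limited to specific members) in the preceding hunk is rated Medium; losing an entire repository is strictly worse than losing an issue, so the ordering looks inverted. Either raise 1.2.3 to at least the tier of 1.2.4 (`"severity": "High"`) or lower 1.2.4, and note the reasoning if the inversion is intentional. The context line of that hunk also carries a pre-existing typo in the description, `trusted an responsible` → `trusted and responsible`, worth fixing while the file is being touched.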