Security Posture
Last updated
Security posture is calculated by running a set of checks against the source code of each component, including its direct and transitive dependencies.
List of Security Posture Checks
Branch Protection: Are the default and release branches protected with GitHub's branch protection settings?
Pinned Dependencies: Has the project declared and pinned its dependencies?
Dangerous Workflow: Do the project's GitHub Actions workflows avoid dangerous patterns, such as running untrusted pull request code with a privileged token or interpolating untrusted event data into scripts?
Static Application Security Testing (SAST): Does the project use static code analysis?
Dependency Update Tool: Does the project use a dependency update tool?
Security Policy: Has the project published a security policy?
Fuzzing: Does the project use fuzzing in OSS-Fuzz?
Token Permissions: Do the project's workflow tokens (GITHUB_TOKEN) follow the principle of least privilege?
Packaging: Has the project been published as a package that others can easily download, install, update, and uninstall?
Webhooks: Do the webhooks defined in the repository have a token configured to secure their origins?
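The checks above are described by the question each one answers. As an added example (not code from this page or from the product it documents), here is a small Python scanner that implements three of them over a GitHub Actions workflow file: Pinned Dependencies, Token Permissions and Dangerous Workflow. It is line-based rather than a full YAML parser, the severity assigned to each check is an assumption (the page lists the severity buckets but not which check lands in which), and both sample workflows are constructed, with a placeholder commit SHA rather than a real one.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed check -> severity mapping; the page names the buckets, not which check lands where.
SEVERITY = {"Dangerous-Workflow": "critical", "Token-Permissions": "high", "Pinned-Dependencies": "medium"}

SHA40 = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
PR_TARGET = re.compile(r"^\s*(?:-\s*)?pull_request_target\b|^on:.*\bpull_request_target\b")
CHECKOUT_HEAD = re.compile(r"^\s*ref:.*github\.event\.pull_request\.head\.")
# Event fields an outside contributor controls; inside a shell script they become command injection.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:issue\.(?:title|body)|pull_request\.(?:title|body"
    r"|head\.(?:ref|label))|(?:comment|review|review_comment)\.body|head_commit\.message))\b"
)


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    line: int  # 1-based line in the workflow; 0 when the whole file is at fault
    message: str


def _run_script_lines(lines):
    """Yield (lineno, text) for every line that ends up inside a step's `run:` script."""
    in_block, block_indent = False, 0
    for no, line in enumerate(lines, 1):
        m = RUN.match(line)
        if m:
            if m.group(3).strip() in ("|", "|-", "|+", ">", ">-", ">+"):  # block scalar follows
                in_block, block_indent = True, len(m.group(1)) + len(m.group(2) or "")
            else:
                in_block = False
                yield no, m.group(3)
        elif in_block:
            if not line.strip() or len(line) - len(line.lstrip(" ")) > block_indent:
                yield no, line
            else:
                in_block = False


def scan_workflow(text: str) -> list[Finding]:
    """Run the Pinned Dependencies, Token Permissions and Dangerous Workflow checks on one file."""
    lines, out = text.splitlines(), []

    def add(check: str, line: int, msg: str) -> None:
        out.append(Finding(check, SEVERITY[check], line, msg))

    # Pinned Dependencies: tags and branches can be moved later; only a full commit SHA is immutable.
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            if not SHA40.fullmatch(m.group(1).partition("@")[2]):
                add("Pinned-Dependencies", no, f"{m.group(1)} is not pinned to a commit SHA")
    # Token Permissions: with nothing declared at workflow level (column 0), GITHUB_TOKEN
    # gets the repository default scopes instead of an explicit least-privilege set.
    if not any(l.startswith("permissions:") for l in lines):
        add("Token-Permissions", 0, "no top-level permissions block")
    # Dangerous Workflow: pull_request_target runs with a privileged token, so checking out the
    # PR head there executes untrusted code with write access; untrusted data in a script injects.
    if any(PR_TARGET.search(l) for l in lines):
        for no, line in enumerate(lines, 1):
            if CHECKOUT_HEAD.match(line):
                add("Dangerous-Workflow", no, "pull_request_target checks out the untrusted PR head")
    for no, script in _run_script_lines(lines):
        if UNTRUSTED_CONTEXT.search(script):
            add("Dangerous-Workflow", no, "untrusted event data interpolated into a run script")
    return sorted(out, key=lambda f: f.line)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Issue count per severity bucket, as the tiles on the right of the view show it."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample workflow (not from any real project) that trips all three checks.
WEAK_WORKFLOW = """\
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
"""

# Hardened form: read-only token, SHA-pinned action, untrusted data passed through env.
HARDENED_WORKFLOW = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, constructed
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "New PR: $PR_TITLE"
"""
```

On WEAK_WORKFLOW the scanner reports an unpinned action, a missing permissions block, and two Dangerous Workflow findings: the pull_request_target checkout of the PR head and the PR title interpolated into a shell script. HARDENED_WORKFLOW, which pins the action by SHA, declares a read-only token and passes the title through an environment variable so the shell never sees an expanded expression, reports nothing. A production checker would parse the YAML properly and resolve per-job permissions; the scan here is kept to what the check descriptions above cover.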
The count of components with security posture issues is displayed on the left, broken down by component category (open-source, private, third-party, unknown).
The count of security posture issues is displayed on the right, grouped by severity (critical, high, medium, low).
Each tile is clickable and lists the components matching that filter in a table view. The table shows the component name, version and a capsule for the security posture checks.
Clicking the security posture checks capsule shows the next level of detail, as shown below.
Clicking any row opens the side sheet, as shown below.