Security Posture

Security posture is calculated by running a set of checks on the source code of each component.

This includes direct and transitive dependencies.

List of Security Posture Checks

Branch Protection: Are the default and release branches protected with GitHub's branch protection settings?
Pinned Dependencies: Has the project declared and pinned its dependencies?
Dangerous Workflow: Does the project's GitHub Action workflows avoid dangerous patterns?
Static Application Security Testing (SAST): Does the project use static code analysis?
Dependency Update Tool: Does the project use a dependency update tool?
Security Policy: Has the project published a security policy?
Fuzzing: Does the project use fuzzing in OSS-Fuzz?
Token Permissions: Is the project following the principle of least privilege?
Packaging: Has the project been published as a package that others can easily download, install, update, and uninstall?
Webhooks: Are the webhooks defined in the repository token configured?

Count of components that have security posture issues is displayed towards left, along with the category of the components (open-source, private, third-party, unknown).
The security posture issue count is displayed towards the right, grouped by severity (critical, high, medium, low).
Each tile is clickable which will list down the components applicable to that filter in a table view. The details will list the component name, version and a capsule for security posture checks.
By clicking the security posture checks capsule, next level details will be shown as below.
By clicking on any row, the sidesheet shows up as shown below.

Last updated 11 months ago