Security Posture


Last updated 11 months ago

What is Security Posture?

Security posture is calculated by running a set of checks on the source code of each component.

This includes direct and transitive dependencies.

List of Security Posture Checks

  • Branch Protection: Are the default and release branches protected with GitHub's branch protection settings?

  • Pinned Dependencies: Has the project declared and pinned its dependencies?

  • Dangerous Workflow: Do the project's GitHub Actions workflows avoid dangerous patterns?

  • Static Application Security Testing (SAST): Does the project use static code analysis?

  • Dependency Update Tool: Does the project use a dependency update tool?

  • Security Policy: Has the project published a security policy?

  • Fuzzing: Does the project use fuzzing in OSS-Fuzz?

  • Token Permissions: Is the project following the principle of least privilege?

  • Packaging: Has the project been published as a package that others can easily download, install, update, and uninstall?

  • Webhooks: Are the webhooks defined in the repository configured with a token?
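As an added example, not Lineaje's own code: a small Python script that implements simplified versions of four of the checks listed above (Pinned Dependencies, Token Permissions, Dangerous Workflow and Security Policy) over an in-memory snapshot of a repository, and then groups the findings by severity the way the posture view does. The sample workflow file, the heuristics, and the severity assigned to each finding are assumptions for illustration; this page does not describe how Lineaje implements its checks or maps them to severities.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample repository (not a real project): one GitHub Actions
# workflow file and no SECURITY.md. Each check below reads from this dict.
SAMPLE_REPO: Dict[str, str] = {
    ".github/workflows/ci.yml": """\
name: ci
on:
  push:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a667ec4b5
      - run: pip install -r requirements.txt
""",
    "README.md": "# demo\n",
}

# A finding is (check name, severity, detail). Severities are assumed for this example.
Finding = Tuple[str, str, str]

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
_SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def workflow_files(repo: Dict[str, str]) -> Dict[str, str]:
    """Return only the GitHub Actions workflow files in the snapshot."""
    return {p: c for p, c in repo.items()
            if p.startswith(".github/workflows/") and p.endswith((".yml", ".yaml"))}


def check_pinned_dependencies(repo: Dict[str, str]) -> List[Finding]:
    """Pinned Dependencies: every `uses:` reference should name a full commit SHA,
    not a mutable tag or branch (local `./` and `docker://` actions are not handled here)."""
    findings: List[Finding] = []
    for path, text in workflow_files(repo).items():
        for line in text.splitlines():
            m = _USES_RE.match(line)
            if m and not _SHA_RE.search(m.group(1)):
                findings.append(("Pinned Dependencies", "medium",
                                 f"{path}: {m.group(1)} is not pinned to a commit SHA"))
    return findings


def check_token_permissions(repo: Dict[str, str]) -> List[Finding]:
    """Token Permissions: a workflow with no top-level `permissions:` block runs with the
    repository's default GITHUB_TOKEN scope instead of an explicit least-privilege scope."""
    findings: List[Finding] = []
    for path, text in workflow_files(repo).items():
        top_level = [ln.split(":")[0] for ln in text.splitlines() if ln and not ln[0].isspace()]
        if "permissions" not in top_level:
            findings.append(("Token Permissions", "high", f"{path}: no top-level permissions block"))
    return findings


def check_dangerous_workflow(repo: Dict[str, str]) -> List[Finding]:
    """Dangerous Workflow: the `pull_request_target` trigger combined with a checkout of the
    pull request head runs untrusted code with the base repository's secrets."""
    findings: List[Finding] = []
    for path, text in workflow_files(repo).items():
        if ("pull_request_target" in text and "uses: actions/checkout" in text
                and "github.event.pull_request.head" in text):
            findings.append(("Dangerous Workflow", "critical",
                             f"{path}: pull_request_target checks out the PR head"))
    return findings


def check_security_policy(repo: Dict[str, str]) -> List[Finding]:
    """Security Policy: the project should publish a SECURITY.md in a conventional location."""
    locations = {"SECURITY.md", "security.md", ".github/SECURITY.md", "docs/SECURITY.md"}
    if not any(p in locations for p in repo):
        return [("Security Policy", "low", "no SECURITY.md found")]
    return []


CHECKS: List[Callable[[Dict[str, str]], List[Finding]]] = [
    check_pinned_dependencies, check_token_permissions,
    check_dangerous_workflow, check_security_policy,
]


def security_posture(repo: Dict[str, str]) -> List[Finding]:
    """Run every check over the repository snapshot and collect the findings."""
    findings: List[Finding] = []
    for check in CHECKS:
        findings.extend(check(repo))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Group findings by severity, as the posture view does (critical, high, medium, low)."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for name, severity, detail in security_posture(SAMPLE_REPO):
        print(f"[{severity:8}] {name}: {detail}")
    print(count_by_severity(security_posture(SAMPLE_REPO)))
```

Running the script against the constructed repository produces one finding per check. Adding a SECURITY.md to the snapshot, pinning `actions/checkout` to a commit SHA, or declaring a top-level `permissions:` block clears the corresponding finding, which is the same remediation loop a team would follow when a posture tile shows a non-zero count.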

Understanding Security Posture

  • The count of components that have security posture issues is displayed on the left, along with the category of each component (open-source, private, third-party, unknown).

  • The count of security posture issues is displayed on the right, grouped by severity (critical, high, medium, low).

  • Each tile is clickable; clicking it lists the components matching that filter in a table view. The table shows the component name, version, and a capsule for the security posture checks.

  • Clicking the security posture checks capsule shows the next level of details, as shown below.

  • Clicking any row opens the side sheet, as shown below.