Security Posture

What is Security Posture?

Security posture is calculated by running a set of checks against the source repository of each component: its code, its build and workflow configuration, and its repository settings.

This includes direct and transitive dependencies.

List of Security Posture Checks

  • Branch Protection: Are the default and release branches protected with GitHub's branch protection settings?

  • Pinned Dependencies: Has the project declared its dependencies and pinned them to immutable references (such as a commit hash or a hash-verified version) rather than mutable tags or version ranges?

  • Dangerous Workflow: Do the project's GitHub Actions workflows avoid dangerous patterns, such as checking out and running untrusted pull-request code in a privileged workflow, or interpolating untrusted input directly into shell commands?

  • Static Application Security Testing (SAST): Does the project use static code analysis?

  • Dependency Update Tool: Does the project use a dependency update tool?

  • Security Policy: Has the project published a security policy?

  • Fuzzing: Does the project use fuzzing in OSS-Fuzz?

  • Token Permissions: Do the project's workflows follow the principle of least privilege by limiting the GITHUB_TOKEN permissions to what each job actually needs?

  • Packaging: Has the project been published as a package that others can easily download, install, update, and uninstall?

  • Webhooks: Do the webhooks defined in the repository have a secret token configured, so that deliveries can be authenticated by the receiver?
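To make the Pinned Dependencies, Dangerous Workflow, Token Permissions and Dependency Update Tool checks concrete, here is an added example that is not from this page or from the product it documents: a hypothetical `.github/workflows/ci.yml` shown first in a form that fails those checks and then in a hardened form, followed by a minimal `.github/dependabot.yml`. The workflow names, the `make test` target, the `requirements.txt` file and the `<commit-sha>` placeholder are assumptions; the placeholder must be replaced with the full 40-character commit SHA that the referenced tag resolves to.

```yaml
# Added example (not the page's or the product's own configuration).
# Two versions of a hypothetical workflow for a repository that builds
# pull requests, separated as YAML documents by "---".

# --- Weak: flagged by Pinned Dependencies, Dangerous Workflow and
# --- Token Permissions ------------------------------------------------
name: ci-weak
on:
  pull_request_target:      # runs with a write token and secrets, even for fork PRs
jobs:
  build:
    runs-on: ubuntu-latest
    # No `permissions` block: GITHUB_TOKEN gets the repository default,
    # which is far broader than a build job needs.
    steps:
      - uses: actions/checkout@v4                          # mutable tag, not a commit SHA
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out untrusted PR code into a privileged job
      - run: echo "Building ${{ github.event.pull_request.title }}"   # untrusted input expanded into the shell: script injection
      - run: pip install requests                          # unpinned package, no hash verification
      - run: make test
---
# --- Hardened: passes the same checks ---------------------------------
name: ci-hardened
on:
  pull_request:             # fork PRs get a read-only token and no secrets
permissions: {}             # start from no permissions at the workflow level
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # the only permission a checkout-and-test job needs
    env:
      # Untrusted input is passed through an environment variable, so the
      # shell sees a quoted value rather than a template expansion.
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      # Third-party actions pinned to a full commit SHA; the trailing comment
      # records the tag the SHA was resolved from. <commit-sha> is a
      # placeholder (assumption): substitute the real 40-character SHA.
      - uses: actions/checkout@<commit-sha>  # v4
      - run: echo "Building $PR_TITLE"
      - run: pip install --require-hashes -r requirements.txt   # hash-pinned Python packages
      - run: make test
---
# --- .github/dependabot.yml: satisfies Dependency Update Tool and keeps
# --- the SHA pins above current -----------------------------------------
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
```

The two changes with the largest effect are the trigger and the token: `pull_request` instead of `pull_request_target` removes secrets and write access from fork-originated runs, and `permissions: {}` at the top level means every job has to opt in to exactly the scopes it uses. SHA pinning without an update tool tends to rot, which is why the Dependabot config is paired with it.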

Understanding Security Posture

  • The count of components that have security posture issues is displayed on the left, broken down by component category (open-source, private, third-party, unknown).

  • The count of security posture issues is displayed on the right, grouped by severity (critical, high, medium, low).

  • Each tile is clickable and lists the components matching that filter in a table view. The table shows the component name, the version and a capsule summarizing the security posture checks.

  • Clicking the security posture checks capsule opens the next level of detail: the result of each individual check for that component.

  • Clicking any row opens a side sheet with the full details for that component.
