baseline.yaml

# baseline.yaml should be used as the source of
# truth for the Open Source Project Security
# Baseline. This data should be used to generate
# supplemental user-facing assets.
#
# max-line-length 52 for optimized github diff
#
# # # #
#
# criterion
#
# ID is a unique identifier for the requirement.
# The form is OSPS-<CAT>-<NUM> where
# - <CAT> is a two-letter abbreviation of the
#   category
# - <NUM> is a sequentially-assigned two-digit
#   number within a category
#
# maturity_level is the level of maturity for the
# requirement. 1 is the lowest level of maturity,
# and 3 is the highest level of maturity.
#
# category is the area of focus for the
# requirement. This could be Access Control, Build
# & Release, Documentation, Quality, or Legal.
#
# criterion should be a concise statement of the
# requirement. It should contain MUST or MUST NOT
# and be written in present tense. The first term
# should be the subject of the requirement, and
# the terms following MUST/MUST NOT should describe
# the required behavior.
#
# rationale should be a concise statement of the
# goal of the requirement. It should be written in
# present tense and describe the desired outcome.
#
# details should be a concise statement of
# how to meet the requirement. It should be written
# in present tense and describe the steps to take
# to meet the requirement. It may include
# recommendations or best practices.
#
criteria:

  - id: OSPS-AC-01
    maturity_level: 1
    category: Access Control
    criterion: |
      The project's version control system MUST
      require multi-factor authentication for
      collaborators modifying the project
      repository settings or accessing sensitive
      data.
    rationale: |
      Protect against unauthorized access to
      sensitive areas of the project's repository,
      reducing the risk of account compromise or
      insider threats. Passwords are often easily captured,
      either during communication or on servers,
      so depending solely on passwords is a weaker
      form of authentication.
    details: |
      Require multi-factor authentication (MFA) for the
      project's version control system, requiring
      collaborators to provide a second form of
      authentication when accessing sensitive data
      or modifying repository settings.
      For purposes of this criterion passkeys are considered
      details mechanism even though some detailss
      [might not strictly meet the MFA definition](https://www.passkeys.com/passkey-vs-mfa), as they require something have the private key
      (something you have) and often require some additional
      mechanism to enable.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None yet

  - id: OSPS-AC-02
    maturity_level: 1
    category: Access Control
    criterion: |
      The project's version control system MUST
      restrict collaborator permissions to the
      lowest available privileges by default.
    rationale: |
      Reduce the risk of unauthorized access to
      the project's repository by limiting the
      permissions granted to collaborators.
    details: |
      Configure the project's version control
      system to assign the lowest available
      permissions to collaborators by default when
      added, granting additional permissions only
      when necessary.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None yet

  - id: OSPS-AC-03
    maturity_level: 1
    category: Access Control
    criterion: |
      The project's version control system MUST
      prevent unintentional direct commits against
      the primary branch.
    rationale: |
      Reduce the risk of accidental changes to the
      primary branch of the project's repository,
      ensuring that due diligence is done before
      commits are merged.
    implementation: |
      If the VCS is centralized,
      set branch protection on the primary branch
      in the project's VCS
    details: |
      Set branch protection on the primary branch
      in the project's version control system
      requiring changes to be made through
      pull/merge requests or other review
      mechanisms.
      Alternatively, use a decentralized approach
      (like the Linux kernel's) where changes are
      first proposed in another repository, and
      merging changes into the primary repository
      requires a specific separate act.
    control_mappings: # TODO
    scorecard_probe:
      - blocksForcePushOnBranches

  - id: OSPS-AC-04
    maturity_level: 1
    category: Access Control
    criterion: |
      The project's version control system MUST
      prevent unintentional deletion of the
      primary branch.
    rationale: |
      Protect the primary branch of the project's
      repository from accidental deletion,
      ensuring that the project's history and
      codebase are preserved.
    details: |
      Set branch protection on the primary branch
      in the project's version control system to
      prevent deletion.
    control_mappings: # TODO
    scorecard_probe:
      - blocksDeleteOnBranches

  - id: OSPS-AC-05
    maturity_level: 2
    category: Access Control
    criterion: |
      The project's permissions in CI/CD pipelines
      MUST be configured to the lowest available
      privileges except when explicitly elevated.
    rationale: |
      Reduce the risk of unauthorized access to
      the project's build and release processes by
      limiting the permissions granted to steps
      within the CI/CD pipelines.
    details: |
      Configure the project's CI/CD pipelines to
      assign the lowest available permissions to
      users and services by default, elevating
      permissions only when necessary for specific
      tasks. In some version control systems, this
      may be possible at the organizational or
      repository level. If not, set permissions at
      the top level of the pipeline.
    control_mappings: # TODO
    scorecard_probe:
      - topLevelPermissions
      - jobLevelPermissions

  - id: OSPS-AC-07
    maturity_level: 3
    category: Access Control
    criterion: |
      The project's version control system MUST
      require multi-factor authentication that
      does not include SMS for users when
      modifying the project repository settings or
      accessing sensitive data.
    rationale: |
      Ensure that multi-factor authentication
      does not allow SMS as a factor, because
      SMS lacks encryption and may be vulnerable
      to attacks via Signaling System 7,
      social engineering, or SIM-swapping.
    details: | # NOTE: I don't think this is currently possible in GitHub
      Require multi-factor authentication methods
      that do not include SMS for users. Common
      alternatives include hardware tokens, mobile
      authenticator apps, or biometric
      authentication.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # TODO

  - id: OSPS-BR-01
    maturity_level: 1
    category: Build & Release
    criterion: |
      The project's build and release pipelines
      MUST NOT execute arbitrary code that is
      input from outside of the build script.
    rationale: |
      Reduce the risk of code injection or other
      security vulnerabilities in the project's
      build and release processes by restricting
      the execution of external code.
    details: |
      Ensure that the project's build and release
      pipelines do not execute arbitrary code
      provided from external sources.
    control_mappings: # TODO
    scorecard_probe:
      - hasDangerousWorkflowScriptInjection

  - id: OSPS-BR-02
    maturity_level: 1 # TODO: This should be lv2
    category: Build & Release
    criterion: |
      All releases and released software assets
      MUST be assigned a unique version
      identifier for each release intended to be
      used by users.
    rationale: |
      Ensure that each software asset produced by
      the  project is uniquely identified,
      enabling users to track changes and updates
      to the project over time.
    details: |
      Assign a unique version identifier to each
      release and associated software asset
      produced by the project, following a
      consistent naming convention or numbering
      scheme.
      Examples include SemVer, CalVer, or
      git commit id.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None, would need to be paired with SI

  - id: OSPS-BR-03
    maturity_level: 1
    category: Build & Release
    criterion: |
      Any websites, API responses or other
      services involved in the project development
      and release MUST be delivered using SSH,
      HTTPS or other encrypted channels.
    rationale: |
      Protect the confidentiality and integrity
      of data transmitted between the project's
      services and users, reducing the risk of
      eavesdropping or data tampering.
    details: |
      Configure the project's websites, API
      responses, and other services to use
      encrypted channels such as SSH or HTTPS for
      data transmission.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None, would need to be paired with SI

  - id: OSPS-BR-04
    maturity_level: 2
    category: Build & Release
    criterion: |
      All released software assets MUST be created
      with consistent, automated build and release
      pipelines.
    rationale: |
      Ensure that the project's software assets
      are built and released using consistent and
      automated processes, reducing the risk of
      errors or inconsistencies in the deployment
      and distribution of the software.
    details: |
      VCS-integrated pipelines are
      recommended to ensure consistency and
      automation in the build and release
      processes.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-BR-05
    maturity_level: 2
    category: Build & Release
    criterion: |
      All build and release pipelines MUST use
      standardized tooling where available to
      ingest dependencies at build time.
    rationale: |
      Ensure that the project's build and release
      pipelines use standardized tools and
      processes to manage dependencies, reducing
      the risk of compatibility issues or security
      vulnerabilities in the software.
    details: |
      Use a common tooling for your ecosystem,
      such as package managers or dependency
      management tools to ingest dependencies at
      build time. This may include using a
      dependency file, lock file, or manifest to
      specify the required dependencies, which are
      then pulled in by the build system.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # TODO

  - id: OSPS-BR-06
    maturity_level: 2
    category: Build & Release
    criterion: |
      All releases MUST provide a descriptive log
      of functional and security modifications.
    rationale: |
      Provide transparency and accountability for
      changes made to the project's software
      releases, enabling users to understand the
      modifications and improvements included in
      each release.
    details: |
      Ensure that all releases include a
      descriptive change log. 

      It is recommended to ensure that the change
      log is human-readable and includes details
      beyond commit messages, such as descriptions 
      of the security impact or relevance to
      different use cases.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # TODO, this might be possible if paired with SI to find the release location

  - id: OSPS-BR-08
    maturity_level: 2
    category: Build & Release
    criterion: |
      All released software assets MUST be signed
      or accounted for in a signed manifest
      including each asset's cryptographic hashes.
    rationale: |
      Provide users with a mechanism to verify the
      authenticity and integrity of released 
      software assets, reducing the risk of
      tampering or unauthorized modifications.
    details: |
      Sign all released software assets at build
      time with a cryptographic signature or
      attestations, such  as GPG or PGP signature,
      Sigstore signatures, SLSA provenance, or SLSA
      VSAs. Include the cryptographic hashes of
      each asset in a signed manifest or
      metadata file.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe: # TODO

  - id: OSPS-DO-01
    maturity_level: 1
    category: Documentation
    criterion: |
      The project MUST have one or more mechanisms
      for public discussions about proposed
      changes and usage obstacles.
    rationale: |
      Encourages open communication and
      collaboration within the project community,
      enabling users to provide feedback and
      discuss proposed changes or usage
      challenges.
    details: |
      Establish one or more mechanisms for public 
      discussions within the project, such as
      mailing lists, instant messaging, or issue
      trackers, to facilitate open communication
      and feedback.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None yet

  - id: OSPS-DO-02
    maturity_level: 1
    category: Documentation
    criterion: |
      The project documentation MUST include an
      explanation of the contribution process.
    rationale: |
      Provide guidance to new contributors on how
      to participate in the project, outlining the
      steps required to submit changes or
      enhancements to the project's codebase.
    details: |
      Create a CONTRIBUTING.md or CONTRIBUTING/
      directory to outline the contribution
      process including the steps for submitting
      changes, and engaging with the project
      maintainers.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None, may not be suitable

  - id: OSPS-DO-03
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST provide user
      guides for all basic functionality.
    rationale: |
      Ensure that users have a clear and
      comprehensive understanding of the project's
      current features in order to prevent damage
      from misuse or misconfiguration.
    details: |
      Create user guides or documentation for all
      basic functionality of the project,
      explaining how to install, configure, and
      use the project's features. If there are any
      known dangerous or destructive actions
      available, include highly-visible warnings.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-04
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST include a
      policy for coordinated vulnerability
      reporting, with a clear timeframe for
      response.
    rationale: |
      Establish a process for reporting and
      addressing vulnerabilities in the project,
      ensuring that security issues are handled
      promptly and transparently.
    details: |
      Create a SECURITY.md file at the root of the
      directory, outlining the project's policy
      for coordinated vulnerability reporting.
      Include a method for reporting
      vulnerabilities. Set expectations for the
      how the project will respond and address
      reported issues.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - securityPolicyPresent
      - securityPolicyContainsVulnerabilityDisclosure

  - id: OSPS-DO-05
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST include a
      mechanism for reporting defects.
    rationale: |
      Enable users and contributors to report
      defects or issues with the released software
      assets, facilitating communication and
      collaboration on defect fixes and
      improvements.
    details: |
      It is recommended that projects use their
      VCS default issue tracker. If an extarnal
      source is used, ensure that the project
      documentation and contributing guide clearly
      and visibly explain how to use the reporting
      system.

      It is recommended that project documentation
      also sets expectations for how defects will
      be triaged and resolved.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-06
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST include a
      guide for code contributors that includes
      requirements for acceptable contributions.
    rationale: |
      Provide guidance to code contributors on how
      to submit changes and enhancements to the
      project's codebase, outlining the standards
      and expectations for acceptable
      contributions.
    details: |
      Extend the CONTRIBUTING.md or CONTRIBUTING/
      contents in the project documentation to
      outline the requirements for acceptable
      contributions, including coding standards,
      testing requirements, and submission
      guidelines for code contributors.

      It is recommended that this guide is the
      source of truth for both contributors and
      approvers.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-07
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST provide
      design documentation demonstrating all
      actions and actors within the system.
    rationale: |
      Provide an overview of the project's design
      and architecture, illustrating the
      interactions and components of the system to
      help contributors and security reviewers
      understand the internal logic of the
      released software assets.
    details: |
      Include designs in the project documentation
      that explains the actions and actors. Actors
      include any subsystem or entity that can
      influence another segment in the system.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-08
    maturity_level: 3
    category: Documentation
    criterion: |
      The project documentation MUST include a
      policy that defines a threshold for remediation
      of SCA findings related to vulnerabilities and
      licenses.
    rationale: |
      Ensure that the project clearly communicates
      the threshold for remediation of SCA findings,
      including vulnerabilities and license issues
      in software dependencies.
    details: |
      Document a policy in the project that
      defines a threshold for remediation of SCA
      findings related to vulnerabilities and
      licenses. Include the process for
      identifying, prioritizing, and remediating
      these findings.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-09
    maturity_level: 3
    category: Documentation
    criterion: |
      The project documentation MUST include
      descriptions of all external input and output
      interfaces of the released software assets.
    rationale: |
      Provide users and developers with an
      understanding of how to interact with the
      project's software and integrate it with
      other systems, enabling them to use the
      software effectively.
    details: |
      Document all input and output interfaces of
      the released software assets, explaining how
      users can interact with the software and
      what data is expected or produced.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-10
    maturity_level: 3
    category: Documentation
    criterion: |
      The project documentation MUST include a
      policy to address SCA violations prior to any
      release.
    rationale: |
      Ensure that violations of your SCA policy
      are addressed before software releases,
      reducing the risk of shipping insecure or
      non-compliant software.
    details: |
      Document a policy in the project to address
      applicable Software Composition Analysis 
      results before any release, and add status
      checks that verify compliance with that 
      policy prior to release.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # TODO: this is about policy, but we should also look for evidence of SCA

  - id: OSPS-DO-11
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST have a policy
      that code contributors are reviewed prior to
      granting escalated permissions to sensitive
      resources.
    rationale: |
      Ensure that code contributors are vetted and
      reviewed before being granted elevated
      permissions to sensitive resources within
      the project, reducing the risk of
      unauthorized access or misuse.
    details: |
      Publish an enforceable policy in the project
      documentation that requires code
      contributors to be reviewed and approved
      before being granted escalated permissions
      to sensitive resources, such as merge
      approval or access to secrets.

      It is recommended that vetting includes
      establishing a justifiable lineage of
      identity such as confirming the
      contributor's association with a known
      trusted organization.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-DO-12
    maturity_level: 2
    category: Documentation
    criterion: |
      The project documentation MUST contain
      instructions to verify the integrity 
      and authenticity of the release assets,
      including the expected identity of the person
      or process authoring the software release.
    rationale: |
      Enable users to verify the authenticity and
      integrity of the project's released software
      assets, reducing the risk of using tampered
      or unauthorized versions of the software.
    details: |
      Instructions in the project should contain
      information about the technology used, the
      commands to run, and the expected output. The 
      expected identity may be in the form of key
      IDs used to sign, issuer and identity from a
      sigstore certificate, or other similar forms.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe: # TODO

  - id: OSPS-LE-01
    maturity_level: 2
    category: Legal
    criterion: |
      The version control system MUST require all
      code contributors to assert that they are
      legally authorized to commit the associated
      contributions on every commit.
    rationale: |
      Ensure that code contributors are aware of
      and acknowledge their legal responsibility
      for the contributions they make to the
      project, reducing the risk of intellectual
      property disputes.
    details: |
      Include a DCO or CLA in the project's
      repository, requiring code contributors to
      assert that they are legally authorized to
      commit the associated contributions on every
      commit. Use a status check to ensure the
      assertion is made.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None, may not be suitable

  - id: OSPS-LE-02
    maturity_level: 1
    category: Legal
    criterion: |
      The license for the source code MUST
      meet the OSI Open Source Definition or
      the FSF Free Software Definition.
    rationale: |
      Ensure that the project's source code is
      distributed under a recognized and legally
      enforceable open source software license,
      providing clarity on how the code
      can be used and shared by others.
    details: |
      Add a LICENSE file to the project's repo
      with a license that is
      an approved license by the
      Open Source Initiative (OSI), or
      a free license as approved by the
      Free Software Foundation (FSF).
      Examples of such licenses include the
      MIT, BSD 2-clause, BSD 3-clause revised,
      Apache 2.0, Lesser GNU General Public
      License (LGPL), and the
      GNU General Public License (GPL).
      Releasing to the public domain (e.g., CC0)
      meets this criterion if there are no
      other encumbrances (e.g., patents).
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - hasPermissiveLicense # Check this

  - id: OSPS-LE-03
    maturity_level: 1
    category: Legal
    criterion: |
      The license for the source code MUST be
      maintained in a standard location within
      the project's repository.
    rationale: |
      Ensure that the project's source code is
      distributed with the appropriate license
      terms, making it clear to users and
      contributors how the code can be used and
      shared.
    details: |
      Include the project's source code license in
      the project's LICENSE file, COPYING file,
      or LICENSE/
      directory to provide visibility and clarity
      on the licensing terms. The filename MAY
      have an extension.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - hasLicenseFile

  - id: OSPS-LE-04
    maturity_level: 1
    category: Legal
    criterion: |
      The license for the released software assets
      MUST meet the OSI Open Source Definition or
      the FSF Free Software Definition.
    rationale: |
      Ensure that the project's source code is
      distributed under a recognized and legally
      enforceable open source software license,
      providing clarity on how the code
      can be used and shared by others.
    details: |
      If a different license is included with
      released software assets, ensure it is
      an approved license by the
      Open Source Initiative (OSI), or
      a free license as approved by the
      Free Software Foundation (FSF).
      Examples of such licenses include the
      MIT, BSD 2-clause, BSD 3-clause revised,
      Apache 2.0, Lesser GNU General Public
      License (LGPL), and the
      GNU General Public License (GPL).
      Note that the license for the released
      software assets may be different than the
      source code.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # None, may need to be paired with SI

  - id: OSPS-QA-01
    maturity_level: 1
    category: Quality
    criterion: |
      The project's source code MUST be publicly
      readable and have a static URL.
    rationale: |
      Enable users to access and review the
      project's source code and history, promoting
      transparency and collaboration within the
      project community.
    details: |
      Use a common VCS such as GitHub, GitLab, or
      Bitbucket. Ensure the repository is publicly
      readable. Avoid duplication or mirroring of
      repositories unless highly visible
      documentation clarifies the primary source.
      Avoid frequent changes to the repository
      that would impact the repository URL.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-QA-02
    maturity_level: 1
    category: Quality
    criterion: |
      The version control system MUST contain a
      publicly readable record of all changes
      made, who made the changes, and when the
      changes were made.
    rationale: |
      Provide transparency and accountability for
      changes made to the project's codebase,
      enabling users to track modifications and
      understand the history of the project.
    details: |
      Use a common VCS such as GitHub, GitLab, or
      Bitbucket to maintain a publicly readable
      commit history. Avoid squashing or rewriting
      commits in a way that would obscure the
      author of any commits.
    control_mappings: # TODO
    security_insights_value: # TODO

  - id: OSPS-QA-03
    maturity_level: 2
    category: Quality
    criterion: |
      All released software assets MUST be
      delivered with a machine-readable list of
      all direct and transitive internal software
      dependencies with their associated version
      identifiers.
    rationale: |
      Provide transparency and accountability for
      the project's dependencies, enabling users
      and contributors to understand the
      software's dependencies and versions.
    details: |
      This may take the form of a software bill of
      materials (SBOM) or a dependency file that
      lists all direct and transitive dependencies
      such as package.json, Gemfile.lock, or
      go.sum.

      It is recommended to use a CycloneDX or SPDX
      file that is auto-generated at build time by
      a tool that has been vetted for accuracy.
      This enables users to ingest this data in a
      standardized approach alongside other
      projects in their environment.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - hasSBOM
      - hasReleaseSBOM
      - # TODO: check for non-sbom dependency files

  - id: OSPS-QA-04
    maturity_level: 2
    category: Quality
    criterion: |
      Any automated status checks for commits MUST
      pass or require manual acknowledgement prior to
      merge.
    rationale: |
      Ensure that the project's approvers do not
      become accustomed to tolerating failing
      status checks, even if arbitrary, because it
      increases the risk of overlooking security
      vulnerabilities or defects identified by
      automated checks.
    details: |
      Configure the project's version control
      system to require that all automated status
      checks pass or require manual acknowledgement
      before a commit can be merged into the
      primary branch.

      It is recommended that any optional
      status checks are NOT configured as a pass
      or fail requirement that approvers may be
      tempted to bypass.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - runsStatusChecksBeforeMerging
      - # TODO: check for checks passing?

  - id: OSPS-QA-05
    maturity_level: 3
    category: Quality
    criterion: |
      Any additional subproject code repositories
      produced by the project and compiled into a
      release MUST enforce security requirements as
      applicable to the status and intent of the
      respective codebase.
    rationale: |
      Ensure that additional code repositories or
      subprojects produced by the project are held
      to a standard that clear and appropriate
      for that codebase.
    details: |
      The parent project should maintain a list of
      any codebases that are considered
      subprojects or additional repositories.
      Collaborators on those repositories should
      identify the proper maturity level and apply
      the Open Source Project Security Baseline to
      the codebase. Any subproject or repository
      from the project which is compiled into the
      primary project must be held to the same 
      standard as the primary project. Others may
      be held to a lower standard if they have
      lower levels of adoption or are not intended
      for general use.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe:
      - # TODO, this may be possible if paired with SI to find the subproject

  - id: OSPS-QA-06
    maturity_level: 2
    category: Quality
    criterion: |
      The version control system MUST NOT contain
      generated executable artifacts.
    rationale: |
      Reduce the risk of including generated
      executable artifacts in the project's
      version control system, ensuring that only
      source code and necessary files are stored
      in the repository.
    details: |
      Remove generated executable artifacts
      in the project's version control system.

      It is recommended that any scenario where a
      generated executable artifact appears
      critical to a process such as testing, it
      should be instead be generated at build time
      or stored separately and fetched during a
      specific well-documented pipeline step.
    control_mappings: # TODO
    scorecard_probe:
      - hasBinaryArtifacts

  - id: OSPS-QA-07
    maturity_level: 3
    category: Quality
    criterion: |
      All proposed changes to the project's
      codebase must be automatically evaluated 
      against a documented policy for known
      vulnerabilities and blocked in the
      event of violations except when declared
      and supressed as non exploitable.
    rationale: |
      Identify and address defects and security weaknesses 
      in the project's codebase early in the 
      development process, reducing the risk of 
      shipping insecure software.
    details: |
      Create a status check in the project's
      version control system that runs a Static
      Application Security Testing (SAST) tool on
      all changes to the codebase. Require that the
      status check passes before changes can be
      merged.
    control_mappings: # TODO
    security_insights_value: # TODO
    scorecard_probe: # sastToolRunsOnAllCommits 

# # # #
#
# Lexicon
#
# The lexicon is a list of terms and their
# definitions as they are used throughout the Open
# Source Project Security Baseline.
#
# Synonyms are optional and can be included to
# streamline automation in the event that other
# words or phrases should link to the term.
#
lexicon:
  - term: Arbitrary Code
    definition: |
      Code provided by an external source that is
      executed by a system without validation or
      restriction.
  - term: Build and Release Pipeline
    definition: |
      A series of automated processes that compile
      and deploy software. Similar to the generic
      term CI/CD Pipelines, but this term excludes
      some pipelines, such as pre-merge status
      checks.
  - term: Change
    definition: |
      Any alteration of the project's codebase,
      CI/CD Pipelines, or documentation. This may
      include addition, deletion, or modification
      of content.
  - term: CI/CD Pipeline
    definition: |
      Automated pipelines for Continuous
      Integration and Continuous Delivery.
      Responsible for building, testing, and
      delivering changes. These pipelines integrate
      contributions frequently, enabling rapid and
      reliable software delivery. CI focuses on
      testing and building code, while CD delivers
      software to location such as a package
      registry.

      In the context of the Open Source Project
      Security Baseline, CD refers only to
      continuous delivery, not to continuous
      deployment, as sometimes used elsewhere.
  - term: Contributor
    definition: |
      Entities who commit code or documentation to
      the project. Code contributors include
      collaborators or external participants who
      submit changes.

      In the context of the Open Source Project
      Security Baseline, code contributors does not
      address non-code contributions such as
      designing, triaging, reviewing, or testing.
  - term: Codebase
    definition: |
      The collection of source code and related
      assets that make up the project. The codebase
      includes all files necessary to build and
      test the software. Lives in the repository,
      sometimes alongside documentation and CI/CD
      pipelines. The contents of the codebase are
      the primary deliverable in a release.
  - term: Collaborator
    definition: |
      A user with a role on the project's version
      control system who can approve changes or
      manage the repository settings. Collaborators
      may have varying permission levels based on
      their role in the project. This does not
      include contributors whose changes only
      originate through a request from a repository
      fork.
  - term: Commit
    definition: |
      A record of a single change submitted to the
      version control system. Each commit includes
      details such as the modifications made, the
      contributor who made them, and the timestamp
      of the change.
  - term: Defect
    definition: |
      Errors or flaws in the software that cause it
      to produce incorrect or unintended results, 
      or to behave in an unintended way. Defects
      can include bugs, vulnerabilities, or other
      issues that impact the software's
      functionality or security. Defects may have
      originally been intentional, but a change in
      environment or understanding has made them
      undesirable.
  - term: Exploitable Vulnerabilities
    definition: |
      Defects in the software that can be leveraged
      by attackers to gain unauthorized access,
      execute arbitrary code, or cause other
      undesired outcomes.
    synonyms:
      - Exploitable Vulnerability
  - term: License
    definition: |
      A legal document that defines the terms under
      which the software can be used, modified, and
      distributed. May be stored at the top level
      of the repository in a file named `LICENSE`
      or within files in a directory named
      `LICENSE/`. The license applies to repository
      contents and any released software assets,
      unless otherwise stated.
  - term: Known Vulnerabilities
    definition: |
      Publicly acknowledged exploitable
      vulnerabilities that have been identified
      within the software. These vulnerabilities
      often have associated advisories, patches, or
      recommended mitigations.

      All proposed changes to the project's
      codebase must be automatically evaluated 
      against a documented policy for known
      vulnerabilities and blocked in the
      event of violations.
    synonyms:
      - Known Vulnerability
  - term: Multi-factor Authentication
    definition: |
      An authentication method that requires two or
      more verification factors (e.g., a password
      and a token) to gain access to a resource.
      This method strengthens security by requiring
      multiple forms of identification.
    synonyms:
      - MFA
  - term: Primary Branch
    definition: |
      The main development branch in the version
      control system, representing the latest
      stable codebase. Releases are typically made
      from this branch. Commonly named `main` or
      `master`. In some situations where branches
      are not featured, a repository with forked
      repositories will have the original repo
      acting as an equivalent to the primary
      branch.
  - term: Project Documentation
    definition: |
      Written materials related to the project,
      such as user guides, developer guides, and
      contribution guidelines. These documents help
      users and developers understand, contribute
      to, and interact with the software. At
      release time, this may include provenance
      information, licensing details, and other
      metadata.
  - term: Software Provenance
    definition: |
      Information about the origin and history of
      the released software assets. This may
      include details about its development,
      dependencies, vulnerabilities, contributors,
      and licensing.
    synonyms:
      - Provenance
  - term: Release
    definition: |
      - _(verb)_ The process of making a version
      controlled bundle of assets available to
      users, such as through a package registry.
      - _(noun)_ A version-controlled bundle of
      code, documentation, and other assets made
      available to users. A release often includes
      release notes that describe the changes.
  - term: Released Software Asset
    definition: |
      Deliverables provided to users as part of a
      release. These assets can include binaries,
      libraries, or containers.
  - term: Repository
    definition: |
      A storage location managed by a version
      control system where the project's code,
      documentation, and other resources are
      stored. It tracks changes, manages
      collaborator permissions, and includes
      configuration options such as branch
      protection and access controls.
    synonyms:
      - Repo
      - Repositories
  - term: Software Composition Analysis
    definition: |
      The process of identifying and cataloging all
      components and dependencies in a software
      codebase. SCA is essential for managing
      security vulnerabilities and ensuring
      compliance with organizational policies.
    synonyms:
      - SCA
  - term: Status Check
    definition: |
      Automated tests or validations that run on
      commits before they are merged. Status checks
      ensure that any changes meet the project's
      quality and security standards.
  - term: Subproject
    definition: |
      A codebase that is part of the project but
      maintained in a separate repository.
      Subprojects may be compiled into the primary
      project or used as standalone components.
  - term: Version Identifier
    definition: |
      A label assigned to a specific release of the
      software, such as `v1.2.3`. Commonly
      recommended formats are Semantic Versioning
      or Calendar Versioning.
    synonyms:
  - term: Version Control System
    definition: |
      A tool that tracks changes to files over time
      and facilitates collaboration among
      contributors. Examples of version control
      systems include Git, Subversion, and
      Mercurial.
    synonyms:
      - VCS
  - term: Vulnerability Reporting
    definition: |
      The act of identifying and documenting
      exploitable vulnerabilities in released
      software assets. This may include privately
      or openly reporting vulnerabilities to
      maintainers, security teams, or the public,
      as well as tracking the resolution of these
      vulnerabilities.
    synonyms:
      - Coordinated Vulnerability Reporting