Checks

VisionBoard empowers organizations to streamline their security and compliance processes with a comprehensive collection of automated checks. These checks are designed to evaluate the health and security posture of your projects, ensuring alignment with industry standards.

While you can use checks individually, most users prefer to group them into Checklists tailored to specific standards or policies, such as OpenJS compliance frameworks. Checklists allow you to customize check priorities, adjust severity levels, and subscribe to specific compliance requirements for your projects.

Explore the full list of available checks below:

• useHwKeyGithubAccess: Use AAL2/3 passkeys for GitHub access
• vulnResponse14Days: Respond to external vulnerability reports in under 14 days
• patchExploitableHighVulns14Days: Patch critical/high vulnerabilities in 14 Days
• requirePRApprovalForMainline: Require approved PRs for mainline commits
• npmOrgMFA: Enforce MFA in npm organization(s)
• defaultTokenPermissionsReadOnly: Set default GitHub workflow token permissions to read-only
• machineReadableDependencies: Provide machine-readable dependency lists
• limitRepoAdmins: Limit GitHub repo admins to fewer than three
• identifyModifiedDependencies: Uniquely identify modified dependencies
• requireCodeOwnersReviewForLargeTeams: Require code owners review
• commitSignoffForWeb: Enforce commit sign-off for web based commits
• preventLandingSensitiveCommits: Block new commits with secrets or credentials
• blockWorkflowPRApproval: Prevent workflows from creating or approving PRs
• consistentBuildProcessDocs: Document consistent and automated build processes
• MFAImpersonationDefense: Use MFA against impersonation
• restrictOrgSecrets: Restrict GitHub organization secrets to specific repositories
• limitOrgOwners: Limit GitHub org owners to fewer than three
• noForcePushDefaultBranch: Disable force push on default branch
• assignCVEForKnownVulns: Assign CVEs to all known security vulnerabilities
• automateDependencyManagement: Automate monitoring of outdated dependencies
• activeAdminsSixMonths: Require active admins in GitHub organization (activity in 6 months)
• restrictedOrgPermissions: Restrict default GitHub Org member permissions
• requireTwoPartyReview: Require two-party review
• automateVulnDetection: Automate dependency vulnerability identification
• runnerSecurityScanner: Use GitHub runner security scanners
• githubWebhookSecrets: Secure GitHub Webhooks with secrets
• includePackageLock: Include package-lock.json in releases
• owaspTop10Training: Training on OWASP Top 10 or equivalent
• preventBranchProtectionBypass: Prevent admins from bypassing branch protection
• PRsBeforeMerge: Require pull requests before merging
• preventScriptInjection: Avoid script injection from untrusted variables
• SSHKeysRequired: Use SSH keys with passphrases for repository access
• noArbitraryCodeInPipeline: Restrict build pipeline code execution to build scripts
• noSelfHostedRunners: Disable self-hosted runners in GitHub organization
• upgradePathDocs: Support older versions or provide upgrade paths
• verifiedActionsOnly: Limit GitHub Actions to verified or trusted actions
• limitWorkflowWritePermissions: Limit workflow write permissions to job level
• annualDependencyRefresh: Refresh dependencies with annual releases
• includeCVEInReleaseNotes: Include CVE IDs in release notes for security fixes
• scanCommitsForSensitiveInfo: Ensure that all the commits are scanned
• noSensitiveInfoInRepositories: Check sensitive information
• upToDateDefaultBranchBeforeMerge: Require default branch updates before merging
• adminRepoCreationOnly: Allow only admins to create public repositories
• ciAndCdPipelineAsCode: Automate CI/CD steps in code-based pipelines
• commitStatusChecks: Require commit status checks to pass before merging
• npmPublicationMFA: Publish to npm using MFA-Enabled accounts
• patchExploitableNoncCriticalVulns60Days: Patch non-critical vulnerabilities in 60 Days
• forkWorkflowApproval: Require approval for forked workflow changes
• resolveLinterWarnings: Address compiler and linter warnings before merging
• activeWritersSixMonths: Require active members with write access (activity in 6 months)
• twoOrMoreOwnersForAccess: Configure two or more owners for access continuity
• staticAppSecTesting: Use static application security testing for all commits
• incidentResponsePlan: Define clear communication and incident response plans
• patchNonCriticalVulns90Days: Patch non-critical vulnerabilities within 90 days
• pinActionsToSHA: Pin actions with secrets to full-length commit SHAs
• softwareArchitectureDocs: Document software architecture
• githubOrgMFA: Enforce MFA in GitHub organization(s)
• defineFunctionalRoles: Define roles aligned to functional responsibilities
• preventDeletionDefaultBranch: Prevent deletion of default branch
• useCVDToolForVulns: Use CVD tools to manage vulnerability reports
• patchCriticalVulns30Days: Patch actively exploited critical vulnerabilities within 30 Days
• regressionTestsForVulns: Create regression tests for bugs and security vulnerabilities
• softwareDesignTraining: Training on secure software design
• orgToolingMFA: Enforce MFA in all the tools
• githubWriteAccessRoles: Define teams/individuals with write access to repositories
• requireSignedCommits: Require signed commits
• useHwKeyGithubNonInteractive: Use AAL2/3 passkeys for non-interactive GitHub access
• securityMdMeetsOpenJSCVD: Ensure Security.md meets OpenJS CVD guidelines
• staticCodeAnalysis: Use automated static code analysis tools
• useHwKeyOtherContexts: Use AAL2/3 passkeys in all other contexts
• workflowSecurityScanner: Use workflow security scanners
• injectedSecretsAtRuntime: Ensure that the secrets are injected at runtime