Policies for SCM posture management

Learn about the out of the box finding policies and templates for source code management.

Strong information security practices are necessary to secure your open source code used in your development and delivery infrastructure.

Endor Labs comes with the following out-of-the-box policies that help you determine the effectiveness of your security practices.

You can review the findings generated from these policies and take necessary actions.


Policy Name Description Severity
Contributors should not approve their own changes Robust code reviews are essential and contributors should not approve their own changes in a collaborative software development environment. Raises findings for repositories that do not enforce code reviews. High
Multi-Factor Authentication (MFA) should be required for external contributors Multi-Factor Authentication adds an additional layer of security to access accounts or systems and prevents unauthorized access to code repositories. Raises findings for repositories that do not enforce MFA for external contributors. High
Multi-Factor Authentication (MFA) should be required for organization members Multi-Factor Authentication adds an additional layer of security to access accounts or systems and prevents unauthorized access to code repositories. Raises findings for repositories that do not enforce MFA for members in their organization. High
Ensure branch protection is enforced for the default branch Branch protection rules allow you to set controls over your software development processes. The default branch for this repository has no branch protection rules and should be protected. High
Protected Branch Deletion should be blocked Protecting branch deletion, especially for critical branches, is a best practice in software development workflows. Raises findings for repositories that do not enforce rules around protected branch deletion. Medium
Dismissing Code Change Reviews should be restricted Restricting the ability to dismiss code change reviews is a best practice in software development workflows. Dismissing code change reviews should be limited to specific cases and authorized individuals to ensure accountability, maintain code quality, and promote a collaborative and transparent review process. Raises findings for repositories that do not enforce rules around dismissing code reviews. Medium
Force pushing code to protected branches should be restricted Restricting the ability to force push code to protected branches is a best practice in software development workflows. Restricting this action helps maintain code integrity, accountability, and collaboration. Raises findings for repositories that do not enforce rules around pushing code to protected branches. Medium
Authorization to push or merge to protected branches should be limited Limiting the authorization to push or merge code to protected branches is a best practice in software development workflows. By restricting access to protected branches, you maintain control over code changes and ensure that only authorized individuals can make modifications. Raises findings for repositories that do not enforce rules around merging code to protected branches. Medium
Status checks should pass before merging new code Ensuring that status checks pass before merging new code is a best practice in software development workflows. Status checks serve as automated checks or validations that assess the quality, integrity, and readiness of the code changes before they are merged into the main codebase. Raises findings for repositories that do not enforce status checks before merging new code. Medium
Branches should be up-to-date before merging Ensuring that branches are up-to-date before merging is a best practice in software development. It avoids conflicts, helps in the early detection of issues, and maintains code coherence. Raise findings for repositories that do not enforce rules on branches to be up-to-date before merging. Medium
Two informed reviews should be required for code changes Requiring two informed reviews for code changes is a best practice in software development. It helps ensure that code changes are thoroughly examined, promotes collaboration, and increases the overall quality of the codebase. Raises findings for repositories that do not enforce two reviews for code changes. Medium
Branch protection rules should be enforced on administrators Enforcing branch protection rules on administrators is a best practice in software development workflows. By applying branch protection rules to administrators, you ensure that even privileged individuals follow the established processes and adhere to the same standards as other team members. Raises findings for repositories that do not enforce branch protection rules. Medium
Commits should be signed for new changes Requiring commits to be signed for new changes is a best practice in software development workflows. Commit signing involves using digital signatures to verify the authenticity and integrity of the commit. Raises findings for repositories that do not enforce signed commits. Medium
Stale approvals should be dismissed Dismissing stale approvals is a best practice in software development workflows. Stale approvals refer to code review approvals that were granted but have become outdated due to subsequent changes or updates in the codebase. Dismissing these stale approvals helps ensure that the code review process remains accurate and up-to-date. Raises findings for repositories that do not enforce dismissal of stale approvals. Medium
Missing Source Code If you cannot audit the source code associated with a software component, there is limited visibility that can result in operational and security risks. Raises findings for packages with missing source code. Low
Code owner review is required when a change affects owned code Code owner review is a practice in software development where specific individuals or teams are designated as code owners for certain parts of the codebase. When a change is proposed that affects code owned by a particular individual or team, a code owner review is required before the change can be merged into the main codebase. Low
Code owner should be configured for sensitive code Code owner review is a best practice in software development workflows where specific individuals or teams are designated as code owners for certain parts of the codebase. When a change is proposed that affects code owned by a particular individual or team, a code owner review is required before the change can be merged into the main codebase. Raises findings for repositories that do not enforce code owner reviews. Low
Linear commit history should be required Linear comment history indicates a chronological sequence of commits made to a code repository. It provides a clear and chronological view of the code changes made to a repository, aiding in code navigation, collaboration, and bug tracking. Raises findings for repositories that do not have linear commit history. Low
Comments should be resolved before merging Resolving comments ensures that all feedback, questions, and issues raised during the code review process have been addressed satisfactorily before the code is considered ready for integration. Raises findings for repositories that do not resolve comments before merging. Low
Require a SECURITY.md file A SECURITY.md outlines security practices, reporting procedures, and guidelines for handling security-related issues within a project. It is included in the root directory of software repositories. Raise finings for repositories that do not include a SECURITY.md file. Low
Organizations should be verified The Organization Verified badge on GitHub is a visual indicator that signifies an organization’s authenticity and official status. It helps users identify legitimate and trusted organizations on the GitHub platform. Raise findings for organizations that are not verified. Low