# OpenSSF Baseline framework definition
#
# Declarative description of the OSPS v2025.10.10 compliance controls that the
# checker evaluates, and of the templates its remediations write. Per the
# original header this covers all 62 controls across 3 maturity levels.
# Repositories override individual settings through their own .baseline.toml.

[metadata]
name = "openssf-baseline"
display_name = "OpenSSF Baseline"
description = "OpenSSF Baseline security controls for open source projects"
url = "https://baseline.openssf.org/"
spec_version = "OSPS v2025.10.10"
version = "0.1.0" # version of this definition, not of the spec it encodes
# Layout version of this TOML file; still alpha, so breaking changes are expected.
schema_version = "0.1.0-alpha"

[defaults]
# Adapters used by every control that does not name its own.
check_adapter = "builtin"
remediation_adapter = "builtin"
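# =============================================================================
# Templates for Remediation
# =============================================================================
# $OWNER and $REPO inside template bodies are the same placeholders the exec
# checks below pass to `gh api`; the tool is expected to substitute them.

[templates.security_policy_standard]
description = "Standard SECURITY.md template for vulnerability reporting"
# The email contact is deliberately a visible placeholder. The previous value,
# security@$OWNER.github.io, was a dead address (github.io serves pages, not
# mail): reports sent there would bounce while the repository still appeared
# to have a working policy. GitHub's private reporting ("Report a
# vulnerability") is the only channel this template can promise out of the box.
content = """# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| latest  | :white_check_mark: |

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue,
please report it responsibly.

### How to Report

**Please do NOT report security vulnerabilities through public GitHub issues.**

Instead, please report security vulnerabilities by:

1. **GitHub Security Advisories**: Use the "Report a vulnerability" button in
   the Security tab of this repository (preferred)
2. **Email**: _MAINTAINERS: replace this line with a monitored security
   contact address, or delete it if you only accept reports through Security
   Advisories._

### What to Include

Please include as much of the following information as possible:

- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue

### Response Timeline

- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution Target**: Within 90 days (depending on severity)

### Disclosure Policy

- We will acknowledge receipt of your report
- We will work with you to understand and resolve the issue
- We will keep you informed of our progress
- We will credit you in the security advisory (unless you prefer otherwise)

## Security Updates

Security updates will be released as patch versions and announced via:

- GitHub Security Advisories
- Release notes
"""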
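[templates.security_policy_minimal]
description = "Minimal SECURITY.md template"
# Same contact-address fix as security_policy_standard: the previous
# security@$OWNER.github.io address does not receive mail, so the email line
# is now a visible placeholder the maintainers must edit or remove.
content = """# Security Policy

## Reporting a Vulnerability

Please report security vulnerabilities by:

- Using GitHub's "Report a vulnerability" feature in the Security tab
- Or emailing a private security contact: _MAINTAINERS: insert a monitored
  address here, or remove this line_

We will respond within 48 hours and work with you to resolve the issue.
"""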
[templates.contributing_standard]
description = "Standard CONTRIBUTING.md template"
# Written by the OSPS-GV-03.01 remediation. A literal multi-line string is used
# so nothing in the markdown (backticks, $OWNER/$REPO placeholders) is
# interpreted as a TOML escape.
content = '''# Contributing to $REPO
Thank you for your interest in contributing! This document provides guidelines
for contributing to this project.
## Code of Conduct
Please read and follow our Code of Conduct to keep our community approachable
and respectable.
## Getting Started
1. Fork the repository
2. Clone your fork: `git clone https://github.com/YOUR-USERNAME/$REPO.git`
3. Create a branch: `git checkout -b feature/your-feature-name`
4. Make your changes
5. Run tests: `make test` (or equivalent)
6. Commit your changes with a clear message
7. Push to your fork: `git push origin feature/your-feature-name`
8. Open a Pull Request
## Pull Request Guidelines
- Ensure your code follows the existing style
- Include tests for new functionality
- Update documentation as needed
- Keep PRs focused on a single change
- Write clear commit messages
## Reporting Issues
- Search existing issues before creating a new one
- Use the issue templates when available
- Provide as much context as possible
## Development Setup
```bash
# Clone the repository
git clone https://github.com/$OWNER/$REPO.git
cd $REPO
# Install dependencies
# (Add project-specific setup instructions here)
```
## Questions?
Feel free to open an issue for any questions about contributing.
'''
[templates.bug_report_template]
description = "GitHub issue template for bug reports"
# Written by the OSPS-DO-02.01 remediation to .github/ISSUE_TEMPLATE/bug_report.md.
# The leading YAML front matter (name/about/title/labels/assignees) is what
# GitHub reads to list the template; the rest is the issue body skeleton.
content = '''---
name: Bug Report
about: Create a report to help us improve
title: '[BUG] '
labels: bug
assignees: ''
---
## Describe the Bug
A clear and concise description of what the bug is.
## To Reproduce
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '...'
3. See error
## Expected Behavior
A clear and concise description of what you expected to happen.
## Actual Behavior
What actually happened.
## Screenshots
If applicable, add screenshots to help explain your problem.
## Environment
- OS: [e.g., Ubuntu 22.04, macOS 14, Windows 11]
- Version: [e.g., v1.2.3]
- Other relevant info:
## Additional Context
Add any other context about the problem here.
'''
[templates.branch_protection_payload]
description = "JSON payload for GitHub branch protection API"
# Request body for PUT /repos/{owner}/{repo}/branches/{branch}/protection
# (classic branch protection), used by the OSPS-AC-03.01 remediation.
# Sections set to null are disabled; enforce_admins makes the rule apply to
# administrators too; one approving review is required and stale reviews are
# dismissed on new pushes; force-pushes and branch deletion are blocked.
# NOTE(review): this PUT is understood to replace the branch's existing
# protection settings rather than merge with them — prefer dry_run first on a
# branch that already carries a hand-tuned rule.
content = '''
{
"enforce_admins": true,
"required_pull_request_reviews": {
"required_approving_review_count": 1,
"dismiss_stale_reviews": true,
"require_code_owner_reviews": false
},
"required_status_checks": null,
"restrictions": null,
"required_linear_history": false,
"allow_force_pushes": false,
"allow_deletions": false
}
'''
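[templates.dependabot_config]
description = "Dependabot configuration file"
# YAML is indentation-sensitive: as previously listed (every line at column 0)
# the `updates` entry was not valid YAML, so Dependabot would have rejected the
# generated .github/dependabot.yml. The nesting below is the documented shape
# (one list item under `updates`, with its keys indented beneath it).
content = """version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "ci"
  # Add additional ecosystems as needed:
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"
  #   commit-message:
  #     prefix: "deps"
"""

# =============================================================================
# Level 1 Controls - Access Control (AC)
# =============================================================================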
[controls."OSPS-AC-01.01"]
name = "RequireMFA"
description = "Require multi-factor authentication for organization members"
docs_url = "https://baseline.openssf.org/versions/2025-10-10#OSPS-AC-01.01"
tags = { domain = "AC", level = 1, security_severity = 8.0, authentication = true, access-control = true }

# Automated check: read the organization object and require
# two_factor_requirement_enabled == true.
# NOTE(review): a repository owned by a user account has no organization, so
# /orgs/$OWNER returns 404 (gh exits 1 → fail) and only the manual steps apply.
# The field is also believed to be populated only for callers who can view org
# settings; other tokens see null and fail closed — confirm before treating a
# failure here as a real finding.
[controls."OSPS-AC-01.01".passes.exec]
timeout = 30
command = ["gh", "api", "/orgs/$OWNER"]
output_format = "json"
pass_if_json_path = "two_factor_requirement_enabled"
pass_if_json_value = "true"
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-AC-01.01".passes.manual]
steps = [
  "Navigate to Organization Settings → Security",
  "Verify 'Require two-factor authentication' is enabled",
]
[controls."OSPS-AC-02.01"]
name = "AllowForking"
description = "Allow repository forking for public collaboration"
tags = { domain = "AC", level = 1, collaboration = true, access-control = true }

# Automated check: the repository object's allow_forking flag must be true.
[controls."OSPS-AC-02.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO"]
output_format = "json"
pass_if_json_path = "allow_forking"
pass_if_json_value = "true"
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-AC-02.01".passes.manual]
steps = [
  "Navigate to Repository Settings → General",
  "Under 'Features', verify 'Allow forking' is enabled",
]
[controls."OSPS-AC-03.01"]
name = "PreventDirectCommits"
description = "Prevent direct commits to primary branch"
docs_url = "https://baseline.openssf.org/versions/2025-10-10#OSPS-AC-03.01"
tags = { domain = "AC", level = 1, security_severity = 7.5, branch-protection = true, access-control = true }

# Automated check: the classic protection object for $BRANCH must contain a
# required_pull_request_reviews section. An unprotected branch returns 404,
# which gh reports as exit 1 → fail.
# NOTE(review): only classic branch protection is inspected. A branch guarded by
# a repository ruleset instead would fail here (false negative), and the
# remediation below would then layer classic protection on top of the ruleset.
[controls."OSPS-AC-03.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO/branches/$BRANCH/protection"]
output_format = "json"
pass_if_json_path = "required_pull_request_reviews"
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-AC-03.01".passes.manual]
steps = [
  "Navigate to Repository Settings → Branches",
  "Verify branch protection rule exists for main/master",
  "Check 'Require a pull request before merging' is enabled",
]

[controls."OSPS-AC-03.01".remediation]
safe = true
requires_api = true
dry_run_supported = true
handler = "enable_branch_protection" # legacy handler, used as fallback

# Declarative remediation: PUT the shared branch_protection_payload template.
[controls."OSPS-AC-03.01".remediation.api_call]
method = "PUT"
endpoint = "/repos/$OWNER/$REPO/branches/$BRANCH/protection"
payload_template = "branch_protection_payload"
[controls."OSPS-AC-03.02"]
name = "PreventBranchDeletion"
description = "Prevent deletion of primary branch"
tags = { domain = "AC", level = 1, branch-protection = true, access-control = true }

# Automated check: allow_deletions.enabled in the classic protection object
# must be false. As with OSPS-AC-03.01, an unprotected branch 404s → fail, and
# rulesets are not consulted.
[controls."OSPS-AC-03.02".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO/branches/$BRANCH/protection"]
output_format = "json"
pass_if_json_path = "allow_deletions.enabled"
pass_if_json_value = "false"
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-AC-03.02".passes.manual]
steps = [
  "Navigate to Repository Settings → Branches",
  "Check branch protection rule for main/master",
  "Verify 'Allow deletions' is NOT checked",
]
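# =============================================================================
# Level 1 Controls - Build & Release (BR)
# =============================================================================
[controls."OSPS-BR-01.01"]
name = "SecureWorkflowInputs"
description = "Workflows handle untrusted inputs safely"
tags = { domain = "BR", level = 1, security_severity = 8.5, ci-cd = true, security = true, build = true }

# Pattern check over every workflow; pass_if_any = false means a single match
# anywhere fails the control.
[controls."OSPS-BR-01.01".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]
pass_if_any = false

[controls."OSPS-BR-01.01".passes.pattern.patterns]
# `${{ github.<ctx> }}` expressions whose value an outside contributor controls
# (issue/PR/comment/review/discussion text, commit messages and authors, branch
# names, page names). This is GitHub's documented list of injection-prone
# contexts, so only those leaves are flagged. The previous pattern matched
# `github.event.issue` / `github.event.pull_request` as prefixes, which flagged
# harmless fields such as `github.event.pull_request.number` while missing
# `github.event.comment.body`, `github.event.head_commit.message` and friends.
# NOTE(review): a match inside an `env:` mapping is the recommended safe usage
# and cannot be told apart from a `run:` line by a regex; review matches by hand.
injection_risk = '\$\{\{\s*github\.(head_ref|event\.(issue\.(title|body)|pull_request\.(title|body|head\.(ref|label|repo\.default_branch))|comment\.body|review\.body|review_comment\.body|discussion\.(title|body)|pages[^\s}]*\.page_name|commits[^\s}]*\.(message|author\.(name|email))|head_commit\.(message|author\.(name|email))|workflow_run\.(head_branch|head_commit\.(message|author\.(name|email)))))'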
[controls."OSPS-BR-01.02"]
name = "SecureBranchNames"
description = "Branch names are handled safely in workflows"
tags = { domain = "BR", level = 1, security = true, build = true }
# No automated check is defined for this control; OSPS-BR-01.01's injection
# pattern already covers github.head_ref and the github.event.pull_request
# contexts.

[controls."OSPS-BR-03.01"]
name = "SecureRepositoryURL"
description = "Repository URL uses HTTPS"
tags = { domain = "BR", level = 1, security = true, build = true }

# Automated check: html_url as reported by the GitHub API must start with https://.
# NOTE(review): for a GitHub-hosted repository this is always the case, so the
# automated check is close to tautological; the manual steps (clone URLs quoted
# in docs and scripts) carry the real signal.
[controls."OSPS-BR-03.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO", "--jq", ".html_url"]
output_format = "text"
pass_if_output_matches = '^https://'
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-BR-03.01".passes.manual]
steps = [
  "Verify the repository URL in your browser address bar starts with https://",
  "Confirm all git clone URLs use https:// or git@ (SSH)",
]
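[controls."OSPS-BR-07.01"]
name = "GitignoreSecrets"
description = "Secret files are properly gitignored"
tags = { domain = "BR", level = 1, secrets = true, build = true }

[controls."OSPS-BR-07.01".locator]
project_path = "ci.gitignore"
kind = "file"
discover = [".gitignore"]

# A .gitignore must exist ...
[controls."OSPS-BR-07.01".passes.deterministic]
file_must_exist = [".gitignore"]

# ... and must carry rules for the usual secret-bearing files.
# NOTE(review): .gitignore only stops accidental `git add`; it is not a control
# against secrets that are already committed or force-added. Pair with secret
# scanning / push protection for actual coverage.
[controls."OSPS-BR-07.01".passes.pattern]
files = [".gitignore"]

[controls."OSPS-BR-07.01".passes.pattern.patterns]
# Each pattern is anchored to the start of a gitignore line and skips negated
# (`!…`) and comment (`#…`) lines, which the previous unanchored `\.env` and
# `\*\.key|\*\.pem` forms counted as passes. `\.env\b` also stops names such as
# `.environment` from matching while still accepting `.env`, `.env.*`, `*.env`.
env_files = '^\s*[^!#\s]*\.env\b'
key_files = '^\s*[^!#\s]*\*\.(key|pem)\b'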
# =============================================================================
# Level 1 Controls - Documentation (DO)
# =============================================================================
[controls."OSPS-DO-01.01"]
name = "HasReadme"
description = "Repository has a README file"
tags = { domain = "DO", level = 1, documentation = true }

[controls."OSPS-DO-01.01".locator]
project_path = "documentation.readme"
kind = "file"
discover = ["README.md", "README.rst", "README.txt", "README", "readme.md"]

# Passes when any one of the candidate README names exists at the root.
[controls."OSPS-DO-01.01".passes.deterministic]
file_must_exist = ["README.md", "README.rst", "README.txt", "README", "readme.md"]
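[controls."OSPS-DO-02.01"]
name = "BugReportingProcess"
description = "Document bug reporting process"
tags = { domain = "DO", level = 1, issues = true, documentation = true }

[controls."OSPS-DO-02.01".locator]
# Was "security.policy", the key the VM-* controls use for SECURITY.md. A bug
# report template is a different artifact: sharing the key meant a user
# override of security.policy in .baseline.toml would also redirect this
# control. NOTE(review): assumes project_path is a free-form identifier; if the
# engine validates it against a fixed list, register this key there.
project_path = "documentation.bug_report"
kind = "file"
discover = [
  ".github/ISSUE_TEMPLATE/bug_report.md",
  ".github/ISSUE_TEMPLATE/bug_report.yml",
  ".github/ISSUE_TEMPLATE.md",
]

[controls."OSPS-DO-02.01".locator.llm_hints]
search_for = "bug report, issue template, report bugs"
check_files = ["README.md", "CONTRIBUTING.md"]
look_for_urls = false

[controls."OSPS-DO-02.01".passes.deterministic]
file_must_exist = [
  ".github/ISSUE_TEMPLATE/bug_report.md",
  ".github/ISSUE_TEMPLATE/bug_report.yml",
  ".github/ISSUE_TEMPLATE.md",
]

# Alternatively the process may be described in prose.
[controls."OSPS-DO-02.01".passes.pattern]
files = ["README.md", "CONTRIBUTING.md"]

[controls."OSPS-DO-02.01".passes.pattern.patterns]
bug_reporting = '(report|submit).*(bug|issue)'

[controls."OSPS-DO-02.01".remediation]
safe = true
dry_run_supported = true
handler = "create_bug_report_template" # legacy handler, used as fallback

# Declarative remediation: write the bug_report_template, never overwriting.
[controls."OSPS-DO-02.01".remediation.file_create]
path = ".github/ISSUE_TEMPLATE/bug_report.md"
template = "bug_report_template"
overwrite = false
create_dirs = true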
# =============================================================================
# Level 1 Controls - Governance (GV)
# =============================================================================
[controls."OSPS-GV-02.01"]
name = "PublicDiscussion"
description = "Enable public discussion mechanisms"
tags = { domain = "GV", level = 1, community = true, governance = true }

# Automated check: jq prints `true` when either Issues or Discussions is on.
[controls."OSPS-GV-02.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO", "--jq", ".has_issues or .has_discussions"]
output_format = "text"
pass_if_output_matches = '^true'
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-GV-02.01".passes.manual]
steps = [
  "Navigate to Repository Settings → General → Features",
  "Verify 'Issues' or 'Discussions' is enabled",
]
[controls."OSPS-GV-03.01"]
name = "HasContributing"
description = "Repository has contributing guidelines"
tags = { domain = "GV", level = 1, documentation = true, governance = true }

[controls."OSPS-GV-03.01".locator]
project_path = "governance.contributing"
kind = "file"
discover = ["CONTRIBUTING.md", ".github/CONTRIBUTING.md", "docs/CONTRIBUTING.md"]

[controls."OSPS-GV-03.01".locator.llm_hints]
search_for = "contributing guidelines, contribution guide, how to contribute"
check_files = ["README.md"]
look_for_urls = false

[controls."OSPS-GV-03.01".passes.deterministic]
file_must_exist = ["CONTRIBUTING.md", ".github/CONTRIBUTING.md", "docs/CONTRIBUTING.md"]

[controls."OSPS-GV-03.01".remediation]
safe = true
dry_run_supported = true
handler = "create_contributing" # legacy handler, used as fallback

# Declarative remediation: write contributing_standard to the root, never
# overwriting an existing file.
[controls."OSPS-GV-03.01".remediation.file_create]
path = "CONTRIBUTING.md"
template = "contributing_standard"
overwrite = false
create_dirs = false
# =============================================================================
# Level 1 Controls - Legal (LE)
# =============================================================================
[controls."OSPS-LE-01.01"]
name = "HasLicense"
description = "Repository has a license file"
tags = { domain = "LE", level = 1, license = true, legal = true }

[controls."OSPS-LE-01.01".locator]
project_path = "legal.license"
kind = "file"
discover = ["LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"]

# Passes when any one of the candidate license file names exists.
[controls."OSPS-LE-01.01".passes.deterministic]
file_must_exist = ["LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"]
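[controls."OSPS-LE-02.01"]
name = "OSIApprovedLicense"
description = "License is OSI-approved"
tags = { domain = "LE", level = 1, license = true, legal = true }

# Automated check: GitHub's license detection, read via license.spdx_id.
# Unrecognised or custom license text yields NOASSERTION and a missing license
# yields "none"; neither matches below, so those repositories fail closed and
# need the manual steps.
[controls."OSPS-LE-02.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO", "--jq", '.license.spdx_id // "none"']
output_format = "text"
# SPDX identifiers that GitHub emits for licenses on the OSI list. spdx_id values
# are canonical mixed case (MIT, Apache-2.0, ...), so no case folding is needed.
# NOTE(review): CC0-1.0 is *not* OSI-approved (its OSI submission was
# withdrawn). It is retained only because the baseline's LE-02 wording is
# understood to accept the FSF free-software definition as an alternative —
# confirm against the linked spec and drop it if this control is OSI-only.
pass_if_output_matches = '^(MIT|MIT-0|Apache-2\.0|GPL-[23]\.0|LGPL-2\.[01]|LGPL-3\.0|AGPL-3\.0|BSD-[23]-Clause|MPL-2\.0|ISC|Unlicense|0BSD|EPL-[12]\.0|EUPL-1\.2|BSL-1\.0|Zlib|Artistic-2\.0|PostgreSQL|CC0-1\.0)$'
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-LE-02.01".passes.manual]
steps = [
  "Navigate to repository main page",
  "Check license badge in repository sidebar",
  "Verify license is OSI-approved at https://opensource.org/licenses",
]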
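[controls."OSPS-LE-02.02"]
name = "ReleaseLicense"
description = "Releases include license information"
tags = { domain = "LE", level = 1, license = true, legal = true }
# No automated check is defined for this control.

[controls."OSPS-LE-03.01"]
name = "LicenseInRepo"
description = "License file present in repository root"
tags = { domain = "LE", level = 1, license = true, legal = true }

# Shares the legal.license location with OSPS-LE-01.01 and therefore accepts the
# same file names. LICENSE.txt was missing here, so a repository with only that
# file passed LE-01.01 but failed LE-03.01.
[controls."OSPS-LE-03.01".locator]
project_path = "legal.license"
kind = "file"
discover = ["LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"]

[controls."OSPS-LE-03.01".passes.deterministic]
file_must_exist = ["LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"]

[controls."OSPS-LE-03.02"]
name = "LicenseInReleases"
description = "License file included in releases"
tags = { domain = "LE", level = 1, license = true, legal = true }
# No automated check is defined for this control.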
# =============================================================================
# Level 1 Controls - Quality Assurance (QA)
# =============================================================================
[controls."OSPS-QA-01.01"]
name = "PublicRepository"
description = "Repository is publicly accessible"
tags = { domain = "QA", level = 1, transparency = true, quality = true }

# Automated check: the repository object's private flag must be false.
[controls."OSPS-QA-01.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO"]
output_format = "json"
pass_if_json_path = "private"
pass_if_json_value = "false"
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-QA-01.02"]
name = "PublicCommitHistory"
description = "Commit history is publicly visible"
tags = { domain = "QA", level = 1, transparency = true, quality = true }
# No automated check is defined; a public repository (OSPS-QA-01.01) exposes
# its history, but that link is not encoded here.
[controls."OSPS-QA-02.01"]
name = "DependencyManifest"
description = "Project has dependency manifest files"
tags = { domain = "QA", level = 1, dependencies = true, quality = true }

[controls."OSPS-QA-02.01".locator]
project_path = "dependencies.manifest"
kind = "file"
discover = [
  "package.json",
  "requirements.txt",
  "pyproject.toml",
  "Cargo.toml",
  "go.mod",
  "pom.xml",
  "build.gradle",
  "Gemfile",
]

# Passes when any one of the well-known manifest files is present at the root.
[controls."OSPS-QA-02.01".passes.deterministic]
file_must_exist = [
  "package.json",
  "requirements.txt",
  "pyproject.toml",
  "Cargo.toml",
  "go.mod",
  "pom.xml",
  "build.gradle",
  "Gemfile",
]

[controls."OSPS-QA-04.01"]
name = "DocumentSubprojects"
description = "Subprojects are documented"
tags = { domain = "QA", level = 1, documentation = true, quality = true }
# No automated check is defined for this control.

[controls."OSPS-QA-05.01"]
name = "NoGeneratedExecutables"
description = "No generated executables in repository"
tags = { domain = "QA", level = 1, security = true, quality = true }
# No automated check is defined for this control.

[controls."OSPS-QA-05.02"]
name = "NoUnreviewableBinaries"
description = "No unreviewable binary artifacts"
tags = { domain = "QA", level = 1, security = true, quality = true }
# No automated check is defined for this control.
# =============================================================================
# Level 1 Controls - Vulnerability Management (VM)
# =============================================================================
[controls."OSPS-VM-02.01"]
name = "HasSecurityPolicy"
description = "Repository has a security policy"
tags = { domain = "VM", level = 1, security_severity = 7.0, vulnerability-management = true, security = true }

[controls."OSPS-VM-02.01".locator]
project_path = "security.policy"
kind = "file"
discover = ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"]

[controls."OSPS-VM-02.01".locator.llm_hints]
search_for = "security policy, vulnerability reporting, security contact"
check_files = ["README.md"]
look_for_urls = true

# Passes on presence alone; the content checks live in OSPS-VM-01.01 / VM-03.01.
[controls."OSPS-VM-02.01".passes.deterministic]
file_must_exist = ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"]

[controls."OSPS-VM-02.01".remediation]
safe = true
dry_run_supported = true
handler = "create_security_policy" # legacy handler, used as fallback

# Declarative remediation: write security_policy_standard to the root, never
# overwriting. The generated file's email contact must be replaced with a
# monitored address before the policy is relied on.
[controls."OSPS-VM-02.01".remediation.file_create]
path = "SECURITY.md"
template = "security_policy_standard"
overwrite = false
create_dirs = false
# =============================================================================
# Level 2 Controls - Access Control (AC)
# =============================================================================
[controls."OSPS-AC-04.01"]
name = "ExplicitWorkflowPermissions"
description = "Workflows define explicit permissions"
tags = { domain = "AC", level = 2, security_severity = 6.5, ci-cd = true, access-control = true }

# Pattern check: a top-level `permissions:` key (column 0) in the workflow.
# Indented job-level permissions are deliberately not counted, since they leave
# the GITHUB_TOKEN default in force for every other job.
# NOTE(review): whether every workflow file must match or any one of them
# depends on the engine's default for pass_if_any (set explicitly only in
# OSPS-BR-01.01) — confirm it is "every file", otherwise one well-behaved
# workflow masks the rest.
[controls."OSPS-AC-04.01".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]

[controls."OSPS-AC-04.01".passes.pattern.patterns]
permissions = '^permissions:'
# =============================================================================
# Level 2 Controls - Governance (GV)
# =============================================================================
[controls."OSPS-GV-01.01"]
name = "HasGovernance"
description = "Project has governance documentation"
tags = { domain = "GV", level = 2, governance = true }

# A CODEOWNERS file counts as minimal governance documentation here.
[controls."OSPS-GV-01.01".locator]
project_path = "governance.governance_doc"
kind = "file"
discover = ["GOVERNANCE.md", "MAINTAINERS.md", "CODEOWNERS", ".github/CODEOWNERS"]

[controls."OSPS-GV-01.01".locator.llm_hints]
search_for = "governance, maintainers, project leadership, decision making"
check_files = ["README.md", "CONTRIBUTING.md"]
look_for_urls = false

[controls."OSPS-GV-01.01".passes.deterministic]
file_must_exist = ["GOVERNANCE.md", "MAINTAINERS.md", "CODEOWNERS", ".github/CODEOWNERS"]

# Handler-only remediation: no template or file_create block is declared for it.
[controls."OSPS-GV-01.01".remediation]
safe = true
handler = "create_governance_doc"
[controls."OSPS-GV-01.02"]
name = "DocumentedRoles"
description = "Roles and responsibilities are documented"
tags = { domain = "GV", level = 2, governance = true }

# Loose keyword check: a role word and a responsibility word in any of the
# governance-style documents.
[controls."OSPS-GV-01.02".passes.pattern]
files = ["GOVERNANCE.md", "MAINTAINERS.md", "CONTRIBUTING.md"]

[controls."OSPS-GV-01.02".passes.pattern.patterns]
roles = '(maintainer|contributor|reviewer|owner)'
responsibilities = '(responsibil|duties|role)'

[controls."OSPS-GV-03.02"]
name = "ContributionRequirements"
description = "Contribution requirements are documented"
tags = { domain = "GV", level = 2, contributing = true, governance = true }

# Loose keyword check on CONTRIBUTING.md: a requirement word plus a
# process word. Note the generated contributing_standard template satisfies both.
[controls."OSPS-GV-03.02".passes.pattern]
files = ["CONTRIBUTING.md"]

[controls."OSPS-GV-03.02".passes.pattern.patterns]
requirements = '(requirement|must|should|need to)'
process = '(pull request|PR|submit|review)'
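# =============================================================================
# Level 2 Controls - Quality Assurance (QA)
# =============================================================================
[controls."OSPS-QA-03.01"]
name = "RequiredStatusChecks"
description = "Branch protection requires status checks"
tags = { domain = "QA", level = 2, ci-cd = true, quality = true }

# Automated check: the classic protection object for $BRANCH must require at
# least one named status check. Previously only the presence of the
# required_status_checks section was tested, which also passes when "require
# status checks" is ticked but no check is selected — a vacuous rule. jq looks
# at the newer `checks` array first and falls back to the legacy `contexts`
# list; an unprotected branch 404s (exit 1 → fail).
[controls."OSPS-QA-03.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO/branches/$BRANCH/protection", "--jq", "((.required_status_checks.checks // .required_status_checks.contexts) // []) | length > 0"]
output_format = "text"
pass_if_output_matches = '^true'
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-QA-03.01".passes.manual]
steps = [
  "Navigate to Repository Settings → Branches",
  "Check branch protection rules",
  "Verify 'Require status checks to pass before merging' is enabled",
  "Verify at least one status check is selected as required",
]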
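[controls."OSPS-QA-06.01"]
name = "AutomatedTests"
description = "CI workflows include automated tests"
tags = { domain = "QA", level = 2, testing = true, quality = true }

[controls."OSPS-QA-06.01".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]

[controls."OSPS-QA-06.01".passes.pattern.patterns]
# Well-known test invocations, matched as whole words.
test_command = '\b(npm (run )?test|pnpm test|yarn test|pytest|python -m pytest|go test|cargo test|mvn test|gradle test|make test|dotnet test|ctest)\b'
# A step whose name or run line mentions test(s) as a word. The previous
# `(run.*test|Test|testing)` matched `runs-on: ubuntu-latest` ("run…test" spans
# "runs-on … la*test*"), so every workflow passed this control without
# running anything. NOTE(review): relies on `^` matching per line, as
# OSPS-AC-04.01's `^permissions:` already does.
test_step = '(?i)^\s*-?\s*(name|run):.*\btests?\b'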
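# =============================================================================
# Level 2 Controls - Vulnerability Management (VM)
# =============================================================================
[controls."OSPS-VM-01.01"]
name = "DisclosurePolicy"
description = "Security policy includes disclosure process"
tags = { domain = "VM", level = 2, vulnerability-management = true, security = true }

[controls."OSPS-VM-01.01".locator]
project_path = "security.policy"
kind = "file"
discover = ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"]

[controls."OSPS-VM-01.01".locator.llm_hints]
search_for = "disclosure policy, vulnerability disclosure, responsible disclosure"
check_files = ["README.md"]
look_for_urls = true

# The pattern is applied to every location the locator discovers. Previously
# only the root SECURITY.md was scanned, so a policy kept under .github/ or
# docs/ — which OSPS-VM-02.01 accepts — failed this control unconditionally.
[controls."OSPS-VM-01.01".passes.pattern]
files = ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"]

[controls."OSPS-VM-01.01".passes.pattern.patterns]
disclosure = '(disclos|report|contact)'
process = '(process|procedure|timeline)'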
[controls."OSPS-VM-03.01"]
name = "PrivateReporting"
description = "Private vulnerability reporting is enabled"
tags = { domain = "VM", level = 2, vulnerability-management = true, security = true }

[controls."OSPS-VM-03.01".locator]
project_path = "security.policy"
kind = "file"
discover = ["SECURITY.md", ".github/SECURITY.md"]

[controls."OSPS-VM-03.01".locator.llm_hints]
search_for = "private reporting, security email, PGP key, confidential"
check_files = ["README.md"]
look_for_urls = false

# Keyword check for a private contact channel in SECURITY.md.
# NOTE(review): a SECURITY.md generated by the OSPS-VM-02.01 remediation can
# satisfy these keywords before the maintainers have filled in a real contact,
# so treat a pattern pass as weak evidence until the manual steps have been
# done once.
[controls."OSPS-VM-03.01".passes.pattern]
files = ["SECURITY.md", ".github/SECURITY.md"]

[controls."OSPS-VM-03.01".passes.pattern.patterns]
private_contact = '(private|confidential|security advisory|PGP|GPG|security@|email)'

[controls."OSPS-VM-03.01".passes.manual]
steps = [
  "Verify SECURITY.md contains a private reporting mechanism",
  "Check for security email address or PGP key",
  "Confirm GitHub Security Advisories is enabled in Settings → Security",
]
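[controls."OSPS-VM-04.01"]
name = "SecurityAdvisories"
description = "Repository supports security advisories"
tags = { domain = "VM", level = 2, vulnerability-management = true, security = true }

# Automated check: ask GitHub whether private vulnerability reporting is turned
# on for the repository (GET .../private-vulnerability-reporting → {"enabled"}).
# The previous check read .has_issues as a proxy, but security advisories and
# private reporting do not depend on Issues being enabled, so a repository with
# Issues on and reporting off passed incorrectly, and vice versa.
[controls."OSPS-VM-04.01".passes.exec]
timeout = 30
command = ["gh", "api", "/repos/$OWNER/$REPO/private-vulnerability-reporting", "--jq", ".enabled"]
output_format = "text"
pass_if_output_matches = '^true'
pass_exit_codes = [0]
fail_exit_codes = [1]

[controls."OSPS-VM-04.01".passes.manual]
steps = [
  "Navigate to Repository Settings → Code security",
  "Verify 'Private vulnerability reporting' is enabled",
  "Check the Security tab offers 'Report a vulnerability'",
]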
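# =============================================================================
# Level 3 Controls - Access Control (AC)
# =============================================================================
[controls."OSPS-AC-04.02"]
name = "ScopedPermissions"
description = "Workflow permissions are appropriately scoped"
tags = { domain = "AC", level = 3, security_severity = 7.0, least-privilege = true, ci-cd = true, access-control = true }

[controls."OSPS-AC-04.02".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]

[controls."OSPS-AC-04.02".passes.pattern.patterns]
# An individual GITHUB_TOKEN scope key. The previous list (contents, issues,
# pull-requests, packages) missed scopes a least-privilege workflow commonly
# sets, such as id-token and security-events.
scoped = '\b(actions|checks|contents|deployments|id-token|issues|packages|pages|pull-requests|security-events|statuses):'
# A read-only grant: `<scope>: read` or the top-level `permissions: read-all`,
# optionally followed by a comment. The previous `read(-only)?` matched the
# substring "read" anywhere (README, thread, already, ...), so nearly every
# workflow passed. NOTE(review): `$` relies on per-line matching, as the other
# `^`-anchored patterns in this file already do.
read_only = '(permissions:\s*read-all|[a-z-]+:\s*read)\s*(#.*)?$'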
# =============================================================================
# Level 3 Controls - Quality Assurance (QA)
# =============================================================================
[controls."OSPS-QA-07.01"]
name = "RequiredApprovals"
description = "Pull requests require approval before merge"
tags = { level = 3, domain = "QA", quality = true, code-review = true }
# ExecPass: Check if branch protection requires approvals.
# $OWNER, $REPO and $BRANCH are placeholders presumably expanded by the exec
# handler (the command is an argv array, not a shell string). The jq filter
# prints "true" or "false" and `gh api` exits 0 for any successful response,
# so the output match decides the pass; a branch without a classic protection
# rule makes the API call fail (exit 1 → fail).
# NOTE(review): repositories that enforce approvals through rulesets rather
# than classic branch protection may not be reflected by this endpoint —
# confirm before treating a fail as authoritative.
[controls."OSPS-QA-07.01".passes.exec]
command = ["gh", "api", "/repos/$OWNER/$REPO/branches/$BRANCH/protection", "--jq", ".required_pull_request_reviews.required_approving_review_count >= 1"]
pass_exit_codes = [0]
# Other non-zero `gh` exit codes (e.g. an unauthenticated CLI) are neither
# pass nor fail here — NOTE(review): confirm how the handler reports those.
fail_exit_codes = [1]
output_format = "text"
pass_if_output_matches = "^true"
timeout = 30  # NOTE(review): unit assumed to be seconds — confirm
[controls."OSPS-QA-07.01".passes.manual]
steps = [
    "Navigate to Repository Settings → Branches",
    "Check branch protection rule for main/master",
    "Verify 'Require approvals' is enabled with at least 1 required",
]
# Remediation changes repository settings on GitHub rather than files in the
# working tree, hence requires_api; the handler needs credentials that may
# administer the repository — NOTE(review): document the exact scope needed.
[controls."OSPS-QA-07.01".remediation]
handler = "enable_branch_protection"
config = { required_approvals = 1 }
requires_api = true
[controls."OSPS-QA-06.02"]
name = "DocumentedTesting"
description = "Testing instructions are documented"
tags = { level = 3, domain = "QA", quality = true, testing = true, documentation = true }
# PatternPass: look for "how to run the tests" wording in the usual docs.
[controls."OSPS-QA-06.02".passes.pattern]
files = [
    "README.md",
    "CONTRIBUTING.md",
    "docs/testing.md",
]
# NOTE(review): matched as written; a heading such as "Run the tests" would be
# missed if the engine is case-sensitive by default (only the OSPS-SA-02.01
# pattern sets (?i) explicitly) — confirm.
patterns.test_docs = "(run.*test|test.*instruction|how to test)"
[controls."OSPS-QA-06.03"]
name = "TestRequirements"
description = "Test requirements for contributions are documented"
tags = { level = 3, domain = "QA", quality = true, testing = true, contributing = true }
# PatternPass: CONTRIBUTING.md must state that contributions come with tests.
[controls."OSPS-QA-06.03".passes.pattern]
files = ["CONTRIBUTING.md"]
# `.*` does not cross a line break in most engines, so both words must sit on
# the same line. NOTE(review): case-sensitive unless the handler adds (?i).
patterns.test_req = "(test.*required|must.*test|include.*test)"
# =============================================================================
# Level 3 Controls - Vulnerability Management (VM)
# =============================================================================
[controls."OSPS-VM-05.01"]
name = "SCARemediationPolicy"
description = "SCA remediation policy documented"
tags = { level = 3, domain = "VM", security = true, dependencies = true }
# PatternPass: the security policy must address dependency (SCA) findings.
[controls."OSPS-VM-05.01".passes.pattern]
files = ["SECURITY.md", "docs/security.md"]
# "remediat" covers remediate/remediation. Any single keyword is enough, so a
# SECURITY.md that merely says "dependency" passes — a permissive signal.
# NOTE(review): "Dependency" at sentence start would be missed if matching is
# case-sensitive; confirm before adding (?i), since that would also make "SCA"
# match "scan" or "scale".
patterns.sca_policy = "(dependency|SCA|software composition|remediat)"
[controls."OSPS-VM-05.02"]
name = "PreReleaseSCA"
description = "Pre-release SCA workflow configured"
tags = { level = 3, domain = "VM", security = true, ci-cd = true, dependencies = true }
# PatternPass: a workflow references a known SCA tool or action.
[controls."OSPS-VM-05.02".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]
# Matches tool / action names as they appear in `uses:` or `run:` lines.
# A mention is not proof the scan gates a release — that needs manual review.
patterns.sca_tool = "(dependency-review-action|kusari|trivy|snyk|dependabot)"
[controls."OSPS-VM-05.03"]
name = "AutomatedDependencyScanning"
description = "Automated dependency scanning configured"
tags = { level = 3, domain = "VM", security = true, dependencies = true }
# Locator: where a Dependabot or Renovate configuration is expected to live.
[controls."OSPS-VM-05.03".locator]
project_path = "ci.github.dependabot"
kind = "file"
discover = [
    ".github/dependabot.yml",
    ".github/dependabot.yaml",
    "renovate.json",
    ".renovaterc",
]
# DeterministicPass: same list as `discover`. The .yml/.yaml alternatives
# imply "any of these exists" — NOTE(review): confirm that is the handler's
# semantics for file_must_exist.
[controls."OSPS-VM-05.03".passes.deterministic]
file_must_exist = [
    ".github/dependabot.yml",
    ".github/dependabot.yaml",
    "renovate.json",
    ".renovaterc",
]
[controls."OSPS-VM-05.03".remediation]
handler = "create_dependabot_config"  # Legacy handler for fallback
safe = true
dry_run_supported = true
# Declarative file creation remediation: renders the named template to `path`.
# overwrite = false presumably leaves an existing file untouched and
# create_dirs = true creates .github/ if missing — verify against the
# file_create handler.
[controls."OSPS-VM-05.03".remediation.file_create]
path = ".github/dependabot.yml"
template = "dependabot_config"
overwrite = false
create_dirs = true
[controls."OSPS-VM-06.01"]
name = "SASTRemediationPolicy"
description = "SAST remediation policy documented"
tags = { level = 3, domain = "VM", security = true, code-analysis = true }
# PatternPass: the security policy must address static-analysis findings.
# NOTE(review): the sibling SCA control (OSPS-VM-05.01) also searches
# docs/security.md; this one only looks at SECURITY.md — confirm the
# difference is intended.
[controls."OSPS-VM-06.01".passes.pattern]
files = ["SECURITY.md"]
# "remediat" covers remediate/remediation. Any single keyword passes, so this
# is a permissive signal; "Static Analysis" in title case would be missed if
# matching is case-sensitive by default.
patterns.sast_policy = "(SAST|static analysis|code scan|remediat)"
[controls."OSPS-VM-06.02"]
name = "AutomatedSAST"
description = "Automated SAST in CI pipeline"
tags = { level = 3, domain = "VM", security = true, ci-cd = true, code-analysis = true }
# PatternPass: a workflow references a known SAST tool or action.
[controls."OSPS-VM-06.02".passes.pattern]
files = [".github/workflows/*.yml", ".github/workflows/*.yaml"]
# Lower-case tool names as they appear in action paths (e.g. codeql-action);
# "sonar" also covers sonarcloud / sonarqube. A mention does not show the
# scan blocks the pipeline on findings.
patterns.sast_tool = "(codeql|semgrep|sonar|bandit|gosec|brakeman)"
# =============================================================================
# Level 3 Controls - Documentation (DO)
# =============================================================================
[controls."OSPS-DO-03.01"]
name = "SupportDocumentation"
description = "Support documentation available"
tags = { level = 3, domain = "DO", documentation = true, support = true }
[controls."OSPS-DO-03.01".locator]
project_path = "documentation.support"
kind = "file"
discover = ["SUPPORT.md", ".github/SUPPORT.md"]
# Hints for the LLM-assisted locator, presumably used when `discover` finds
# nothing at the conventional paths.
[controls."OSPS-DO-03.01".locator.llm_hints]
search_for = "support, help, getting help, community support"
check_files = ["README.md"]
look_for_urls = true
# DeterministicPass: a SUPPORT.md at either conventional location.
[controls."OSPS-DO-03.01".passes.deterministic]
file_must_exist = ["SUPPORT.md", ".github/SUPPORT.md"]
[controls."OSPS-DO-03.01".remediation]
handler = "create_support_doc"
safe = true
[controls."OSPS-DO-05.01"]
name = "EndOfSupportPolicy"
description = "End-of-support policy documented"
tags = { level = 3, domain = "DO", documentation = true, support = true }
# PatternPass: end-of-life / end-of-support wording in any of the usual docs.
[controls."OSPS-DO-05.01".passes.pattern]
files = [
    "SUPPORT.md",
    "SECURITY.md",
    "README.md",
]
# `end.of.` tolerates a space or hyphen between the words; "deprecat" covers
# deprecate/deprecated/deprecation. "EOL" is upper-case only as written.
patterns.eol_policy = "(end.of.(life|support)|EOL|deprecat|sunset)"
# =============================================================================
# Level 3 Controls - Governance (GV)
# =============================================================================
[controls."OSPS-GV-04.01"]
name = "CollaboratorReviewPolicy"
description = "Collaborator review policy documented"
tags = { level = 3, domain = "GV", governance = true, code-review = true }
# PatternPass: governance or contributing docs describe how reviewers /
# collaborators are handled.
[controls."OSPS-GV-04.01".passes.pattern]
files = ["GOVERNANCE.md", "CONTRIBUTING.md"]
# Both groups must occur on the same line (`.*` does not cross a newline in
# most engines without (?s)). NOTE(review): case-sensitive unless the handler
# adds (?i).
patterns.review_policy = "(review|collaborator|maintainer).*(policy|process|requirement)"
# =============================================================================
# Level 3 Controls - Security Assessment (SA)
# =============================================================================
# NOTE(review): this control is tagged level = 2 although it sits under the
# "Level 3" banner — one of the two is wrong; check against the OSPS spec
# before relying on `level` filters for it.
[controls."OSPS-SA-02.01"]
name = "APIDocumentation"
description = "API/interface documentation available"
tags = { level = 2, domain = "SA", documentation = true, api = true }
[controls."OSPS-SA-02.01".locator]
project_path = "documentation.api"
discover = ["API.md", "docs/api.md", "docs/api/", "openapi.yaml", "openapi.json", "swagger.yaml", "swagger.json"]
kind = "file"
# Hints for the LLM-assisted locator, presumably used when `discover` finds
# nothing at the conventional paths.
[controls."OSPS-SA-02.01".locator.llm_hints]
search_for = "API documentation, API reference, endpoints"
check_files = ["README.md"]
look_for_urls = true
[controls."OSPS-SA-02.01".passes]
# Check for API documentation in dedicated files OR README sections
# The pattern pass looks for API/interface documentation headings
[controls."OSPS-SA-02.01".passes.pattern]
files = ["API.md", "docs/api.md", "README.md", "docs/README.md", "USAGE.md", "docs/getting-started.md", "openapi.yaml", "openapi.json", "swagger.yaml", "swagger.json"]
# A single matching file is enough. This is the only control that sets
# pass_if_any; what the other controls get by default is decided by the
# pattern handler.
pass_if_any = true
[controls."OSPS-SA-02.01".passes.pattern.patterns]
# (?m) anchors ^ to each line so only Markdown headings count; (?i) makes the
# match case-insensitive; \\b keeps "cli" from matching "client". Headings
# like "Usage" or "Commands" still pass, so this is a permissive signal rather
# than proof of API documentation.
api_section = "(?mi)^#.*\\b(api|interface|usage|methods|functions|endpoints|cli|commands?)\\b"
[controls."OSPS-SA-03.02"]
name = "ThreatModel"
description = "Threat model documentation available"
tags = { level = 3, domain = "SA", security = true, threat-modeling = true }
[controls."OSPS-SA-03.02".locator]
project_path = "security.threat_model"
kind = "file"
discover = [
    "THREAT_MODEL.md",
    "docs/threat-model.md",
    "docs/security/threat-model.md",
]
# Hints for the LLM-assisted locator, presumably used when `discover` finds
# nothing at the conventional paths.
[controls."OSPS-SA-03.02".locator.llm_hints]
search_for = "threat model, security assessment, attack surface, STRIDE"
check_files = ["SECURITY.md", "README.md"]
look_for_urls = true
# DeterministicPass: a dedicated threat-model document at a conventional path.
[controls."OSPS-SA-03.02".passes.deterministic]
file_must_exist = [
    "THREAT_MODEL.md",
    "docs/threat-model.md",
    "docs/security/threat-model.md",
]
# PatternPass: threat-modelling language inside the security policy. How this
# combines with the deterministic pass is decided by the handler.
[controls."OSPS-SA-03.02".passes.pattern]
files = ["SECURITY.md", "docs/security.md"]
# NOTE(review): "Threat Model" in title case would be missed if matching is
# case-sensitive by default — consider a leading (?i).
patterns.threat_model = "(threat model|STRIDE|attack surface|security assessment)"
# =============================================================================
# MCP Server Configuration
# =============================================================================
# This section defines the MCP tools that are exposed when running:
#   darnit serve openssf-baseline.toml
# Handlers use "module:function" form, presumably an import path the server
# resolves. Tools whose description says create / enable / commit / apply /
# record change files in the working tree, git state or GitHub settings; the
# get_* / list_* / audit tools only read. Anything listed here is reachable by
# a connected MCP client, so the credentials available to the serving process
# bound what the mutating tools can do.
[mcp]
name = "openssf-baseline"
description = "OpenSSF Baseline security compliance tools for MCP clients"
# NOTE(review): the "severity>=7.0" example in the description below — the
# only severity-like tag key defined in this file is `security_severity`
# (OSPS-AC-04.02); confirm the filter reads that key.
[mcp.tools.audit_openssf_baseline]
handler = "darnit_baseline.tools:audit_openssf_baseline"
description = """Run OpenSSF Baseline audit on a repository.
Supports filtering by:
- level: Maximum maturity level (1, 2, or 3). Default: 3
- tags: Filter by domain, tags, or custom attributes (e.g., "domain=AC", "security", "severity>=7.0")
Examples:
- Level 1 only: level=1
- AC domain controls: tags="domain=AC"
- Security-tagged level 2: level=2, tags="security"
"""
[mcp.tools.list_available_checks]
handler = "darnit_baseline.tools:list_available_checks"
description = "List all available OpenSSF Baseline checks organized by level"
[mcp.tools.get_project_config]
handler = "darnit_baseline.tools:get_project_config"
description = "Get the current project configuration for OpenSSF Baseline"
# Writes a file into the repository.
[mcp.tools.create_security_policy]
handler = "darnit_baseline.tools:create_security_policy"
description = "Create SECURITY.md file for vulnerability reporting"
# Changes repository settings on GitHub (see the OSPS-QA-07.01 remediation).
[mcp.tools.enable_branch_protection]
handler = "darnit_baseline.tools:enable_branch_protection"
description = "Enable branch protection rules on GitHub repository"
# Both tools write .project.yaml.
[mcp.tools.init_project_config]
handler = "darnit_baseline.tools:init_project_config"
description = "Initialize a new .project.yaml configuration file"
[mcp.tools.confirm_project_context]
handler = "darnit_baseline.tools:confirm_project_context"
description = "Record user-confirmed project context in .project.yaml"
[mcp.tools.generate_threat_model]
handler = "darnit_baseline.tools:generate_threat_model"
description = "Generate a STRIDE-based threat model for a repository"
[mcp.tools.generate_attestation]
handler = "darnit_baseline.tools:generate_attestation"
description = "Generate an in-toto attestation for OpenSSF Baseline compliance"
# Remediation workflow: apply fixes, then branch / commit / open a PR. Each
# step mutates the working tree, local git state or the remote repository.
[mcp.tools.remediate_audit_findings]
handler = "darnit_baseline.tools:remediate_audit_findings"
description = "Apply automated remediations for failed audit controls"
[mcp.tools.create_remediation_branch]
handler = "darnit_baseline.tools:create_remediation_branch"
description = "Create a new branch for remediation work"
[mcp.tools.commit_remediation_changes]
handler = "darnit_baseline.tools:commit_remediation_changes"
description = "Commit remediation changes with a descriptive message"
[mcp.tools.create_remediation_pr]
handler = "darnit_baseline.tools:create_remediation_pr"
description = "Create a pull request for remediation changes"
[mcp.tools.get_remediation_status]
handler = "darnit_baseline.tools:get_remediation_status"
description = "Get the current git status for remediation work"
# Test fixture: creates a repository that fails every control, for exercising
# the audit and remediation tools.
[mcp.tools.create_test_repository]
handler = "darnit_baseline.tools:create_test_repository"
description = "Create a minimal test repository that fails all OpenSSF Baseline controls"