Standards and Rule Definitions

The Rule Definitions section lists all the standards and associated rules supported by Harness SCS. These rules are applied to various target types, and the overall compliance posture is presented in the Compliance section of SCS. To learn more about managing the compliance status, refer to the document Manage Compliance Posture.

The page offers details about the rule, including its description, severity (defined by Harness), the standard with the rule ID to which it belongs, and the target type to which it applies (e.g., code repository, artifact, CI/CD).

You can apply filters specific to standards to view the rules associated with those standards and use the search function to find specific rules.

Note: In the future, Harness will allow you to modify the severity of a rule or even suppress rules from being evaluated.

Supported Standards and Rules

Harness supports the following standards.

  • CIS Benchmarks for GitHub
  • OWASP Top 10 CI/CD Security Risks for GitHub
  • Harness Standards

CIS Benchmarks

The following CIS v1.0 rules are supported by Harness for evaluations, and Harness will continue to add more rules across different target types. For more detailed information, refer to the official CIS documentation.

Source Code

| Rule ID | Name | Platform | Type |
| --- | --- | --- | --- |
| 1.1.3 | Automated Approval of Code Changes | GitHub | Code Repository |
| 1.1.4 | Dismissal of Previous Approvals on Updates | GitHub | Code Repository |
| 1.1.5 | Restricted Dismissal of Code Change Reviews | GitHub | Code Repository |
| 1.1.6 | Code Owners for Sensitive Code | GitHub | Code Repository |
| 1.1.7 | Code Owner's Review Requirement | GitHub | Code Repository |
| 1.1.8 | Periodic Inactive Branch Reviews | GitHub | Code Repository |
| 1.1.9 | Checks Passing Before Merging New Code | GitHub | Code Repository |
| 1.1.10 | Up-to-Date Open Git Branches | GitHub | Code Repository |
| 1.1.11 | Resolved Comments Before Merging | GitHub | Code Repository |
| 1.1.12 | Verification of Signed Commits for New Changes Before Merging | GitHub | Code Repository |
| 1.1.13 | Linear History Requirement | GitHub | Code Repository |
| 1.1.14 | Enforced Branch Protection Rules for Administrators | GitHub | Code Repository |
| 1.1.15 | Restricted Pushing/Merging of New Code | GitHub | Code Repository |
| 1.1.16 | Denied Force Pushing Code to Branches | GitHub | Code Repository |
| 1.1.17 | Denied Branch Deletions | GitHub | Code Repository |
| 1.2.1 | SECURITY.md in Public Repositories | GitHub | Code Repository |
| 1.2.2 | Limited Repository Creation | GitHub | Code Repository |
| 1.2.3 | Limited Repository Deletion | GitHub | Code Repository |
| 1.2.4 | Limited Issue Deletion | GitHub | Code Repository |
| 1.3.1 | Periodic Review and Removal of Inactive Users | GitHub | Code Repository |
| 1.3.3 | Minimum Number of Administrators Set for the Organization | GitHub | Code Repository |
| 1.3.5 | Organization-Wide MFA Requirement | GitHub | Code Repository |
| 1.3.7 | Two Administrators Set for Each Repository | GitHub | Code Repository |
| 1.3.8 | Strict Base Permissions Set for Repositories | GitHub | Code Repository |
| 1.3.9 | Organization Identity Confirmed with "Verified" Badge | GitHub | Code Repository |

Build Pipelines

| Rule ID | Name | Platform | Type |
| --- | --- | --- | --- |
| 2.3.1 | Definition of All Build Steps as Code | GitHub | CI/CD |
| 2.3.5 | Minimized Access to Build Process Triggering | GitHub | CI/CD |
| 2.3.7 | Automated Vulnerability Scanning for Pipelines | GitHub | CI/CD |
| 2.3.8 | Automated Scanning for Sensitive Data in Pipeline Files | GitHub | CI/CD |
| 2.4.2 | Locking of All External Dependencies Used in the Build Process | GitHub | CI/CD |
| 2.4.6 | Production of SBOM in Pipeline Steps | GitHub | CI/CD |

Dependencies

| Rule ID | Name | Platform | Type |
| --- | --- | --- | --- |
| 3.1.7 | Pinning of Dependencies to Specific, Verified Versions | GitHub | CI/CD |
| 3.2.2 | Automatic Scanning for Known Vulnerabilities in Packages | GitHub | CI/CD |
| 3.2.3 | Automatic Scanning for License Implications in Packages | GitHub | CI/CD |

Artifacts

| Rule ID | Name | Platform | Type |
| --- | --- | --- | --- |
| 4.2.3 | MFA for User Access to the Package Registry | GitHub | Artifacts |
| 4.2.5 | Revocation of Anonymous Access to Artifacts | GitHub | Artifacts |
| 4.3.4 | Security of Webhooks in the Package Registry | GitHub | Artifacts |

OWASP Top 10 CI/CD Security Risks

The following rules are supported by Harness to perform evaluations, and Harness will continue to add more rules across different target types. For more detailed information, refer to the official OWASP documentation.

CICD-SEC-1: Insufficient Flow Control Mechanisms

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.1.3 | Automated Approval of Code Changes | GitHub | Code Repository | MEDIUM |
| 1.1.4 | Dismissal of Previous Approvals on Updates | GitHub | Code Repository | HIGH |
| 1.1.5 | Restricted Dismissal of Code Change Reviews | GitHub | Code Repository | HIGH |
| 1.1.6 | Code Owners Removed in GitHub repository | GitHub | Code Repository | HIGH |
| 1.1.7 | Code owners reviews are not required in GitHub before merging | GitHub | Code Repository | MEDIUM |
| 1.1.9 | Checks Passing Before Merging New Code | GitHub | Code Repository | HIGH |
| 1.1.10 | Up-to-Date Open Git Branches | GitHub | Code Repository | HIGH |
| 1.1.11 | Resolved Comments Before Merging | GitHub | Code Repository | LOW |
| 1.1.13 | Linear History Requirement | GitHub | Code Repository | LOW |
| 1.1.14 | Enforced Branch Protection Rules for Administrators | GitHub | Code Repository | HIGH |
| 1.1.15 | Restricted Pushing/Merging of New Code | GitHub | Code Repository | CRITICAL |
| 1.1.17 | Denied Branch Deletions | GitHub | Code Repository | CRITICAL |
| 1.2.8 | Required reviews can be bypassed using GitHub Actions at Org level | GitHub | Code Repository | HIGH |
| 1.2.9 | Required reviews can be bypassed using GitHub Actions at Repo level | GitHub | Code Repository | HIGH |
| 1.3.9 | Organization Identity Confirmed with "Verified" Badge | GitHub | Code Repository | |
| 1.2.12 | Auto-merge enabled on the repository | GitHub | Code Repository | HIGH |

CICD-SEC-2: Inadequate Identity and Access Management

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.3.1 | Excessive user permissions to a GitHub repository | GitHub | Code Repository | HIGH |
| 1.3.5 | GitHub User account is missing 2FA | GitHub | Code Repository | HIGH |
| 1.3.10 | GitHub inactive user account programmatic credentials | GitHub | Code Repository | MEDIUM |
| 1.1.12 | Verification of Signed Commits for New Changes Before Merging | GitHub | Code Repository | LOW |
| 1.1.16 | Denied Force Pushing Code to Branches | GitHub | Code Repository | LOW |
| 1.2.15 | Any organization member in GitHub can create private repositories | GitHub | Code Repository | LOW |
| 1.2.13 | GitHub organization members can create public repositories | GitHub | Code Repository | LOW |
| 1.2.18 | GitHub repository webhook SSL verification is disabled | GitHub | Code Repository | LOW |
| 1.3.12 | GitHub deploy key has a weak SSH signature | GitHub | Code Repository | LOW |
| 1.2.19 | GitHub organization webhook SSL verification is disabled | GitHub | Code Repository | LOW |
| 1.3.11 | Unrotated GitHub deploy keys | GitHub | Code Repository | LOW |

CICD-SEC-4: Poisoned Pipeline Execution (PPE)

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.2.6 | Forking of private repositories in the GitHub organization is allowed | GitHub | Code Repository | MEDIUM |
| 1.2.7 | Forking of a private GitHub repository is allowed | GitHub | Code Repository | MEDIUM |
| 2.1.5 | Pipeline vulnerable to command injection | Harness | CI/CD | HIGH |

CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.2.5 | Default GitHub Actions workflow permissions in the organization set to 'read and write' | GitHub | Code Repository | MEDIUM |
| 1.2.14 | Default GitHub Actions workflow permissions in the repository set to 'read and write' | GitHub | Code Repository | MEDIUM |
| 1.3.13 | GitHub deploy keys assigned with write permissions | GitHub | Code Repository | LOW |

CICD-SEC-6: Insufficient Credential Hygiene

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.2.20 | GitHub organization secret not scoped | GitHub | Code Repository | MEDIUM |
| 1.2.10 | Unrotated organization secrets in GitHub Actions | GitHub | Code Repository | MEDIUM |
| 1.2.11 | Unrotated repository secrets in GitHub Actions | GitHub | Code Repository | MEDIUM |
| 2.1.6 | Possible secrets baked into docker image layers | Harness | CI/CD | MEDIUM |
| 2.3.9 | Authorization not enforced for custom triggers | Harness | CI/CD | HIGH |

CICD-SEC-8: Ungoverned Usage of 3rd Party Services

| Rule ID | Name | Platform | Type | Severity |
| --- | --- | --- | --- | --- |
| 1.2.16 | Unrestricted usage of GitHub Actions allowed across the organization | GitHub | Code Repository | HIGH |
| 1.2.17 | Unrestricted usage of GitHub Actions allowed in the repository | GitHub | Code Repository | HIGH |
| 2.4.2 | Unpinned GitHub Actions | GitHub | CI/CD | MEDIUM |