Security Requirements
The following is a complete list of supported security requirements:
- Scan Code for Vulnerabilities
- Scan Code for Hard-Coded Secrets
- Scan Code Dependencies for Vulnerabilities
- Scan IaC for Static Misconfigurations
- Scan for Infrastructure Runtime Misconfigurations
- Ensure Your API is Secure
- Enable Automatic Security Scanning of Your Container Images
- Ensure IAM Roles are Least Privileged
- Require MFA for Cloud Providers
- Allow direct account deletion
- Store app Client ID and secret securely
- Encrypt any secret data
- Encrypt traffic in transit
- Delete GitHub user data within 30 days of a deletion request
- Do not share account services across apps
- Grant access to production only to engineers and employees with admin duties
- Don't ask for the user's GitHub password
- Use a dedicated GitHub App for each device type (desktop/mobile)
- Use a GitHub OAuth or GitHub App token to communicate with the GitHub API
- Use a GitHub App instead of a GitHub OAuth app
- Follow the Least Privilege Principle
- Implement RBAC in your app
- All services should have unique login and credentials
- Create an Incident Response plan
- Add logging capability for your app
- Ensure log retention for 30 days
- Ensure log format includes critical fields
- Ensure your serverless functions are configured properly
- Ensure your logs are shipped to a central place