
BoostSecurity Scanner


The BoostSecurity scanner supports the rules listed below.


CI/CD - Supply Chain


| Name | Id | Description |
| --- | --- | --- |
| CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope | cicd-azure-devops-missing-authz-for-project | Ensure Azure DevOps projects limit the authorization scope of Azure Pipelines jobs to the current project. |
| CI/CD - Azure Pipeline Self-Hosted Agent Pools | cicd-azure-devops-using-user-managed-agent-pools | Ensure pipelines run on Microsoft-hosted agents rather than user-managed (self-hosted) agent pools. |
| CI/CD - Limit Azure Pipelines Variables | cicd-azure-devops-variables-settable-at-queue-time | Ensure Azure Pipelines limit the variables that can be set at queue time. |
| CI/CD - Binary Artifacts Stored in SCM | cicd-binary-artifacts | Ensure binary artifacts are not stored in source control management (SCM) systems; they bloat the repository and cannot be code-reviewed. |
| CI/CD - Branch Protection - Allows reviewer to self-review their own changes | cicd-branch-protection | Ensure that default repository branches are protected and that authors cannot approve their own changes. |
| CI/CD - CircleCI Injection | cicd-circleci-shell-injection | Prevent shell injection in CircleCI configurations by not interpolating untrusted values directly into shell commands. |
| CI/CD - CircleCI Unversioned Orb Usage | cicd-circleci-unversioned-orb | Avoid unversioned orbs in CircleCI so that a published orb update cannot silently change what the pipeline runs. |
| CI/CD - GitHub Actions can approve pull requests | cicd-gha-can-create-and-approve-pull-requests | Ensure that GitHub Actions cannot create or approve pull requests automatically. |
| CI/CD - All GitHub Actions are allowed to run | cicd-gha-org-allows-all-actions | Ensure the organization does not allow all GitHub Actions to run; restrict usage to verified or allow-listed actions. |
| CI/CD - GitHub Organization Secret visible from public repositories | cicd-gha-org-secret-publicly-visible | Ensure that GitHub organizations do not have organization-level secrets that can be accessed by workflows from public repositories. |
| CI/CD - GitHub Actions have Read / Write permissions | cicd-gha-read-write-token-permissions | Ensure the default GITHUB_TOKEN permissions for GitHub Actions workflows are read-only rather than read/write. |
| CI/CD - GitHub Actions Unsecure Commands | cicd-gha-unsecure-commands | Avoid enabling unsecure workflow commands (ACTIONS_ALLOW_UNSECURE_COMMANDS, which re-enables set-env and add-path) in GitHub Actions workflows; they let untrusted output inject environment variables and PATH entries. |
| CI/CD - GitHub Actions Workflow Dispatch Inputs | cicd-gha-workflow-dispatch-inputs | Ensure GitHub Actions workflows triggered by workflow_dispatch validate their inputs and do not interpolate them directly into shell commands, to prevent misuse or injection. |
| CI/CD - GitLab Environment no approvals required for deployments | cicd-gl-deployment-approval | Ensure GitLab environments require approvals for deployments. |
| CI/CD - Missing Software Composition Analysis (SCA) Scanning | cicd-sca-scanning-absent | Ensure that Software Composition Analysis (SCA) is performed. |
| CI/CD - Missing SCM 2FA Enforcement | cicd-scm-2fa-enforcement-absent | Ensure the SCM enforces that all members have 2FA enabled. |
| CI/CD - Elevated GitHub App Permissions | cicd-scm-gh-app-with-elevated-permissions | Checks for GitHub organizations with third-party applications that have elevated permissions. |
| CI/CD - Audit Log - Branch Protection Overridden by Admin | cicd-scm-gh-audit-log-branch-protection-overriden | Checks for GitHub repositories where an Audit Log event indicates that branch protection was overridden using administrator privileges. |
| CI/CD - Audit Log - OAuth App Restriction Disabled | cicd-scm-gh-audit-log-oauth-app-restriction-disabled | Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled. |
| CI/CD - GitHub Organization has Outside Collaborators | cicd-scm-gh-org-has-outside-collaborators | Checks for GitHub organizations with outside collaborators. |
| CI/CD - Privileged Default Member Permissions | cicd-scm-gh-org-high-default-member-permissions | Checks for GitHub organizations whose default member permissions are privileged. |
| CI/CD - Insecure GitHub Webhooks | cicd-scm-gh-org-insecure-webhook | Checks for GitHub organizations with insecure webhooks. |
| CI/CD - Invalid Number of GitHub Organization Owners | cicd-scm-gh-org-number-of-owners | Checks that the number of GitHub organization owners is within the expected range. |
| CI/CD - Invalid Number of GitHub Repository Admins | cicd-scm-gh-repo-number-of-admins | Checks that the number of GitHub repository contributors with administrative privileges is within the expected range. |
| CI/CD - GitHub Repository with Privileged Outside Collaborators | cicd-scm-gh-repo-outside-collaborator-admin-maintainer | Checks for GitHub repositories with outside collaborators holding admin or maintainer privileges. |
| CI/CD - GitLab On Push Secret File Detection Missing | cicd-scm-gl-on-push-secret-detection | Checks that the GitLab project has the push rule for secret file detection enabled. |
| CI/CD - Inactive SCM Members | cicd-scm-inactive-members | Checks for SCMs with inactive members. |
| CI/CD - SCM Repository Creation Not Restricted | cicd-scm-limit-repo-creation | Checks that repository creation is restricted. |
| CI/CD - SCM Organization Not Verified | cicd-scm-org-verified | Checks that the SCM organization has been verified. |
| CI/CD - SCM Private Forks | cicd-scm-private-forks | Ensure the SCM does not allow private repositories to be forked. |
| CI/CD - Restrict SCM Repository Creation | cicd-scm-repo-creation-restricted | Ensure source control management (SCM) systems restrict repository creation to authorized users, to prevent unauthorized or unmonitored repositories. |
| CI/CD - Missing Lockfile resulting in unpinned dependencies | cicd-unpinned-dependencies | Checks for the absence of a lockfile, without which dependency versions are not pinned. |
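Added example, not BoostSecurity's scanner code: a small Python checker for three of the GitHub Actions rules in the table above (cicd-gha-read-write-token-permissions, cicd-gha-unsecure-commands and cicd-gha-workflow-dispatch-inputs), run over a constructed workflow. The workflow is embedded as the dict that yaml.safe_load would return for the YAML file, so the script needs no third-party library. The rule ids are reused from the table, but the detection logic, the sample workflow and its hardened twin are this example's own assumptions about how such checks can be implemented, not how the scanner implements them.

```python
import re

RW_RULE = "cicd-gha-read-write-token-permissions"
UNSECURE_RULE = "cicd-gha-unsecure-commands"
INPUTS_RULE = "cicd-gha-workflow-dispatch-inputs"
UNSECURE_FLAG = "ACTIONS_ALLOW_UNSECURE_COMMANDS"
# `${{ inputs.x }}` / `${{ github.event.inputs.x }}` expanded inside a run: script
INPUT_EXPR_RE = re.compile(r"\$\{\{\s*(?:github\.event\.)?inputs\.[\w-]+\s*\}\}")
# legacy workflow commands that only work when ACTIONS_ALLOW_UNSECURE_COMMANDS is set
UNSECURE_CMD_RE = re.compile(r"::(?:set-env|add-path)\b")

# Constructed sample workflow (not from any real repository), as yaml.safe_load
# would return it: no permissions block, legacy commands re-enabled, and a
# workflow_dispatch input pasted straight into a shell step.
WEAK_WORKFLOW = {
    "name": "deploy",
    "on": {"workflow_dispatch": {"inputs": {"target": {"description": "environment"}}}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "env": {UNSECURE_FLAG: "true"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "./deploy.sh ${{ github.event.inputs.target }}"},
                {"run": "echo '::set-env name=DEPLOY_ENV::prod'"},
            ],
        }
    },
}

# The same workflow with each finding fixed.
HARDENED_WORKFLOW = {
    "name": "deploy",
    "on": WEAK_WORKFLOW["on"],
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {   # the input reaches the shell as a variable's value, not as script text
                    "env": {"TARGET": "${{ github.event.inputs.target }}"},
                    "run": './deploy.sh "$TARGET"',
                },
                {"run": 'echo "DEPLOY_ENV=prod" >> "$GITHUB_ENV"'},
            ],
        }
    },
}

def _truthy(value):
    return str(value).strip().lower() in {"1", "true", "yes"}

def permissions_grant_write(perms):
    """True when a permissions: value grants GITHUB_TOKEN any write scope."""
    if perms is None:
        return False
    if isinstance(perms, str):          # "read-all" / "write-all" shorthand
        return perms == "write-all"
    return any(str(v) == "write" for v in perms.values())

def scan_workflow(wf):
    """Return sorted (rule_id, location, detail) findings for one parsed workflow."""
    findings = []
    if _truthy((wf.get("env") or {}).get(UNSECURE_FLAG, "")):
        findings.append((UNSECURE_RULE, "workflow", f"{UNSECURE_FLAG} enabled"))
    for name, job in (wf.get("jobs") or {}).items():
        where = f"jobs.{name}"
        # a job-level permissions block overrides the workflow-level one; with neither,
        # GITHUB_TOKEN gets the repository default, which may still be read/write
        effective = job.get("permissions", wf.get("permissions"))
        if effective is None:
            findings.append((RW_RULE, where, "no permissions block; token inherits repository default"))
        elif permissions_grant_write(effective):
            findings.append((RW_RULE, where, f"permissions grant write: {effective!r}"))
        if _truthy((job.get("env") or {}).get(UNSECURE_FLAG, "")):
            findings.append((UNSECURE_RULE, where, f"{UNSECURE_FLAG} enabled"))
        for i, step in enumerate(job.get("steps") or []):
            step_where = f"{where}.steps[{i}]"
            if _truthy((step.get("env") or {}).get(UNSECURE_FLAG, "")):
                findings.append((UNSECURE_RULE, step_where, f"{UNSECURE_FLAG} enabled"))
            run = step.get("run")
            if not isinstance(run, str):
                continue
            if UNSECURE_CMD_RE.search(run):
                findings.append((UNSECURE_RULE, step_where, "legacy ::set-env/::add-path command in run script"))
            for m in INPUT_EXPR_RE.finditer(run):
                findings.append((INPUTS_RULE, step_where, f"{m.group(0)} expanded into shell text; pass it via env: instead"))
    return sorted(findings)

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, *scan_workflow(wf), sep="\n  ")
```

The hardened workflow shows the fix each finding points to: a permissions block that grants only contents: read, the GITHUB_ENV file instead of ::set-env, and the dispatch input routed through env: so the shell receives it as a variable value rather than as part of the script. The checker only inspects the workflow file; whether the repository default token is actually read/write is an org or repository setting the file cannot reveal, which is why an absent permissions block is reported rather than silently accepted.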

OSS License


| Name | Id | Description |
| --- | --- | --- |
| Package with Unauthorized License | use-of-forbidden-license | A package is used under a license that the organization has not authorized. |

SCA From SBOM


| Name | Id | Description |
| --- | --- | --- |
| SBOM SCA - Dependency with Malicious Behaviour | dependency-with-malicious-behaviour | The dependency has been identified by the community as having malicious behaviour. |

X509 Certificates


| Name | Id | Description |
| --- | --- | --- |
| Cert Expired | x509-cert-expired | The X.509 certificate has expired and is no longer valid. |
| Cert Expires Soon | x509-cert-expires-soon | The X.509 certificate will expire in the near future. |
| Cert Insecure Signing Algorithm | x509-cert-insecure-signing-algorithm | The X.509 certificate is signed with a weak signature algorithm (for example one based on MD5 or SHA-1). |
| Cert Insufficient Key Length | x509-cert-insufficient-key-length | The X.509 certificate's public key is shorter than the minimum length considered secure. |
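Added example, not BoostSecurity's scanner code: the four x509-* checks above implemented over raw DER with only the Python standard library. A small DER encoder builds constructed test certificates (unsigned, with a placeholder signature field and a synthetic RSA modulus), and a matching decoder reads back the signature algorithm OID, validity window and RSA key size the checks need. The 30-day expiry warning, the 2048-bit RSA minimum and the weak-algorithm OID list are thresholds assumed for this example, not the scanner's configured values.

```python
import datetime as dt

RSA_OID, SHA1_RSA_OID, SHA256_RSA_OID = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", SHA1_RSA_OID: "sha1WithRSAEncryption"}
MIN_RSA_BITS, EXPIRY_WARNING = 2048, dt.timedelta(days=30)   # policy thresholds assumed for this example
UTC = dt.timezone.utc

def der(tag, payload):                                          # DER TLV encoder (short or long-form length)
    n = len(payload)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n]) + payload if n < 0x80 else bytes([tag, 0x80 | len(ln)]) + ln + payload

def der_int(n):                                                 # leading 0x00 keeps a set top bit positive
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                                        # base 128, high bit set on all but the last byte
        enc = bytearray([arc & 0x7F])
        while arc >> 7:
            arc >>= 7
            enc.insert(0, 0x80 | (arc & 0x7F))
        body += enc
    return der(0x06, bytes(body))

def build_test_certificate(sig_oid, not_before, not_after, rsa_bits):
    """Constructed, unsigned certificate (the signature field is filler) for the checks."""
    utctime = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())   # UTCTime: dates before 2050
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"example.test"))))
    modulus = (1 << (rsa_bits - 1)) | 1                         # exactly rsa_bits bits long
    spki = der(0x30, der(0x30, der_oid(RSA_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, der_int(modulus) + der_int(65537))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(4242) + alg + name
              + der(0x30, utctime(not_before) + utctime(not_after)) + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))

def _tlv(buf, pos):                                             # DER reader -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                               # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def _children(buf, start, end):                                 # elements inside a constructed value
    while start < end:
        yield (tlv := _tlv(buf, start))
        start = tlv[2]

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _decode_time(tag, body):                                    # UTCTime (YY, RFC 5280 pivot 1950) or GeneralizedTime
    s = body.decode("ascii")
    if tag == 0x17:
        s = ("19" if s[:2] >= "50" else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_certificate(cert):
    """Signature algorithm, validity window and RSA modulus size from a DER certificate."""
    _, cs, ce = _tlv(cert, 0)                                   # Certificate ::= SEQUENCE
    _, ts, te = next(_children(cert, cs, ce))                   # tbsCertificate
    fields = list(_children(cert, ts, te))
    if fields[0][0] == 0xA0:                                    # skip the optional [0] EXPLICIT version, leaving
        fields = fields[1:]                                     # serial, signature, issuer, validity, subject, spki
    sig = next(_children(cert, fields[1][1], fields[1][2]))
    nb, na = list(_children(cert, fields[3][1], fields[3][2]))
    alg, key = list(_children(cert, fields[5][1], fields[5][2]))
    koid = next(_children(cert, alg[1], alg[2]))
    key_oid, key_bits = _decode_oid(cert[koid[1]:koid[2]]), None
    if key_oid == RSA_OID:                                      # BIT STRING: unused-bits byte, then RSAPublicKey
        _, ks, ke = _tlv(cert, key[1] + 1)
        _, ms, me = next(_children(cert, ks, ke))               # modulus INTEGER
        key_bits = int.from_bytes(cert[ms:me], "big").bit_length()
    return {"signature_oid": _decode_oid(cert[sig[1]:sig[2]]), "key_oid": key_oid, "key_bits": key_bits,
            "not_before": _decode_time(nb[0], cert[nb[1]:nb[2]]), "not_after": _decode_time(na[0], cert[na[1]:na[2]])}

def check_certificate(cert, now):
    """(rule_id, detail) findings matching the four x509-* rules."""
    info, findings = parse_certificate(cert), []
    if now > info["not_after"]:
        findings.append(("x509-cert-expired", f"expired {info['not_after'].date()}"))
    elif info["not_after"] - now <= EXPIRY_WARNING:
        findings.append(("x509-cert-expires-soon", f"expires {info['not_after'].date()}"))
    if info["signature_oid"] in WEAK_SIGNATURE_OIDS:
        findings.append(("x509-cert-insecure-signing-algorithm", WEAK_SIGNATURE_OIDS[info["signature_oid"]]))
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append(("x509-cert-insufficient-key-length", f"RSA-{info['key_bits']}"))
    return findings

NOW = dt.datetime(2025, 6, 1, tzinfo=UTC)                       # fixed clock, so the results are reproducible
WEAK_CERT = build_test_certificate(SHA1_RSA_OID, dt.datetime(2020, 1, 1), dt.datetime(2025, 6, 15), 1024)
EXPIRED_CERT = build_test_certificate(SHA256_RSA_OID, dt.datetime(2022, 1, 1), dt.datetime(2024, 1, 1), 2048)
GOOD_CERT = build_test_certificate(SHA256_RSA_OID, dt.datetime(2025, 1, 1), dt.datetime(2027, 1, 1), 2048)
```

Run check_certificate(WEAK_CERT, NOW) to see all three of the non-expiry findings plus the near-expiry warning on one certificate, and EXPIRED_CERT for the expired case. parse_certificate reads only the fields the four rules need and never verifies the signature or the chain; the DER reader also assumes well-formed input, so a production checker should use a full X.509 library and treat parse failures as findings in their own right.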