metadata:
  id: PVTR-BASELINE-SCAN
  type: EvaluationLog
  gemara-version: "1.1.0"
  version: 1.0.0
  description: PVTR baseline scan evaluation results
  author:
    id: pvtr
    name: PVTR
    type: Software
result: Failed
target:
  id: github-repo
  name: GitHub Repository
  type: Software
evaluations:
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.orgRequiresMFA
    description: When a user attempts to access a sensitive resource in the project's
      version control system, the system MUST require the user to complete a multi-factor
      authentication process.
    result: Passed
    message: Two-factor authentication is configured as required by the parent organization
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003708Z
    evidence:
    - id: EV-AC-01-01
      type: api-response
      collected-at: 2025-08-22T16:02:00.000003000Z
      payload:
        login: revanite-io
        two_factor_requirement_enabled: true
      description: Organization settings showing org-wide MFA enforcement
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-01
  result: Passed
  message: Two-factor authentication is configured as required by the parent organization
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: When a new collaborator is added, the version control system MUST
      require manual permission assignment, or restrict the collaborator permissions
      to the lowest available privileges by default.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001208Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-02
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionRestrictsPushes
    description: When a direct commit is attempted on the project's primary branch,
      an enforcement mechanism MUST prevent the change from being applied.
    result: Passed
    message: Branch protection rule requires approving reviews
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002750Z
  - requirement:
      entry-id: OSPS-AC-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionPreventsDeletion
    description: When an attempt is made to delete the project's primary branch, the
      version control system MUST treat this as a sensitive activity and require explicit
      confirmation of intent.
    result: Passed
    message: Branch protection rule prevents deletions
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000001167Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-03
  result: Passed
  message: Branch protection rule prevents deletions
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-AC-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.workflowDefaultReadPermissions
    description: When a CI/CD task is executed with no permissions specified, the
      project's version control system MUST default to the lowest available permissions
      for all activities in the pipeline.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-AC-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.cicdSanitizedInputParameters
    description: When a CI/CD pipeline accepts an input parameter, that parameter
      MUST be sanitized and validated prior to use in the pipeline.
    result: Passed
    message: GitHub Workflows variables do not contain untrusted inputs
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:01.711621250Z
  - requirement:
      entry-id: OSPS-BR-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a CI/CD pipeline uses a branch name in its functionality, that
      name value MUST be sanitized and validated prior to use in the pipeline.
    result: Needs Review
    message: Not implemented
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000708Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-01
  result: Needs Review
  message: Not implemented
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.releaseHasUniqueIdentifier
    description: When an official release is created, that release MUST be assigned
      a unique version identifier.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-02
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureInsightsLinksUseHTTPS
    description: When the project lists a URI as an official project channel, that
      URI MUST be exclusively delivered using encrypted channels.
    result: Needs Review
    message: All links use HTTPS
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000003417Z
  - requirement:
      entry-id: OSPS-BR-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.distributionPointsUseHTTPS
    description: When the project lists a URI as an official distribution channel,
      that URI MUST be exclusively delivered using encrypted channels.
    result: Passed
    message: No official distribution points found in Security Insights data
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000584Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-03
  result: Needs Review
  message: No official distribution points found in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-04.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.ensureLatestReleaseHasChangelog
    description: When an official release is created, that release MUST contain a
      descriptive log of functional and security modifications.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-05.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When a build and release pipeline ingests dependencies, it MUST use
      standardized tooling where available.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-BR-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/build_release.insightsHasSlsaAttestation
    description: When an official release is created, that release MUST be signed
      or accounted for in a signed manifest including each asset's cryptographic hashes.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-BR-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasUserGuides
    description: When the project has made a release, the project documentation MUST
      include user guides for all basic functionality.
    result: Failed
    message: User guide was NOT specified in Security Insights data
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-01
  result: Failed
  message: User guide was NOT specified in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.acceptsVulnReports
    description: When the project has made a release, the project documentation MUST
      include a guide for reporting defects.
    result: Failed
    message: Repository does not accept vulnerability reports
    steps-executed: 3
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-02
  result: Failed
  message: Repository does not accept vulnerability reports
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-03.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSignatureVerificationGuide
    description: When the project has made a release, the project documentation MUST
      contain instructions to verify the integrity and authenticity of the release
      assets.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      include a descriptive statement about the scope and duration of support for
      each release.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-05.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasSupportDocs
    description: When the project has made a release, the project documentation MUST
      provide a descriptive statement when releases or versions will no longer receive
      security updates.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-DO-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasMadeReleases
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/docs.hasDependencyManagementPolicy
    description: When the project has made a release, the project documentation MUST
      include a description of how the project selects, obtains, and tracks its dependencies.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-DO-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.coreTeamIsListed
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.projectAdminsListed
    description: While active, the project documentation MUST include a list of project
      members with access to sensitive resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-GV-01.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasRolesAndResponsibilities
    description: While active, the project documentation MUST include descriptions
      of the roles and responsibilities for members of the project.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasIssuesOrDiscussionsEnabled
    description: While active, the project MUST have one or more mechanisms for public
      discussions about proposed changes and usage obstacles.
    result: Passed
    message: Issues are enabled for the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000292Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-02
  result: Passed
  message: Issues are enabled for the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionGuide
    description: While active, the project documentation MUST include an explanation
      of the contribution process.
    result: Needs Review
    message: '"Contributing guide was found via GitHub API (Recommendation: Add code
      of conduct location to Security Insights data)"'
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000792Z
  - requirement:
      entry-id: OSPS-GV-03.02
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/governance.hasContributionReviewPolicy
    description: While active, the project documentation MUST include a guide for
      code contributors that includes requirements for acceptable contributions.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-03
  result: Needs Review
  message: '"Contributing guide was found via GitHub API (Recommendation: Add code
    of conduct location to Security Insights data)"'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-GV-04.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST have a policy that code
      contributors are reviewed prior to granting escalated permissions to sensitive
      resources.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-GV-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubTermsOfService
    description: While active, the version control system MUST require all code contributors
      to assert that they are legally authorized to make the associated contributions
      on every commit.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.goodLicense
    description: While active, the license for the source code MUST meet the OSI Open
      Source Definition or the FSF Free Software Definition.
    result: Needs Review
    message: All license found are OSI or FSF approved
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.269504834Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-02
  result: Needs Review
  message: All license found are OSI or FSF approved
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-LE-03.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.foundLicense
    description: While active, the license for the source code MUST be maintained
      in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory.
    result: Passed
    message: License was found in a well known location via the GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000875Z
  - requirement:
      entry-id: OSPS-LE-03.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/legal.releasesLicensed
    description: While active, the license for the released software assets MUST be
      included in the released source code, or in a LICENSE file, COPYING file, or
      LICENSE/ directory alongside the corresponding release assets.
    result: Passed
    message: GitHub releases include the license(s) in the released source code.
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-LE-03
  result: Passed
  message: GitHub releases include the license(s) in the released source code.
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-01.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.repoIsPublic
    description: While active, the project's source code repository MUST be publicly
      readable at a static URL.
    result: Passed
    message: Repository is public
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000958Z
  - requirement:
      entry-id: OSPS-QA-01.02
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.GithubBuiltIn
    description: The version control system MUST contain a publicly readable record
      of all changes made, who made the changes, and when the changes were made.
    result: Passed
    message: This control is enforced by GitHub for all projects
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000000375Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-01
  result: Passed
  message: This control is enforced by GitHub for all projects
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-02.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.verifyDependencyManagement
    description: When the package management system supports it, the source code repository
      MUST contain a dependency list that accounts for the direct language dependencies.
    result: Passed
    message: Found 8 dependency manifests from GitHub API
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.000002667Z
  - requirement:
      entry-id: OSPS-QA-02.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, all compiled released software
      assets MUST be delivered with a software bill of materials.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-02
  result: Passed
  message: Found 8 dependency manifests from GitHub API
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-03.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByRulesets
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.statusChecksAreRequiredByBranchProtection
    description: When a commit is made to the primary branch, any automated status
      checks for commits MUST pass or be manually bypassed.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-04.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsActive
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.insightsListsRepositories
    description: While active, the project documentation MUST contain a list of any
      codebases that are considered subprojects or additional repositories.
    result: Failed
    message: Insights does NOT contains a list of repositories
    steps-executed: 4
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-04
  result: Failed
  message: Insights does NOT contains a list of repositories
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-05.01
    applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.noBinariesInRepo
    description: While active, the version control system MUST NOT contain generated
      executable artifacts.
    result: Passed
    message: No common binary file extensions were found in the repository
    steps-executed: 1
    start: 2025-08-22T16:02:00.000000000Z
    end: 2025-08-22T16:02:00.729000709Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-05
  result: Passed
  message: No common binary file extensions were found in the repository
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-06.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.hasOneOrMoreStatusChecks
    description: Prior to a commit being accepted, the project's CI/CD pipelines MUST
      run at least one automated test suite to ensure the changes meet expectations.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestExecution
    description: While active, project's documentation MUST clearly document when
      and how tests are run.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-QA-06.03
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.documentsTestMaintenancePolicy
    description: While active, the project's documentation MUST include a policy that
      all major changes to the software produced by the project should add or update
      tests of the functionality in an automated test suite.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-06
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-QA-07.01
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.requiresNonAuthorApproval
    description: When a commit is made to the primary branch, the project's version
      control system MUST require at least one non-author approval of the changes
      before merging.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-QA-07
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-01.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include design documentation demonstrating all actions and actors within the
      system.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-02.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project documentation MUST
      include descriptions of all external software interfaces of the released software
      assets.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-02
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-SA-03.01
    applicability:
    - Maturity Level 2
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project MUST perform a security
      assessment to understand the most likely and impactful potential security problems
      that could occur within the software.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-SA-03.02
    applicability:
    - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: When the project has made a release, the project MUST perform a threat
      modeling and attack surface analysis to understand and protect against attacks
      on critical code paths, functions, and interactions within the system.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-SA-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-01.01
      applicability:
      - Maturity Level 2
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST include a policy for
      coordinated vulnerability reporting, with a clear timeframe for response.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-01
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-02.01
      applicability:
      - Maturity Level 1
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.hasSecContact
    description: While active, the project documentation MUST contain security contacts.
    result: Failed
    message: Security contacts were not specified in Security Insights data
    steps-executed: 2
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-02
  result: Failed
  message: Security contacts were not specified in Security Insights data
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-03.01
      applicability:
      - Maturity Level 2
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST provide a means for
      reporting security vulnerabilities privately to the security contacts within
      the project.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-03
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-04.01
      applicability:
      - Maturity Level 2
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST publicly publish data
      about discovered vulnerabilities.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-VM-04.02
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, any vulnerabilities in the software components not
      affecting the project MUST be accounted for in a VEX document, augmenting the
      vulnerability report with non-exploitability details.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-04
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-05.01
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST include a policy that
      defines a threshold for remediation of SCA findings related to vulnerabilities
      and licenses.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-VM-05.02
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, the project documentation MUST include a policy to
      address SCA violations prior to any release.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-VM-05.03
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.NotImplemented
    description: While active, all changes to the project's codebase MUST be automatically
      evaluated against a documented policy for malicious dependencies and known vulnerabilities
      in dependencies, then blocked in the event of violations, except when declared
      and suppressed as non-exploitable.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-05
  result: Not Run
  message: '""'
- name: ''
  assessment-logs:
  - requirement:
      entry-id: OSPS-VM-06.01
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasDependencyManagementPolicy
    description: While active, the project documentation MUST include a policy that
      defines a threshold for remediation of SAST findings.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  - requirement:
      entry-id: OSPS-VM-06.02
      applicability:
      - Maturity Level 3
    steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.HasSecurityInsightsFile
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/vuln_management.sastToolDefined
    description: While active, all changes to the project's codebase MUST be automatically
      evaluated against a documented policy for security weaknesses and blocked in
      the event of violations except when declared and suppressed as non-exploitable.
    result: Not Run
    message: '""'
    steps-executed: 0
    start: 2025-08-22T16:02:00.000000000Z
  control:
    reference-id: OSPS-B
    entry-id: OSPS-VM-06
  result: Not Run
  message: '""'