Skip to content

The 28 GitHub security checks Black Cat runs

Black Cat SSPM evaluates 28 security policies against your GitHub configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highOrg Default Permission Too Permissive

Set GitHub organization base permissions to Read or No permission to reduce default access

criticalRepo Branch Protection Disabled

Enable branch protection on the default GitHub branch to require pull request reviews

lowStale Organization Member

Remove stale GitHub organization members who no longer require access

highRepo Admins Bypass Branch Protection

Enable "Include administrators" on branch protection rules to prevent admins from bypassing reviews

mediumRepo Stale Reviews Not Dismissed

Enable dismissal of stale pull request reviews when new commits are pushed

mediumTeam Admin Permission

Reduce team repository permission from admin to write or maintain to follow least privilege

mediumOAuth App Broad Repository Access

Restrict GitHub App installation to selected repositories instead of all repositories

highGitHub Actions Can Approve Pull Requests

Prevent GitHub Actions from approving pull requests so workflows cannot bypass review

highGitHub Actions Default Workflow Permissions Read-Write

Set the default GITHUB_TOKEN workflow permissions to read-only

mediumOrg Members Can Fork Private Repos

Disable forking of private repositories by organization members

mediumOrg Members Can Create Public Repos

Restrict members from creating public repositories in the organization

mediumOrg Repository Creation Unrestricted

Restrict which members can create repositories in the organization

highRepo Branch Deletion Allowed

Disable branch deletion on the protected default branch

highRepo Force Pushes Allowed

Disable force pushes on the protected default branch

highRepo Insufficient Required Reviews

Require at least two pull request approvals on the protected default branch

configuration

highRepo Secret Scanning Disabled

Enable secret scanning and push protection on GitHub repositories to detect leaked credentials

mediumRepo Dependabot Disabled

Enable Dependabot alerts and security updates on GitHub repositories

mediumPublic Repo Without Security Policy

Add a SECURITY.md file to public GitHub repositories documenting vulnerability reporting

highActions Allow All External

Restrict GitHub Actions permissions to allow only GitHub-created or trusted actions

highWebhook Insecure URL

Update GitHub webhooks to use HTTPS URLs and add a secret for payload verification

mediumOrg Dependabot Alerts Disabled

Enable Dependabot alerts at the organization level so new repositories inherit vulnerability detection

highOrg Secret Scanning Disabled

Enable secret scanning at the organization level to detect leaked credentials in new repositories

highActions Runner Allows Public Repos

Disable public repository access on organization runner groups to prevent untrusted code execution

mediumGitHub Actions Enabled For All Repositories

Restrict GitHub Actions to selected repositories instead of all repositories

lowOrg Web Commit Signoff Not Required

Require web-based commit signoff for the organization

highRepo Secret Scanning Push Protection Disabled

Enable secret scanning push protection on the repository

mfa

criticalOrg 2FA Not Required

Require two-factor authentication for all GitHub organization members

highMember Without 2FA

Contact GitHub organization members who have not enabled 2FA and direct them to enroll

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial