The 28 GitHub security checks Black Cat runs
Black Cat SSPM evaluates 28 security policies against your GitHub configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Set GitHub organization base permissions to Read or No permission to reduce default access
Enable branch protection on the default GitHub branch to require pull request reviews
Remove stale GitHub organization members who no longer require access
Enable "Include administrators" on branch protection rules to prevent admins from bypassing reviews
Enable dismissal of stale pull request reviews when new commits are pushed
Reduce team repository permission from admin to write or maintain to follow least privilege
Restrict GitHub App installation to selected repositories instead of all repositories
Prevent GitHub Actions from approving pull requests so workflows cannot bypass review
Set the default GITHUB_TOKEN workflow permissions to read-only
Disable forking of private repositories by organization members
Restrict members from creating public repositories in the organization
Restrict which members can create repositories in the organization
Disable branch deletion on the protected default branch
Disable force pushes on the protected default branch
Require at least two pull request approvals on the protected default branch
configuration
Enable secret scanning and push protection on GitHub repositories to detect leaked credentials
Enable Dependabot alerts and security updates on GitHub repositories
Add a SECURITY.md file to public GitHub repositories documenting vulnerability reporting
Restrict GitHub Actions permissions to allow only GitHub-created or trusted actions
Update GitHub webhooks to use HTTPS URLs and add a secret for payload verification
Enable Dependabot alerts at the organization level so new repositories inherit vulnerability detection
Enable secret scanning at the organization level to detect leaked credentials in new repositories
Disable public repository access on organization runner groups to prevent untrusted code execution
Restrict GitHub Actions to selected repositories instead of all repositories
Require web-based commit signoff for the organization
Enable secret scanning push protection on the repository
mfa
Require two-factor authentication for all GitHub organization members
Contact GitHub organization members who have not enabled 2FA and direct them to enroll