AC-06 was actually a docs check (#101)

Signed-off-by: Eddie Knight <[email protected]>
ossf · Dec 5, 2024 · e641edc · e641edc
1 parent 16bd996
commit e641edc
Showing 1 changed file with 30 additions and 30 deletions.
diff --git a/baseline.yaml b/baseline.yaml
@@ -158,36 +158,6 @@ criteria:
       - topLevelPermissions
       - jobLevelPermissions
 
-  - id: OSPS-AC-06
-    maturity_level: 2
-    category: Access Control
-    criteria: |
-      The project documentation MUST have a policy
-      that code contributors are reviewed prior to
-      granting escalated permissions to sensitive
-      resources.
-    objective: |
-      Ensure that code contributors are vetted and
-      reviewed before being granted elevated
-      permissions to sensitive resources within
-      the project, reducing the risk of
-      unauthorized access or misuse.
-    implementation: |
-      Publish an enforceable policy in the project
-      documentation that requires code
-      contributors to be reviewed and approved
-      before being granted escalated permissions
-      to sensitive resources, such as merge
-      approval or access to secrets.
-
-      It is recommended that vetting includes
-      establishing a justifiable lineage of
-      identity such as confirming the
-      contributor's association with a known
-      trusted organization.
-    control_mappings: # TODO
-    security_insights_value: # TODO
-
   - id: OSPS-AC-07
     maturity_level: 3
     category: Access Control
@@ -592,6 +562,36 @@ criteria:
     scorecard_probe:
       - # TODO: this is about policy, but we should also look for evidence of SCA
 
+  - id: OSPS-DO-11
+    maturity_level: 2
+    category: Documentation
+    criteria: |
+      The project documentation MUST have a policy
+      that code contributors are reviewed prior to
+      granting escalated permissions to sensitive
+      resources.
+    objective: |
+      Ensure that code contributors are vetted and
+      reviewed before being granted elevated
+      permissions to sensitive resources within
+      the project, reducing the risk of
+      unauthorized access or misuse.
+    implementation: |
+      Publish an enforceable policy in the project
+      documentation that requires code
+      contributors to be reviewed and approved
+      before being granted escalated permissions
+      to sensitive resources, such as merge
+      approval or access to secrets.
+
+      It is recommended that vetting includes
+      establishing a justifiable lineage of
+      identity such as confirming the
+      contributor's association with a known
+      trusted organization.
+    control_mappings: # TODO
+    security_insights_value: # TODO
+
   - id: OSPS-LE-01
     maturity_level: 2
     category: Legal