From 35b59cd482b3360e0c9f62a597208728e6a33111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Thu, 25 Jul 2024 20:56:14 -0600
Subject: [PATCH] Baseline: Enable binaries check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Adolfo GarcĂ­a Veytia (Puerco)
---
 profiles/github/openssf_security_baseline.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/profiles/github/openssf_security_baseline.yaml b/profiles/github/openssf_security_baseline.yaml
index b62c5ba..49a970d 100644
--- a/profiles/github/openssf_security_baseline.yaml
+++ b/profiles/github/openssf_security_baseline.yaml
@@ -74,10 +74,14 @@ repository:
 displayName: "Ensure there is a security policy file"
 def:
 filename: SECURITY.md
-
+
+ # No checked-in binaries
+ - type: no_binaries_in_repo
+ name: no_binaries_in_repo
+ displayName: "Ensure that there are no binaries checked in the repository"
+
 # (TODO) No vulnerabilities
 # (TODO) 60 day SLA on HIGH/MED vulnerabilities
- # (TODO) No checked-in binaries
 # (TODO) SBOM generated with releases
 # (TODO) SBOM conforms to NTIA minimal elements
 # (TODO) Artifacts are signed
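Review bot: The new `no_binaries_in_repo` entry carries no `def:` stanza, unlike the neighbouring security-policy check whose `def: filename: SECURITY.md` parameterises it, so it is unclear from the profile whether the evaluator accepts configuration for this check (for example an allowlist for binaries a project legitimately commits, such as test fixtures or images) or whether the rule is unconditional; a short comment stating which would help, e.g. `# Check takes no parameters; any binary file in the tree fails the rule` if that is the case. The same comment could name the basis the evaluator uses to decide what counts as a binary (file content versus file extension), since that determines what a finding means to whoever triages it. As a wording point, the new displayName reads awkwardly; `displayName: "Ensure that no binaries are checked into the repository"` matches the phrasing of the sibling entries. The enclosing `repository:` block begins before the hunk.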