Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: [2024-Q3] CI/CD Audit Story #26

Open
16 of 53 tasks
rbarkerSL opened this issue Jul 19, 2024 · 1 comment · Fixed by #43
Open
16 of 53 tasks

ci: [2024-Q3] CI/CD Audit Story #26

rbarkerSL opened this issue Jul 19, 2024 · 1 comment · Fixed by #43
Assignees
Labels
Audit Issues resulting from a code or process audit

Comments

@rbarkerSL
Copy link

rbarkerSL commented Jul 19, 2024

Contents

Administrative Audit Criteria

Check Actions State

  • Actions are enabled
  • Actions are disabled

Check if Actions should be disabled

If actions have not been run in the previous 6 months they should be disabled:

  • Actions have run in the last 6 months and shall remain enabled
  • Actions have been disabled on the inactive repository

Repository Settings Checks

  • Repository settings are configured per organization standard
  • Individual branch protections are turned off
  • Individual tag protections are turned off
  • The repository uses the current rulesets
  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from contributors list
  • All webhooks present are needed and in use

App Integrations

If actions are enabled:

  • Dependabot is enabled on the repository
  • Codecov is enabled on the repository

Security Checks

  • Snyk is enabled on the repository
  • Dependabot is configured to monitor all relevant ecosystems
    • npm
    • electron
    • github actions
    • etc.
  • Secrets Management
    • No hardcoded secrets in the workflow files or code
    • GitHub secrets are employed to store sensitive data
    • Secrets are referenced in CI via config files or environment variables
  • Tokens are stored securely as GitHub Secrets
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unathorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
  • Code Coverage Reporting - Configure codecov on the repository
  • CodeQL is enabled on the repository
  • npx playwright install deps is used to install OS dependencies instead of aptitude
  • Code Formatting
    • ESLint rules are applied to the codebase
    • Prettier Formatting rules are applied to the codebase

Custom Properties

  • Custom properties: last-ci-review-by-team is set
  • Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Non-Administrative Audit Criteria

Dependabot

  • dependabot.yml is up to date

Workflow checks

  • Appropriate permissions are set within the github workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The Step-Security Hardened Security action is enabled on each workflow job
  • Ensure no hard-coded keys in workflows
    • Alert devops-ci administrative team if new github secrets are needed to resolve hard-coded keys

Self Hosted Runners

  • The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

  • Require contributors to sign off on web-based commits
  • Features: Issues
  • Features: Preserve this Repository
  • Features: Discussions
  • Features: Projects
  • Pull Requests: Allow Squash Merging
  • Pull Requests: Always suggest updating pull request branches
  • Pull Requests: Automatically delete head branches
  • Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

  • All Audit Criteria have been met
@rbarkerSL rbarkerSL added the Audit Issues resulting from a code or process audit label Jul 19, 2024
@mishomihov00 mishomihov00 self-assigned this Oct 30, 2024
@mishomihov00 mishomihov00 linked a pull request Oct 30, 2024 that will close this issue
@mishomihov00
Copy link
Contributor

@andrewb1269hg assigning over to you.
NOTE: I haven't updated the runners to a latitude runner, because no "Actions" tab is available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Audit Issues resulting from a code or process audit
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants