ci: [2024-Q3] CI/CD Audit Story #363

Closed
49 of 59 tasks
rbarker-dev opened this issue Jul 19, 2024 · 3 comments · Fixed by #405

rbarker-dev commented Jul 19, 2024

Administrative Audit Criteria

Actions State

If actions have not been run in the previous 6 months, they should be disabled:

  • Actions are/have been disabled

If actions have run in the last 6 months, then actions shall remain enabled:

  • Actions are enabled

Settings Window

General Tab

  • Require contributors to sign off on web-based commits

Features Section:

  • Disable Wiki
    • If it is in use, leave Wiki enabled. If not in use, remove functionality (uncheck Wiki option). Should be disabled whenever possible.
  • Enable Issues
  • Enable Preserve this Repository
  • Enable Discussions
  • Enable Projects

Pull Requests Section:

  • Enable Allow Squash Merging
  • Enable Always suggest updating pull request branches
  • Enable Automatically delete head branches

Pushes Section:

  • Pushes: Limit how many branches and tags can be updated in a single push (default is 5)

Collaborators and Teams Tab

  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from contributors list

Branches Tab

  • Individual branch protections are turned off

Tags Tab

  • Individual tag protections are turned off

Rules/Rulesets Tab

  • The repository uses the current rulesets

Actions Tab

If actions are enabled:

  • Dependabot is enabled on the repository
  • Codecov is enabled on the repository

Webhooks Tab

  • All webhooks present are needed and in use
  • Snyk is enabled on the repo (check to see if the webhook exists and is in use)

Secrets and Variables Tab

  • GitHub secrets are employed to store sensitive data
  • Tokens are stored securely as GitHub Secrets

App Integrations

  • Dependabot is configured to monitor all relevant ecosystems
    • npm
    • electron
    • github actions
    • etc.
  • Code Coverage Reporting - Configure codecov on the repository
  • CodeQL is enabled on the repository

Security Checks in Repo

  • Secrets Management
    • No hardcoded secrets in the workflow files or code
    • Secrets are referenced in CI via config files or environment variables
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unauthorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
  • npx playwright install-deps is used to install OS dependencies instead of aptitude

Code Formatting

  • Node.js projects use ESLint/Prettier formatting
  • Java Projects use Checkstyle/Spotless formatting

Custom Properties

  • Custom properties: last-ci-review-by-team is set
  • Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Non-Administrative Audit Criteria

Dependabot

  • dependabot.yml is up to date

Workflow checks

  • Appropriate permissions are set within the GitHub workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The Step-Security Hardened Security action is enabled on each workflow job
  • Ensure no hard-coded keys in workflows
    • Alert the devops-ci administrative team if new GitHub secrets are needed to resolve hard-coded keys

Self Hosted Runners

  • The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

  • Require contributors to sign off on web-based commits
  • Features: Issues
  • Features: Preserve this Repository
  • Features: Discussions
  • Features: Projects
  • Pull Requests: Allow Squash Merging
  • Pull Requests: Always suggest updating pull request branches
  • Pull Requests: Automatically delete head branches
  • Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

  • All Audit Criteria have been met
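The workflow checks in the audit above (least-privilege permissions, SHA-pinned actions, harden-runner as the first step of every job, named steps, no hard-coded keys, the runner label in runs-on, and checksum verification of executables) are easier to apply consistently with a small script than by eye. The following is an added example, not tooling from this issue or the project: it scans a workflow file line by line with only the standard library, assuming GitHub's conventional two-space YAML layout. The runner label value, the secret-pattern list, the placeholder commit SHAs and both sample workflows are constructed for the illustration.

```python
"""Line-based checks for a subset of the non-administrative audit criteria.
Added illustration, not the project's tooling; assumes GitHub's conventional
two-space YAML layout and uses only the standard library (no YAML parser)."""
import re

REQUIRED_RUNNER_LABEL = "latitude"  # runner-group label from the audit; exact value assumed
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_PATTERNS = [("GitHub token", re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"))]

def unpinned(spec):
    """True when an action reference is not pinned to a full 40-hex commit SHA."""
    if spec.startswith(("./", "docker://")):  # local/container actions carry no git ref
        return False
    return "@" not in spec or not FULL_SHA_RE.match(spec.rsplit("@", 1)[1])

def steps_by_job(lines):
    """Map job id -> list of per-step dicts holding each step's top-level keys."""
    jobs, in_jobs, job, in_steps, step_indent = {}, False, None, False, None
    for n, raw in enumerate(lines, 1):
        s = raw.strip()
        if not s or s.startswith("#"): continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:  # top-level key; only "jobs:" opens the section we walk
            in_jobs, job = s == "jobs:", None
            continue
        if not in_jobs: continue
        if indent == 2 and s.endswith(":"):  # job header
            job, in_steps, step_indent = s[:-1], False, None
            jobs[job] = []
            continue
        if job is None: continue
        if s == "steps:":
            in_steps = True
            continue
        item = re.match(r"^-\s+(.*)$", s)
        if in_steps and item and (step_indent is None or indent == step_indent):
            step_indent = indent  # the first "- " fixes the step list's indent
            jobs[job].append({"line": n})
            s, indent = item.group(1), indent + 2
        if in_steps and jobs[job] and indent == step_indent + 2:
            kv = re.match(r"^([\w-]+):\s*(.*)$", s)
            if kv:
                jobs[job][-1].setdefault(kv.group(1), kv.group(2))
    return jobs

def audit_workflow(text):
    """Return a list of findings; an empty list means the workflow passes these checks."""
    lines, findings = text.splitlines(), []
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("no top-level permissions: block (GITHUB_TOKEN keeps its default scope)")
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and unpinned(m.group(1)):
            findings.append(f"line {n}: action not pinned to a commit SHA: {m.group(1)}")
        r = re.match(r"^\s*runs-on:\s*(.*)$", line)
        if r and REQUIRED_RUNNER_LABEL not in r.group(1):
            findings.append(f"line {n}: runs-on lacks the {REQUIRED_RUNNER_LABEL} label")
        for label, rx in SECRET_PATTERNS:
            if rx.search(line):
                findings.append(f"line {n}: possible hardcoded {label}")
    for job, steps in steps_by_job(lines).items():
        if not steps or not steps[0].get("uses", "").startswith("step-security/harden-runner@"):
            findings.append(f"job {job}: first step is not step-security/harden-runner")
        findings += [f"job {job}: step at line {s['line']} has no name" for s in steps if "name" not in s]
    return findings

# Constructed samples. The token below is fake; the SHAs are placeholders, not real commits.
WEAK_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        run: npm publish
        env:
          NPM_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""
HARDENED_WORKFLOW = """\
name: ci
permissions:
  contents: read
jobs:
  build:
    runs-on: [self-hosted, latitude]
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
      - name: Checkout
        uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef
      - name: Verify vendored helper against the stored checksum before running it
        run: echo "${HELPER_SHA256}  tools/release-helper" | sha256sum -c -
        env:
          HELPER_SHA256: ${{ vars.RELEASE_HELPER_SHA256 }}
      - name: Publish
        run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
```

Run `audit_workflow(WEAK_WORKFLOW)` to see the six findings the weak sample produces (missing permissions block, unpinned checkout, wrong runner label, a literal token, no harden-runner, an unnamed step); `audit_workflow(HARDENED_WORKFLOW)` returns an empty list. The hardened sample also shows the checksum criterion: the expected digest lives in a repository variable rather than in the workflow, and `sha256sum -c` fails the job if the vendored executable changes. The scanner is deliberately conservative (it skips `runs-on: ${{ matrix.os }}` style values and nested lists), so treat a clean result as a prompt for manual review, not proof.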
mishomihov00 self-assigned this Oct 30, 2024
mishomihov00 linked a pull request Oct 30, 2024 that will close this issue

mishomihov00 commented:
Non-administrative checks are done. @andrewb1269hg assigning over to you.

andrewb1269hg commented Dec 16, 2024

  • Codecov needs to be enabled on the repo.
  • CodeQL needs to be enabled on the repo.

andrewb1269hg commented:
Codecov and CodeQL will not be enabled on this repo until the repo moves to hiero.
