You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Purpose to improve code quality and security for the Mojaloop project. Includes analysis and introduction of new open sources tools, process improvments, gates checks (w/in pull requests and builds) along with documentation.
Scope: project is focused on quality and security but can lead to other areas such as test automation and DevOps automation and tools.
## OutPut (phase one by end of January):
- Implementation and analysis of new OSS tools
- Update Release Scripts: Security aspects need to be embedded in release/devops (CI/CD)
- Update rules for Pull Requests: Security aspects embedded in pull requests (before check-ins)
- Update documentations: Standards and contribution guides
Slack Channel:#code_security
## Discussions:
### Implement changes at the Dockerfile and CI/CD build process to help bolster our container security
- Create a non-root user within the Dockerfile
- Enable docker-content-trust on the docker host (this will be inside CircleCI)
- Run builds with --no-cache during CircleCI step to ensure that we are pulling in any new security patches each time (I don’t think this is a major issue since we don’t have CircleCI docker image caching on anyway
### Move from Javascript to Typescript
- Transition to typescript (mix and match js and ts) for more security/quality
- Typescript is preferred but not required: https://github.com/mojaloop/template-typescript-public
