diff --git a/handbook/security.md b/handbook/security.md index cb7239818b..5e8b1896de 100644 --- a/handbook/security.md +++ b/handbook/security.md @@ -392,7 +392,7 @@ Because our code is open source, we are much more concerned about the integrity This is why our configuration aims to protect what is in the code, but we spend no effort preventing "leaks" since almost everything is public anyway. -If you are reading this from another organization that makes code that is not open-source, we +If you are reading this from another organization that makes code that is not open source, we recommend checking out [this guide](https://oops.computer/posts/safer-github-setup/). ### Authentication @@ -408,7 +408,7 @@ not, we would enforce Single Sign-On (SSO) to access our organization. We enable *Require two-factor authentication* for everyone in the organization. Fleet requires two-factor authentication for everyone in the organization. We do not require Single Sign-on (SSO) - -as most of the software we work on is open-source and accessible to external collaborators. If you can imagine, GitHub +as most of the software we work on is open source and accessible to external collaborators. If you can imagine, GitHub charges a [4x premium](https://sso.tax/) for this feature. ### Code security and analysis 
@@ -436,13 +436,13 @@ charges a [4x premium](https://sso.tax/) for this feature. | Allow members to change repository visibilities for this organization | 🚫 | Most of our repos are public, but for the few that are private we want to require org admin privileges to make them public | | Allow members to delete or transfer repositories for this organization | 🚫 | We want to require org admin privileges to be able to delete or transfer any repository. | | Allow repository administrators to delete issues for this organization | 🚫 | We want to require org admin privileges to be able to delete issues, which is something that is very rarely needed but could be, for example, if we received GitHub issue spam. | -| Allow members to see comment author's profile name in private repositories | 🚫 | We barely use private repositories, and have no need for this. | +| Allow members to see the comment author's profile name in private repositories | 🚫 | We barely use private repositories and have no need for this. | | Allow users with read access to create discussions | 🚫 | We do not currently use discussions and want people to use issues as much as possible. | | Allow members to create teams | 🚫 | We automate the management of GitHub teams with the [GitHub Terraform provider](https://github.com/integrations/terraform-provider-github). | ### Team Discussions We do not use team discussions and therefore have disabled them. This is simply to avoid discussions -being located in too many places and not security-related. +located in too many places and not security-related. ### Repository Security 
@@ -455,7 +455,7 @@ Located in the Branches section of repository settings, we create a rule for **m | ---------------------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------- | | Require a pull request before merging | ✅ | We enforce code reviews, which require PRs. | | Require approvals | 1️⃣ | We require approval from one person in the team. | -| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR then change everything about it! | +| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and then change everything about it! | | Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility | | Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. | | Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. | 
@@ -476,7 +476,7 @@ Though not technically a part of GitHub itself, we feel like the security tools | --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | | [OSSF Scorecard](https://github.com/ossf/scorecard) | Scan our GitHub repository for best practices and send problems to GitHub Security. | [scorecard-analysis.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/scorecards-analysis.yml) | | [CodeQL](https://codeql.github.com/) | Discover vulnerabilities across our codebase, both in the backend and frontend code. | [codeql-analysis.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/codeql-analysis.yml) | -| [gosec](https://github.com/securego/gosec) | Scan golang code for common security mistakes. We use gosec as one of the linters used by [golangci-lint](https://github.com/golangci/golangci-lint) | [golangci-lint.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/golangci-lint.yml) | +| [gosec](https://github.com/securego/gosec) | Scan golang code for common security mistakes. We use gosec as one of the linters(static analysis tools used to identify problems in code) used by [golangci-lint](https://github.com/golangci/golangci-lint) | [golangci-lint.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/golangci-lint.yml) | We are planning on adding [tfsec](https://github.com/aquasecurity/tfsec) to scan for configuration vulnerabilities in the Terraform code provided to deploy Fleet infrastructure in the cloud. Once we have full coverage from a static analysis point of view, we will evaluate dynamic analysis 
@@ -486,11 +486,11 @@ and fuzzing options. As described in *Code security and analysis*, we use Dependabot for security updates to libraries. Our [dependabot.yml](https://github.com/fleetdm/fleet/blob/main/.github/dependabot.yml) only mentions GitHub actions. Security updates to all other dependencies are performed by Dependabot automatically, even though we do not configure all package managers explicitly in the configuration file, as is specified in the repository configuration. As GitHub actions have no impact on the Fleet software itself, we are -simply more aggressive on updating actions even if the update does not resolve a vulnerability. +simply more aggressive in updating actions even if the update does not resolve a vulnerability. ### Actions configuration We configure GitHub Actions to have *Read repository contents permission* by default. This is -located in *organization/settings/actions*. As our code is open-source, we allow all GitHub actions +located in *organization/settings/actions*. As our code is open source, we allow all GitHub actions but limit their default privileges, so they do not create any additional risk. Additional permissions needed can be configured in the YAML file for each workflow.
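Review bot: In the @@ -392 hunk, dropping the hyphen in "code that is not open source" is correct for predicate use, but the same rule should be applied consistently: attributive uses elsewhere in the handbook ("open-source software") keep the hyphen, while predicate uses ("is open source") lose it. Worth a quick grep of handbook/security.md for remaining "open-source" before merging so the file does not end up mixing both forms.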
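Review bot: The @@ -408 hunk leaves two back-to-back sentences saying the same thing: "We enable *Require two-factor authentication* for everyone in the organization." followed by "Fleet requires two-factor authentication for everyone in the organization." Since the paragraph is being edited anyway, drop one of them. The same hunk also shows "Single Sign-On (SSO)" in the context line and "Single Sign-on (SSO)" in the changed line; pick one capitalization.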
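Review bot: In the @@ -436 hunk, the first column of the table quotes the GitHub organization setting labels verbatim (compare "Allow members to change repository visibilities for this organization"), so inserting "the" into "Allow members to see the comment author's profile name in private repositories" changes the label and makes it harder to match against the settings page; keep the label as GitHub spells it and restrict the grammar fix to the rationale column. In the Team Discussions paragraph the new wording "to avoid discussions located in too many places and not security-related" still reads as if the discussions are not security-related; suggest "to avoid discussions being spread across too many places; it is not a security-related setting."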
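Review bot: Minor style point in the @@ -455 hunk: every rationale in the branch protection table ends with a period or exclamation mark except the "Require review from Code Owners" row ("...allows for more flexibility"); add the terminal period while this table is being touched.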
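Review bot: The gosec row in the @@ -476 hunk is missing a space before the parenthesis and a terminal period: "linters(static analysis tools used to identify problems in code) used by ..." should read "linters (static analysis tools used to identify problems in code) used by [golangci-lint](...)." Since the row is being rewritten, "Scan golang code" could also become "Scan Go code", matching the language's name.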
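Review bot: In the @@ -486 hunk, "we allow all GitHub actions but limit their default privileges, so they do not create any additional risk" overstates what the read-only default achieves; the very next sentence says "Additional permissions needed can be configured in the YAML file for each workflow", so a workflow that grants write permissions or passes secrets to a third-party action does add risk. Suggest "which limits the additional risk a third-party action can introduce". The Dependabot paragraph in the same hunk would also benefit from a pass: "even though we do not configure all package managers explicitly in the configuration file, as is specified in the repository configuration" is hard to parse as written.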