Handbook editor pass - Security - GitHub security (#6480)

This has been edited for copy.
Desmi-Dizney 2022-07-05 12:07:57 -05:00 committed by GitHub
parent 996601b0a6
commit 88a98df023
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -410,11 +410,11 @@ security keys to generate a temporary code for the device that does not.
mobile, you'd need the keys to set up the app only.
## GitHub security
Since Fleet makes open source software, we need to host and collaborate on code. We do this using GitHub.
Since Fleet makes open source software; we need to host and collaborate on code. We do this using GitHub.
This section covers our GitHub configuration. Like everything we do, we aim for the right level of security and productivity.
Because our code is open source, we are much more concerned about the integrity of the code than its confidentiality.
Because our code is open source, we are much more concerned about its integrity than its confidentiality.
This is why our configuration aims to protect what is in the code, but we spend no
effort preventing "leaks" since almost everything is public anyway.
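Review bot: the semicolon introduced in the rewritten first sentence is a grammatical regression: `Since Fleet makes open source software; we need to host and collaborate on code.` splices a dependent clause onto the main clause, which takes a comma, not a semicolon. Keep the original `Since Fleet makes open source software, we need to host and collaborate on code.` and apply only the later wording change in this hunk.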
@ -453,16 +453,16 @@ charges a [4x premium](https://sso.tax/) for this feature.
| Base permissions | Write | Admin is too powerful, as it allows reconfiguring the repositories themselves. Selecting *Write* provides the perfect balance! |
| Repository creation | None | We want to limit repository creation and eventually automate it with the [GitHub Terraform provider](https://github.com/integrations/terraform-provider-github). |
| Repository forking | ✅ | By default, we allow repository forking. |
| Pages creation | None | We do not use GitHub pages, so we disable them to ensure people use our actual website or handbook, which are also in GitHub. |
| Pages creation | None | We do not use GitHub pages, so we disable them to make certain people use our actual website or handbook, which are also in GitHub. |
#### Admin repository permissions
| Admin privileges feature | Member privileges feature | Note |
| -------------------------------------------------------------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Allow members to change repository visibilities for this organization | 🚫 | Most of our repos are public, but for the few that are private we want to require org admin privileges to make them public |
| Allow members to change repository visibilities for this organization | 🚫 | Most of our repos are public, but for the few that are private, we want to require org admin privileges to make them public |
| Allow members to delete or transfer repositories for this organization | 🚫 | We want to require org admin privileges to be able to delete or transfer any repository. |
| Allow repository administrators to delete issues for this organization | 🚫 | We want to require org admin privileges to be able to delete issues, which is something that is very rarely needed but could be, for example, if we received GitHub issue spam. |
| Allow members to see the comment author's profile name in private repositories | 🚫 | We barely use private repositories and have no need for this. |
| Allow members to see the comment author's profile name in private repositories | 🚫 | We barely use private repositories and do not need this. |
| Allow users with read access to create discussions | 🚫 | We do not currently use discussions and want people to use issues as much as possible. |
| Allow members to create teams | 🚫 | We automate the management of GitHub teams with the [GitHub Terraform provider](https://github.com/integrations/terraform-provider-github). |
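Review bot: `to make certain people use our actual website` in the Pages creation row is ambiguous; it reads as "certain people" (a subset) rather than "make sure". `to ensure people use` (the original wording) or `to make sure people use` is unambiguous. It would also help to say in the Base permissions row that `Write` for every member is only acceptable because the branch protection rules later in this file require a reviewed pull request before anything reaches main; on its own, Write lets any member push to any branch that is not protected.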
@ -481,7 +481,7 @@ Located in the Branches section of repository settings, we create a rule for **m
| ---------------------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------- |
| Require a pull request before merging | ✅ | We enforce code reviews, which require PRs. |
| Require approvals | 1⃣ | We require approval from one person in the team. |
| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and then change everything about it! |
| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and change everything about it! |
| Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility |
| Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. |
| Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. |
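Review bot: the Code Owners row lacks the terminating period that every other Note cell has (`allows for more flexibility` should end with `.`). Separately, the rationale for leaving `Restrict who can dismiss pull request reviews` off should state the trade-off: with the restriction off, anyone with write access can dismiss a `Request changes` review, so the single required approval is the only review state the rule actually enforces. The timezone argument is fine, but the reader should see what is being given up.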
@ -491,7 +491,7 @@ Located in the Branches section of repository settings, we create a rule for **m
| Require linear history | 🚫 | We do not currently use or enforce practices to generate a linear history. |
| Include administrators | ✅ | We want these rules to apply to *everyone*. |
| Restrict who can push to matching branches | 🚫 | Anyone in our organization should be able to merge PRs that get reviewed, and nobody should be able to push directly. |
| Allow force pushes | 🚫 | We do not have a need this, so we do not allow it. |
| Allow force pushes | 🚫 | We do not need this, so we do not allow it. |
| Allow deletions | 🚫 | We do not want ANYONE to be able to delete the *main* branch. |
### Scanning tools
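Review bot: the Note for `Restrict who can push to matching branches` says `nobody should be able to push directly`, but leaving this setting off is not what prevents that; direct pushes to main are blocked by the `Require a pull request before merging` row earlier in the table. Suggest: `Anyone in our organization with write access should be able to merge reviewed PRs; direct pushes are already blocked by the pull request requirement.`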
@ -511,13 +511,13 @@ and fuzzing options.
#### Dependabot
As described in *Code security and analysis*, we use Dependabot for security updates to libraries.
Our [dependabot.yml](https://github.com/fleetdm/fleet/blob/main/.github/dependabot.yml) only
mentions GitHub actions. Security updates to all other dependencies are performed by Dependabot automatically, even though we do not configure all package managers explicitly in the configuration file, as is specified in the repository configuration. As GitHub actions have no impact on the Fleet software itself, we are
mentions GitHub actions. Security updates to all other dependencies are performed by Dependabot automatically, even though we do not configure all package managers explicitly in the configuration file, as specified in the repository configuration. As GitHub actions have no impact on the Fleet software itself, we are
simply more aggressive in updating actions even if the update does not resolve a vulnerability.
### Actions configuration
We configure GitHub Actions to have *Read repository contents permission* by default. This is
located in *organization/settings/actions*. As our code is open source, we allow all GitHub actions
but limit their default privileges, so they do not create any additional risk. Additional permissions
but limit their default privileges so they do not create any additional risk. Additional permissions
needed can be configured in the YAML file for each workflow.
We pin actions to specific versions using a complete hash.
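Review bot: the edited Dependabot sentence is still hard to parse: `as specified in the repository configuration` has no clear referent, since the sentence has just said the dependabot.yml covers only GitHub actions. It presumably means the repository's *Code security and analysis* setting that enables Dependabot security updates; say so, e.g. `Security updates for all other dependencies are enabled through the repository's Code security and analysis settings, so they do not need entries in dependabot.yml.` The claim that GitHub actions `have no impact on the Fleet software itself` is also stronger than this hunk supports: the following paragraph pins actions to full commit hashes and limits their default permissions precisely because an action runs inside CI with access to the repository. A narrower statement such as `are not part of the shipped Fleet software` would be accurate.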
@ -526,7 +526,7 @@ We pin actions to specific versions using a complete hash.
We manage our GitHub configuration, creation of repositories, and team memberships manually. In the
future, we will consider automating most of it using the [Terraform
provider](https://github.com/integrations/terraform-provider-github) for GitHub. Our strategy for
this will be similar to what is described in [this blog post](https://oops.computer/posts/github_automation/).
this will be similar to what [this blog post](https://oops.computer/posts/github_automation/) describes.
## Google Workspace security
Google Workspace is our collaboration tool and the source of truth for our user identities.
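Review bot: this paragraph says GitHub team memberships are managed manually and Terraform automation is only being considered, but the Admin repository permissions table earlier in this file (the `Allow members to create teams` row) states `We automate the management of GitHub teams with the GitHub Terraform provider`. One of the two statements is out of date; the copy edit should reconcile them rather than leave the contradiction in place.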