ci: [2024-Q3] CI/CD Audit Story #872

Closed
48 of 57 tasks
rbarkerSL opened this issue Jul 19, 2024 · 3 comments · Fixed by #1002

rbarkerSL commented Jul 19, 2024

CI/CD Repository Audit

Description:
Perform a repository audit

Administrative Audit Criteria

Actions State

If actions have not been run in the previous 6 months they should be disabled:

  • Actions are/have been disabled

If actions have run in the last 6 months then actions shall remain enabled:

  • Actions are enabled

Settings Window

General Tab

  • Require contributors to sign off on web-based commits

Features Section:

  • Disable Wiki
    • If it is in use, leave Wiki enabled. If not in use, remove functionality (uncheck Wiki option). Should be disabled whenever possible.
  • Enable Issues
  • Enable Preserve this Repository
  • Enable Discussions
  • Enable Projects

Pull Requests Section:

  • Enable Allow Squash Merging
  • Enable Always suggest updating pull request branches
  • Enable Automatically delete head branches

Pushes Section:

  • Pushes: Limit how many branches and tags can be updated in a single push (Default # is 5)

Collaborators and Teams Tab

  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from the contributors list

Branches Tab

  • Individual branch protections are turned off

Tags Tab

  • Individual tag protections are turned off

Rules/Rulesets Tab

  • The repository uses the current rulesets

Actions Tab

If actions are enabled:

  • Dependabot is enabled on the repository
  • Codecov is enabled on the repository

Webhooks Tab

  • All webhooks present are needed and in use
  • Snyk is enabled on the repo (check to see if the webhook exists and is in use)

Secrets and Variables Tab

  • GitHub secrets are employed to store sensitive data
  • Tokens are stored securely as GitHub Secrets

App Integrations

  • Dependabot is configured to monitor all relevant ecosystems
    • npm
    • electron
    • github actions
    • etc.
  • Code Coverage Reporting - Configure Codecov on the repository
  • CodeQL is enabled on the repository

Security Checks in Repo

  • Secrets Management
    • No hardcoded secrets in the workflow files or code
    • Secrets are referenced in CI via config files or environment variables
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • Integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unauthorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
  • npx playwright install-deps is used to install OS dependencies instead of aptitude

Code Formatting

  • Node.js projects use ESLint/Prettier formatting
  • Java projects use Checkstyle/Spotless formatting

Non-Administrative Audit Criteria

Dependabot

  • dependabot.yml is up to date

Workflow checks

  • Appropriate permissions are set within the GitHub workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The StepSecurity Harden-Runner action is enabled on each workflow job
  • Ensure no hard-coded keys in workflows
    • Alert the devops-ci administrative team if new GitHub secrets are needed to resolve hard-coded keys

Self Hosted Runners

  • The repository uses the latitude runner group label in the runs-on stanza

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

  • Require contributors to sign off on web-based commits
  • Features: Issues
  • Features: Preserve this Repository
  • Features: Discussions
  • Features: Projects
  • Pull Requests: Allow Squash Merging
  • Pull Requests: Always suggest updating pull request branches
  • Pull Requests: Automatically delete head branches
  • Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

  • All Audit Criteria have been met
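The workflow checks listed above (appropriate permissions, named steps, actions pinned to commits, Harden-Runner as the first step of each job, no hard-coded keys, the expected runner label) can be verified mechanically rather than by eye. The script below is an added example and is not code from this issue or from the repository's own tooling: a dependency-free Python audit that reads a workflow file line by line, collects the keys of every step, and returns a list of findings. The two sample workflows are constructed for illustration, the 40-hex SHAs in the hardened sample are placeholders (pin to the real commit of the release you vetted), the credential regexes are illustrative assumptions rather than a complete secret scanner, and the runner label `latitude` is passed in as an assumption taken from the self-hosted runner item.

```python
"""Line-oriented audit of GitHub Actions workflows against the checklist above (added example, not the project's own tooling)."""
import re
from typing import List, Optional
# A `uses:` reference counts as pinned only when it ends in a full 40-hex commit SHA.
PINNED = re.compile(r"^[\w.-]+/[\w.-]+(?:/[^@\s]+)?@[0-9a-f]{40}$")
KEY = re.compile(r"^\s*(?:-\s+)?([A-Za-z_-]+):\s*(.*)$")
STEP_ITEM = re.compile(r"^(\s*)-\s")
HARDEN_RUNNER = "step-security/harden-runner"
# Illustrative credential shapes (assumed, not exhaustive): GitHub PAT and AWS access key id.
SECRET = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b|\bAKIA[0-9A-Z]{16}\b")

def parse_steps(text: str):
    """Return [(job, [step, ...]), ...] for every steps: block; a step is {key: value}."""
    jobs, job, cur, step, steps_indent, item_indent = [], "?", None, None, 0, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        is_item = STEP_ITEM.match(line)
        if cur is not None and (indent < steps_indent or (indent == steps_indent and not is_item)):
            if step is not None:  # dedented out of the steps: block
                cur.append(step)
            jobs.append((job, cur))
            cur, step, item_indent = None, None, None
        if indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]  # the last indent-2 key before steps: is the job name
        if cur is None:
            if stripped == "steps:":
                cur, steps_indent = [], indent
            continue
        if is_item and (item_indent is None or len(is_item.group(1)) == item_indent):
            item_indent = len(is_item.group(1))
            if step is not None:
                cur.append(step)
            step = {}
        # Only keys at the step's own indent count; keys nested under e.g. `with:` are skipped.
        if step is not None and len(line) - len(line.lstrip(" -")) == item_indent + 2:
            k = KEY.match(line)
            if k:
                step.setdefault(k.group(1), k.group(2).split(" #")[0].strip().strip("'\""))
    if cur is not None:
        if step is not None:
            cur.append(step)
        jobs.append((job, cur))
    return jobs

def audit_workflow(text: str, runner_label: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means every workflow check above passed."""
    findings: List[str] = []
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions: block, so GITHUB_TOKEN keeps its default scope")
    if SECRET.search(text):
        findings.append("possible hard-coded credential in workflow text; move it to a GitHub secret")
    if runner_label:
        for m in re.finditer(r"^\s*runs-on:\s*(.+)$", text, re.M):
            if runner_label not in m.group(1):
                findings.append(f"runs-on {m.group(1).strip()} lacks runner label {runner_label!r}")
    for job, steps in parse_steps(text):
        if not steps or not steps[0].get("uses", "").startswith(HARDEN_RUNNER + "@"):
            findings.append(f"job {job}: first step is not {HARDEN_RUNNER}")
        for n, step in enumerate(steps, 1):
            if "name" not in step:
                findings.append(f"job {job}: step {n} has no name")
            ref = step.get("uses", "")  # local ./path and docker:// refs have no upstream commit to pin
            if ref and not ref.startswith(("./", "docker://")) and not PINNED.match(ref):
                findings.append(f"job {job}: step {n} uses {ref!r}, not pinned to a full commit SHA")
    return findings

# Constructed samples; the 40-hex SHAs are placeholders, not real release commits.
HARDENED = """\
on: [pull_request]
permissions: { contents: read }
jobs:
  test:
    runs-on: [self-hosted, latitude]
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
"""
WEAK = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: curl -H "Authorization: token ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" https://example.invalid
"""
if __name__ == "__main__":
    print(audit_workflow(HARDENED, "latitude"), audit_workflow(WEAK, "latitude"), sep="\n")
```

Run it over each file in .github/workflows/ and treat a non-empty list as a failed audit item. The parser deliberately ignores keys nested under `with:` so that an input named `name` is not mistaken for a step name, and a tag such as `@v4` is reported as unpinned because a tag can be moved to a different commit after review while a full SHA cannot.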
@mishomihov00 mishomihov00 self-assigned this Oct 30, 2024
@mishomihov00 mishomihov00 linked a pull request Oct 30, 2024 that will close this issue
@mishomihov00

Non-administrative checks are done. @andrewb1269hg assigning over to you.

@andrewb1269hg

Removed AlfredoG87, david-bakin-sl, ebadiere, quiet-node from the contributor list as they're included in the hedera-smart-contracts team.

Removed georgi-l95, Ivo-Yankov, konstantinabl, MiroslavGatsanoga, natanasow from the contributor list as they're included in the limechain-hedera team.

@andrewb1269hg

Administrative items are cleaned up and complete.

Over to @mishomihov00 to close out PR #998 then close out this issue.

@mishomihov00 mishomihov00 linked a pull request Nov 1, 2024 that will close this issue