
Create SLSA GitHub Security Procedures

Open melba-lopez opened this issue 3 years ago • 2 comments

As a subgroup of OpenSSF, we must think about security first and foremost. I am recommending creating a standard for all of SLSA's repositories, builds, and scanning. I know we won't get here overnight, but it would be good to get started on some low-hanging fruit! @slsa-framework @slsa-steering-committee

Proposal:

  • All Repositories must include open source Source Composition Analysis tools to assess vulnerabilities
  • All Repositories must include open source Static Application Security Testing to assess vulnerabilities.
  • All Repositories must include open source Dynamic Application Security Testing to assess vulnerabilities.
  • All Repositories must enable Branch Protections
  • All Repositories must enumerate direct/transitive dependencies via SBOM
  • All Repositories must enable Dependabot
  • All Repositories should assess themselves (periodically) against OpenSSF Scorecard and remediate any findings to ensure high scoring
  • All Repositories should obtain an OpenSSF Best Practices Badge (@david-a-wheeler as you are a main contributor to the documentation, this should be pretty easy for you to do ;) )
  • All Repositories should enable the OpenSSF AllStar project for continuous compliance against security best practices
  • All code promotions must require 2+ reviewers (no forced changes)
  • SLSA Organization must set up Security Policies with contact information for responsible vulnerability disclosure
  • SLSA Organization should identify remediation times based on severity of vulnerabilities

Several of our working group members are part of these OpenSSF projects and can help guide/lead implementation if there are issues. Important part is to get started where we can.

melba-lopez, Jul 14 '22 20:07

Allstar can be configured to enforce branch protection with 2+ reviews, and also the security policy check.

For anything that can be programmatically detected, we would like to add to Allstar as a policy. Especially the first three, if there is an expected config file/workflow that we can look for, we can check that it is there and alert if not.

Dependabot can be set up at the org level like so: https://docs.github.com/en/code-security/getting-started/securing-your-organization#managing-dependabot-security-updates

jeffmendoza, Jul 15 '22 20:07
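As an added illustration of the org-level Allstar setup described in the comment above (this is example configuration written for this page, not files from the SLSA organization or the Allstar project), the three files below would live in a repository named `.allstar` inside the GitHub organization. Field names follow Allstar's documented policy configuration as I recall it; `example-org` is a placeholder and the exact keys should be checked against the Allstar README before use.

```yaml
# File: .allstar/allstar.yaml  (org-wide defaults; placeholder org "example-org")
# optOutStrategy: true means every repo in the org is covered unless it explicitly opts out.
optConfig:
  optOutStrategy: true

---
# File: .allstar/branch_protection.yaml
# Enforces the "2+ reviewers, no forced changes" bullet from the proposal on the
# default branch of every covered repository. A violation opens a GitHub issue
# in the offending repo (action: issue) rather than silently logging.
optConfig:
  optOutStrategy: true
action: issue
enforceDefault: true      # apply to each repo's default branch
requireApproval: true     # pull requests must have reviews before merge
approvalCount: 2          # at least two approving reviews
dismissStale: true        # new commits invalidate earlier approvals
blockForce: true          # disallow force-pushes to the protected branch

---
# File: .allstar/security.yaml
# Checks that each repository publishes a security policy (SECURITY.md),
# which covers the "contact information for responsible disclosure" bullet.
optConfig:
  optOutStrategy: true
action: issue
```

With `optOutStrategy: true` at the org level, a repository that genuinely needs an exception has to state it in its own `.allstar/allstar.yaml`, which keeps the exception visible in version control instead of being an unrecorded gap in coverage.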

@jeffmendoza thanks for this!! I lost track of this issue (and now it is on my radar again) :)

melba-lopez, Aug 29 '22 14:08