Publish the eng-pipes repo #112

Closed
26 tasks done
Tracked by #64
chadwhitacre opened this issue Mar 7, 2023 · 4 comments

chadwhitacre commented Mar 7, 2023

The eng-pipes repo is one of two that OSPO engineers spend the most time in (the other is self-hosted). It's private only by historical accident; it really should be public. I want this especially because it will make hiring easier: we can link people to the repo, and the best candidates can engage with us there as part of their application.

Security Review

  • Repo has a suitable license.
  • Dependabot is configured, if applicable.
    • Review current dependabot alerts and resolve all critical or high severity findings.
  • Code scanning (CodeQL) is enabled, if applicable.
    • CodeQL is typically not available (for free) to private repos, so enabling this may not be possible until the repo is public. Be prepared to submit a PR as soon as the repo is made public.
  • Secret scanning is enabled. (requires public repo or GHAS on private repos)
  • Review for any leaked secrets.
    • Run gitleaks and ensure there are no detected secrets.
    • Review any screenshots for potential captures of API tokens, session cookies, etc.
    • git log -p if the repo is small and manually scan for anything sensitive.
  • Review repo settings and environment variables.
    • Do all secrets exist under “Secrets”?
  • Review any GitHub Actions.
    • Ensure there is no accidental printing of a secret value.
    • Ensure there is no basic encoding of a secret value that is printed (e.g. base64).
  • Review configured webhooks.
    • Are all URLs expected destinations?
    • Are they documented somewhere, either in Notion or the repo, and their purpose understood?
    • Do they use sufficiently strong secrets for signing?
  • Does the main branch have a protection rule in place requiring an approved PR to merge?
  • Review collaborators on the repo.
    • Are access levels properly scoped (e.g. least privilege)?
    • Are all collaborators Sentry employees?
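Three of the checklist items above are mechanical enough to script: Actions steps that print or encode a secret, the `git log -p` sweep for leaked credentials, and the strength of webhook signing secrets. The block below is an added example for this page, not code from the eng-pipes repo or from the issue. The credential formats it recognises, the 128-bit entropy floor, and the sample workflow and history text (`WORKFLOW`, `HISTORY`) are assumptions constructed for illustration; gitleaks remains the real scanner, this only shows the logic behind the checks.

```python
"""Pre-publication checks for three items of the checklist above: Actions steps
that print or encode a secret, credential formats in ``git log -p`` output, and
webhook signing-secret strength.  Added example; patterns, the 128-bit floor and
the sample inputs are assumptions, not eng-pipes code."""
import math
import re

# -- GitHub Actions: secrets that reach the job log ---------------------------
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_]\w*)\s*\}\}")
# `NAME: ${{ secrets.X }}` (under env: or with:) binds NAME, so `$NAME` means X.
ENV_BINDING = re.compile(r"^\s*([A-Za-z_]\w*):\s*" + SECRET_EXPR.pattern + r"\s*$")
PRINTS = re.compile(r"\b(?:echo|printf)\b")
ENCODES = re.compile(r"\b(?:base64|xxd|hexdump|od|rev)\b")

def scan_workflow(yaml_text):
    """Return (line_no, secret_name, reason) for lines that expose a secret.
    GitHub masks a secret only where it appears verbatim in the log, so an
    encoded copy (base64, hex, reversed) prints in clear; flag encoding too."""
    bound, findings = {}, []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        m = ENV_BINDING.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        used = set(SECRET_EXPR.findall(line))
        for var, secret in bound.items():
            if re.search(r"\$\{%s\}|\$%s(?![A-Za-z0-9_])" % (var, var), line):
                used.add(secret)
        printed, encoded = PRINTS.search(line), ENCODES.search(line)
        if not used or not (printed or encoded):
            continue
        if printed and encoded:
            reason = "printed after encoding; log masking will not apply"
        else:
            reason = "printed to the job log" if printed else "encoded; may escape masking"
        findings.extend((no, s, reason) for s in sorted(used))
    return findings

# -- git history: well-known credential formats -------------------------------
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_history(log_p_text):
    """Scan `git log -p` output; return (commit, file, kind, preview) per hit.
    Only added lines are checked: a secret deleted later was still added once,
    and that commit stays reachable after the repo goes public."""
    commit, path, hits = None, None, []
    for line in log_p_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, pat in TOKEN_PATTERNS.items():
                m = pat.search(line)
                if m:  # keep only a prefix so the report itself is not a leak
                    hits.append((commit, path, kind, m.group(0)[:8] + "..."))
    return hits

# -- webhooks: is the signing secret strong enough? ---------------------------
def secret_entropy_bits(secret):
    """Upper bound: length * log2(alphabet inferred from the classes used)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(size for pat, size in classes if re.search(pat, secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0

def webhook_secret_is_strong(secret, min_bits=128):
    """128 bits is an assumed floor for an HMAC-SHA256 webhook key.  The bound
    ignores predictability, so generate secrets (secrets.token_hex(32))."""
    return secret_entropy_bits(secret) >= min_bits

# -- constructed sample inputs (not from the eng-pipes repo) ------------------
WORKFLOW = """\
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
jobs:
  deploy:
    steps:
      - run: echo "token=${{ secrets.API_TOKEN }}"
      - run: echo "$DEPLOY_TOKEN" | base64
      - run: curl -H "Authorization: Bearer $DEPLOY_TOKEN" https://example.invalid
"""
HISTORY = """\
commit 0123abcd
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+token = os.environ["GH_TOKEN"]
"""
```

On the constructed inputs, `scan_workflow` flags the `echo` of `API_TOKEN` and the base64-encoded `DEPLOY_TOKEN` but not the `curl` step that merely uses the token, and `scan_history` reports the AWS key added in commit `0123abcd`. Against a real repo, feed it each file under `.github/workflows/` and the output of `git log -p` (for example via `subprocess.check_output(["git", "log", "-p"], text=True)`); an empty result from both, plus webhook secrets that pass the strength check, is what the checklist asks for, though gitleaks and GitHub secret scanning cover far more credential formats than the four assumed here.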
BYK commented Mar 7, 2023

UNLEASH THE KRAKEN! 🎉 🐙

This was referenced Mar 7, 2023
chadwhitacre self-assigned this Mar 15, 2023

@chadwhitacre (author)
Security review submitted for Security review. ;)🤞

mdtro commented Mar 17, 2023

Security review. ✅

@chadwhitacre (author)
Done! Announced internally and externally.
