Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Suggestion] Update security guidelines on contribute.cncf.io #1260

Open
linsun opened this issue May 29, 2024 · 6 comments
Open

[Suggestion] Update security guidelines on contribute.cncf.io #1260

linsun opened this issue May 29, 2024 · 6 comments
Labels
suggestion New suggestion for the CNCF sig-security group that don't fall into an existing category

Comments

@linsun
Copy link

linsun commented May 29, 2024

Could you update the security guidelines on contribute.cncf.io (https://github.com/cncf/tag-contributor-strategy/blob/main/website/content/maintainers/security/security-guidelines.md) to include configuration of repository settings which will require an approval from one of the repository owners/maintenance instead of starting a build for each created pull request?

Please refer to GitHub's details here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories

This should be recommended as best practices for projects. Let me know if you have any questions. cc @TheFoxAtWork and @tpepper

@linsun linsun added suggestion New suggestion for the CNCF sig-security group that don't fall into an existing category triage-required Requires triage labels May 29, 2024
@eddie-knight
Copy link
Collaborator

A question was raised on today's TAG call:

Is this intended to be TAG Security guidance, or is this a call for contributions from STAG members?

@TheFoxAtWork
Copy link
Contributor

The security guidelines on the contribute.CNCF.io site were contributed by TAG Security to provide projects with guidance on securing their project and repo, it was intended to pull together elements from the self assessment and best practices in a central location for project maintainers.

This request to update those guidelines is, in addition to refreshing them for current best practices, intended to reduce the probability of uninformed security researchers or malicious entities from successfully exfiltrating secrets from projects leveraging GitHub actions. How the TAG chooses to facilitate this update is up to you all!

We would like to ensure project maintainers are receiving the benefit of the STAG's expertise in securing their codebase.

@eddie-knight does this additional context answer the question?

@eddie-knight
Copy link
Collaborator

Thanks for the quick reply @TheFoxAtWork

Per @mnm678, we'll reach out to TAGCS and then document the relationship somewhere, so that the work is tracked and can be maintained over time.

@TheFoxAtWork
Copy link
Contributor

Of course! some additional context:
All the security content (templates and guidance) were contributed by TAG Security previously (I did the templates when I was an active member, and @ragashreeshekar i believe worked on the guidance). The guidance was a request from the TOC liaison at the time (also me) to ensure projects had a central location (contribute.cncf.io) to get all their resources, guides, and templates for starting and maintaining their project rather than searching through TAG repos for content of interest/relevance that may not be written in a manner that is easily actionable.

@eddie-knight
Copy link
Collaborator

eddie-knight commented Jun 5, 2024

We just spoke with TAGCS and concluded that we will:

  • Copy maintainer recommendations to an appropriate location in this repo
  • Update recommendations
  • Populate recommendations to our website (Website Content Review #1257)
  • Update the TAGCS website with a general overview and a link to the detailed recommendation on our website.

@TheFoxAtWork
Copy link
Contributor

Awesome thank you for the follow-up!

eddie-knight added a commit to eddie-knight/tag-security that referenced this issue Jun 26, 2024
Signed-off-by: Eddie Knight <knight@linux.com>
jkjell pushed a commit to eddie-knight/tag-security that referenced this issue Jun 26, 2024
Signed-off-by: Eddie Knight <knight@linux.com>
jkjell added a commit that referenced this issue Jun 26, 2024
@eddie-knight eddie-knight removed the triage-required Requires triage label Sep 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
suggestion New suggestion for the CNCF sig-security group that don't fall into an existing category
Projects
None yet
Development

No branches or pull requests

3 participants