Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: [2024-Q3] CI/CD Audit Story #1007

Closed
17 of 53 tasks
rbarker-dev opened this issue Jul 19, 2024 · 4 comments · Fixed by #1123
Closed
17 of 53 tasks

ci: [2024-Q3] CI/CD Audit Story #1007

rbarker-dev opened this issue Jul 19, 2024 · 4 comments · Fixed by #1123
Assignees
@andrewb1269hg @mishomihov00
Labels
Audit

Comments

@rbarker-dev
Copy link
Member

rbarker-dev commented Jul 19, 2024
edited by mishomihov00
Loading

Contents

Administrative Audit Criteria

Check Actions State

  • Actions are enabled
  • Actions are disabled

Check if Actions should be disabled

If actions have not been run in the previous 6 months they should be disabled:

  • Actions have run in the last 6 months and shall remain enabled
  • Actions have been disabled on the inactive repository

Repository Settings Checks

  • Repository settings are configured per organization standard
  • Individual branch protections are turned off
  • Individual tag protections are turned off
  • The repository uses the current rulesets
  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from contributors list
  • All webhooks present are needed and in use

App Integrations

If actions are enabled:

  • Dependabot is enabled on the repository
  • Codecov is enabled on the repository

Security Checks

  • Snyk is enabled on the repository
  • Dependabot is configured to monitor all relevant ecosystems
    • npm
    • electron
    • github actions
    • etc.
  • Secrets Management
    • No hardcoded secrets in the workflow files or code
    • GitHub secrets are employed to store sensitive data
    • Secrets are referenced in CI via config files or environment variables
  • Tokens are stored securely as GitHub Secrets
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unathorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
  • Code Coverage Reporting - Configure codecov on the repository
  • CodeQL is enabled on the repository
  • npx playwright install deps is used to install OS dependencies instead of aptitude
  • Code Formatting
    • ESLint rules are applied to the codebase
    • Prettier Formatting rules are applied to the codebase

Custom Properties

  • Custom properties: last-ci-review-by-team is set
  • Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Non-Administrative Audit Criteria

Dependabot

  • dependabot.yml is up to date

Workflow checks

  • Appropriate permissions are set within the github workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The Step-Security Hardened Security action is enabled on each workflow job
  • Ensure no hard-coded keys in workflows
    • Alert devops-ci administrative team if new github secrets are needed to resolve hard-coded keys

Self Hosted Runners

  • The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

  • Require contributors to sign off on web-based commits
  • Features: Issues
  • Features: Preserve this Repository
  • Features: Discussions
  • Features: Projects
  • Pull Requests: Allow Squash Merging
  • Pull Requests: Always suggest updating pull request branches
  • Pull Requests: Automatically delete head branches
  • Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

  • All Audit Criteria have been met
@mishomihov00 mishomihov00 self-assigned this Oct 30, 2024
@mishomihov00
Copy link
Contributor

@rbarkerSL @andrewb1269hg In the build.yml and main.yml workflows there are multiple places with a hard-coded key.

@mishomihov00 mishomihov00 linked a pull request Oct 30, 2024 that will close this issue
ci: Update per Q3 audit findings #1123
Merged
2 tasks
@mishomihov00 mishomihov00 mentioned this issue Oct 30, 2024
Merged
2 tasks
@mishomihov00
Copy link
Contributor

The non-administrative checks are done. @andrewb1269hg assigning over to you.

@mishomihov00 mishomihov00 reopened this Nov 7, 2024
@rbarker-dev
Copy link
Member Author

@rbarkerSL @andrewb1269hg In the build.yml and main.yml workflows there are multiple places with a hard-coded key.

We will need to add the keys as secrets and then open up a freshdesk ticket for regenerating the keys with the appropriate repository owners.

@andrewb1269hg
Copy link
Contributor

Closing as won't do since this has moved to the hiero-ledger project.

@andrewb1269hg andrewb1269hg closed this as not planned Won't fix, can't repro, duplicate, stale Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andrewb1269hg andrewb1269hg

@mishomihov00 mishomihov00

Labels
Audit
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ci: Update per Q3 audit findings hiero-ledger/hiero-sdk-go
3 participants
@rbarker-dev @andrewb1269hg @mishomihov00