Add more thorough content to guidelines for secure coding #51

Open
mattaereal opened this issue Aug 24, 2024 · 0 comments
Labels: good first collab (Come do your first collaboration!), modification (Update or content modification request)
mattaereal commented Aug 24, 2024

What content are you looking to modify or update?

Guidelines for secure coding

Why do you think this update or modification is needed?

Right now it is too scarce and needs improvement.

Can you justify your argument and provide additional resources?

Pull Request Approval Practices

  1. Require Approvals: Set up branch protection rules to require at least one approval from designated reviewers before merging a PR. This can be configured in the repository settings under the "Branches" tab. By selecting "Require approvals," you can specify the number of approvals needed, which enhances code quality and accountability.

  2. Code Owners: Utilize the CODEOWNERS file to designate specific team members as code owners for particular sections of the codebase. This ensures that the right individuals are notified and required to approve changes that affect their areas of responsibility.

  3. Prevent Self-Approval: To prevent contributors from approving their own PRs, enable settings such as "Require approval of the most recent reviewable push." This ensures that the last person to push changes cannot approve their own work, promoting unbiased reviews.

  4. Smaller PRs: Encourage the submission of smaller, more focused PRs (ideally under 50 lines of code). Smaller PRs are easier to review and less likely to overwhelm reviewers, leading to more thorough assessments and quicker approvals.

  5. Automated Checks: Implement automated checks and status checks that must pass before a PR can be merged. This includes running tests and ensuring that the code adheres to predefined quality standards. Automated checks can serve as an additional layer of security and quality assurance.

Security Best Practices

  1. Pinning Actions: When using GitHub Actions, pin actions to specific commit SHAs rather than version tags to avoid unintentional updates that could introduce vulnerabilities. This practice helps maintain consistent behavior in workflows and reduces security risks.

  2. Secret Management: Manage secrets carefully by using environment variables and avoiding exposure in logs. Regularly rotate secrets and implement least-privilege access controls to minimize the risk of unauthorized access.

  3. Review Third-Party Actions: Before incorporating third-party GitHub Actions, conduct thorough reviews to ensure they do not introduce security vulnerabilities. Consider forking risky actions for better control and maintenance.

@mattaereal mattaereal added good first collab Come do your first collaboration! modification Update or content modification request labels Aug 24, 2024
@mattaereal mattaereal added this to the Public visibility for repo milestone Aug 24, 2024