From 8a01a8d9518bf03fc85baf2ba85923fb14583058 Mon Sep 17 00:00:00 2001 From: Joyce Date: Fri, 19 May 2023 18:34:38 -0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=96=20Update=20checks.md=20to=20show?= =?UTF-8?q?=20the=20benefit=20of=20>=3D2=20reviewers=20(#3013)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce * feat: generate checks.md Signed-off-by: Joyce Brum --------- Signed-off-by: Joyce Signed-off-by: Joyce Brum Signed-off-by: Avishay --- docs/checks.md | 11 ++++++++--- docs/checks/internal/checks.yaml | 7 ++++++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/docs/checks.md b/docs/checks.md index 9e569b9ec6a..339e26e8d88 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -73,11 +73,16 @@ result to meet most user needs. Different types of branch protection protect against different risks: - - Require code review: requires at least one reviewer, which greatly + - Require code review: + - requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted. + - requiring two or more reviewers protects even more from the insider risk + whereby a compromised contributor can be used by an attacker to LGTM + the attacker PR and inject a malicious code as if it was legitm. + - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice. 
@@ -182,8 +187,8 @@ However, note that in those overlapping cases, Scorecard can only report what it Risk: `High` (unintentional vulnerabilities or possible injection of malicious code) -This check determines whether the project requires human code review before pull -requests (merge requests) are merged. +This check determines whether the project requires human code review +before pull requests (merge requests) are merged. Reviews detect various unintentional problems, including vulnerabilities that can be fixed immediately before they are merged, which improves the quality of diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 65fdac3de74..e5db1e2dc10 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -162,11 +162,16 @@ checks: Different types of branch protection protect against different risks: - - Require code review: requires at least one reviewer, which greatly + - Require code review: + - requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted. + - requiring two or more reviewers protects even more from the insider risk + whereby a compromised contributor can be used by an attacker to LGTM + the attacker PR and inject a malicious code as if it was legitm. + - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice.
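Review bot: in the first hunk (docs/checks.md, @@ -73), the new sub-bullet has typos and an unclear mechanism: "legitm" should be "legitimate", "inject a malicious code" should be "inject malicious code", and "the attacker PR" should be "the attacker's PR". It would also help to say why two reviewers matter: with a single required approval, one compromised contributor account is enough to approve a malicious pull request, whereas requiring two or more approvals means an attacker must control that many independent reviewer accounts before the change can be merged. Suggested wording for the three added lines: "- requiring two or more reviewers further reduces the insider risk: an attacker who controls a single compromised contributor account can use it to approve (LGTM) their own pull request and merge malicious code as if it were legitimate, so each additional required reviewer is another independent account the attacker would have to compromise."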
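Review bot: the second hunk (docs/checks.md, @@ -182) only rewraps one sentence with no wording change. Since the commit message says checks.md is generated from checks.yaml, confirm that this rewrap is what the generator emits rather than a hand edit, otherwise the generated file will drift from the YAML source on the next regeneration.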
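Review bot: the third hunk (docs/checks/internal/checks.yaml, @@ -162) carries the same typos as the checks.md hunk ("legitm", "inject a malicious code", "the attacker PR"), and because checks.md is generated from this file, the YAML is the place to fix them, then regenerate the markdown so both files stay identical. Also check that the indentation of the new nested bullets under "- Require code review:" stays consistent within the YAML block scalar, so the generated markdown renders them as sub-items rather than as a continuation of the parent line.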