📖 Update checks.md to show the benefit of >=2 reviewers (ossf#3013)
* Update checks.yaml instead of checks.md

Signed-off-by: Joyce <[email protected]>

* feat: generate checks.md

Signed-off-by: Joyce Brum <[email protected]>

---------

Signed-off-by: Joyce <[email protected]>
Signed-off-by: Joyce Brum <[email protected]>
Signed-off-by: Avishay <[email protected]>
joycebrum authored and balteravishay committed May 29, 2023
1 parent 2d76297 commit d947126
Showing 2 changed files with 14 additions and 4 deletions.
11 changes: 8 additions & 3 deletions docs/checks.md
Expand Up @@ -73,11 +73,16 @@ result to meet most user needs.

Different types of branch protection protect against different risks:

- Require code review: requires at least one reviewer, which greatly
- Require code review:
- requires at least one reviewer, which greatly
reduces the risk that a compromised contributor can inject malicious code.
Review also increases the likelihood that an unintentional vulnerability in
a contribution will be detected and fixed before the change is accepted.

- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.

- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
rewriting of public history without external notice.
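Review bot: the new sub-bullet carries spelling and grammar errors that will ship into the rendered docs: "legitm" should be "legitimate", "inject a malicious code" should be "inject malicious code", and "the attacker PR" should be "the attacker's PR". Suggested wording: "requiring two or more reviewers further reduces the insider risk that a single compromised contributor account is used to approve the attacker's PR, letting malicious code land as if it were legitimate." Since the commit message says this file is now generated from checks.yaml, make the fix in the YAML source and regenerate rather than hand-editing here.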
Expand Down Expand Up @@ -182,8 +187,8 @@ However, note that in those overlapping cases, Scorecard can only report what it
Risk: `High` (unintentional vulnerabilities or possible injection of malicious
code)

This check determines whether the project requires human code review before pull
requests (merge requests) are merged.
This check determines whether the project requires human code review
before pull requests (merge requests) are merged.

Reviews detect various unintentional problems, including vulnerabilities that
can be fixed immediately before they are merged, which improves the quality of
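Review bot: this hunk only rewraps an unchanged sentence at a different line width and carries no content change; it is presumably output of the generator named in the commit message. Harmless on its own, but if the generator's wrap width differs from what the hand-edited file used, every future regeneration will produce the same kind of noise, so consider settling the wrap width once so later diffs show only real changes.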
7 changes: 6 additions & 1 deletion docs/checks/internal/checks.yaml
Expand Up @@ -162,11 +162,16 @@ checks:
Different types of branch protection protect against different risks:
- Require code review: requires at least one reviewer, which greatly
- Require code review:
- requires at least one reviewer, which greatly
reduces the risk that a compromised contributor can inject malicious code.
Review also increases the likelihood that an unintentional vulnerability in
a contribution will be detected and fixed before the change is accepted.
- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.
- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
rewriting of public history without external notice.
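Review bot: the same typos as in the generated checks.md appear here, and this YAML is the source of truth, so fix them in this hunk: "legitm" to "legitimate", "inject a malicious code" to "inject malicious code", and "the attacker PR" to "the attacker's PR", then regenerate checks.md. Also, the new "- requires at least one reviewer" and "- requiring two or more reviewers" items are meant as sub-bullets of "- Require code review:", and the rendered diff does not show their indentation; please confirm in the regenerated checks.md that markdown renders them nested under that item rather than as two additional top-level bullets.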