
Security tasks needed before moving the repo to public #165

Closed
18 tasks done
mdtro opened this issue Feb 22, 2023 · 4 comments
Comments

@mdtro
Member

mdtro commented Feb 22, 2023

Security was requested to review this repo in order to eventually move it to public. 🙂 We should be able to complete most of the below with our level of access, but it might be necessary to grant the GitHub security team additional access to the repo.

https://getsentry.atlassian.net/browse/INFO-1

  • add suitable license feat: Add a proper LICENSE to the repo #94
  • verify dependabot configuration basic dependabot configuration #167
  • if applicable, configure CodeQL for weekly and on PR scanning (requires repo to be public) basic codeql configuration #180
  • enable secret scanning (requires repo to be public)
  • review for any leaked secrets using gitleaks/trufflehog
  • review repo settings and environment variables
    • do all secrets exist under "Secrets"?
  • review any GitHub Actions
    • ensure no accidental printing of a secret value
    • ensure there is no basic encoding of a secret value that is printed
  • review configured webhooks
    • are all URLs expected destinations?
    • are they documented somewhere, either in Notion or the repo, and their purpose understood?
    • do they use sufficiently strong secrets for signing?
  • does the main branch have a protection rule in place requiring an approved PR to merge?
  • review collaborators on the repo
    • are access levels properly scoped (e.g. least privilege)?
    • are all collaborators Sentry employees?
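As an added illustration of the two GitHub Actions items in the checklist above (this is example code, not code from this repo or its author), a small scanner that walks the `run:` steps of a workflow file and flags lines that print an interpolated secret or pipe it through an encoder; the sample workflow, the `${{ secrets.* }}` pattern and the command lists are my own assumptions.

```python
import re
# Constructed sample workflow (not from this repo). It shows a secret echoed
# directly and a secret piped through an encoder, which defeats log masking.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - run: echo "token is ${{ secrets.API_TOKEN }}"
      - run: echo "${{ secrets.API_TOKEN }}" | base64
      - run: curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://example.invalid
      - run: |
          echo "${{ secrets.API_TOKEN }}" | xxd
      - run: echo "building ${{ github.sha }}"
"""
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
PRINTERS = re.compile(r"\b(echo|printf|cat)\b")
ENCODERS = re.compile(r"\b(base64|xxd|od|hexdump|rev|tr)\b")
RUN_KEY = re.compile(r"^-?\s*run:\s*(.*)$")

def iter_run_lines(workflow_text):
    """Yield (line_no, shell_text) for each line of a `run:` step, including the
    continuation lines of a multi-line `run: |` block (indentation-based)."""
    block_indent = None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None and (not stripped or indent > block_indent):
            yield no, stripped           # still inside the block scalar
            continue
        block_indent = None              # a dedent ends the block
        m = RUN_KEY.match(stripped)
        if m:
            body = m.group(1)
            if body in ("|", ">", "|-", ">-"):
                block_indent = indent    # multi-line scalar follows
            else:
                yield no, body

def find_secret_exposures(workflow_text):
    """(line_no, kind, text) for run lines that print a secret ('printed') or
    pipe it through an encoder ('encoded'); secrets passed via env: are out of scope."""
    findings = []
    for no, text in iter_run_lines(workflow_text):
        if not SECRET_REF.search(text):
            continue
        if ENCODERS.search(text):
            findings.append((no, "encoded", text))
        elif PRINTERS.search(text):
            findings.append((no, "printed", text))
    return findings
```

The curl line is deliberately not flagged: the secret is used, not printed, which is what the checklist distinguishes.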
@mdtro
Member Author

mdtro commented Feb 22, 2023

Secret scan looks good.

> gitleaks detect --source . -v

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

9:29AM INF 388 commits scanned.
9:29AM INF scan completed in 22.9s
9:29AM INF no leaks found

@jeffrey-sentry

Review notes:

  • All secrets exist under "Secrets"
  • No webhook is configured
  • Branch Protection in place with Require Approvals enabled. @mdtro do we want to restrict who can dismiss pull request reviews?
  • Access Review: cleptric and dev-infra are removed since Read access is granted to the Engineering team already.

@mdtro
Member Author

mdtro commented Feb 23, 2023

@phacops We're good to move the repo public when ready. We can handle the CodeQL and secret scanning configurations once it is public.

@phacops
Contributor

phacops commented Feb 24, 2023

OK, we'll make it public Monday then. I'll ping you before we flip the switch.
