This file is auto-generated from `definitions.ts`. Do not edit this file directly, but instead edit `definitions.ts` and then run `npm -w best-practices run generate`.
This document lists the best practices we have defined.
An Owner is a person or team that is responsible for tracking compliance with the best practice. They can also be approached for guidance on how to adhere to it. Typically this will be a DevX team.
Name | Owner | Description | How to check compliance | How to exempt | Remediation | ID |
---|---|---|---|---|---|---|
Default Branch Name | @guardian | The default branch name should be `main`. | Repocop compliance dashboard | Archived repositories are exempt. | Manual - see How to rename an existing branch | REPOSITORY-01 |
Branch Protection | @guardian | Enable branch protection for the default branch, ensuring changes are reviewed before being deployed. | Repocop compliance dashboard | Archived repositories are exempt. Repositories without a `production` or `documentation` topic are exempt. | Repocop applies branch protection automatically in batches - teams are informed via Anghammarad | REPOSITORY-02 |
Team-based Access | @guardian | Grant access on a team basis, rather than directly to individuals. | Manual. View the repository on https://github.com | Repositories with one of the following topics are exempt: `hackday`, `learning`, `prototype`, `interactive`. | Manual | REPOSITORY-03 |
Admin Access | @guardian | Grant at least one GitHub team Admin access - typically the dev team that owns the project. | Repocop compliance dashboard | Repositories with one of the following topics are exempt: `hackday`, `learning`, `prototype`. Archived repositories are exempt. | Manual | REPOSITORY-04 |
Archiving | DevX Operations | Repositories that are no longer used should be archived. | Repocop compliance dashboard | Repositories with an `interactive` topic are exempt. | Manual - DevX may contact you to discuss archiving if your repo has been inactive for over two years | REPOSITORY-05 |
Topics | DevX Security | Repositories should have one of the following topics, to help understand what is in production: `production`, `testing`, `documentation`, `hackday`, `prototype`, `learning`, `interactive` | Repocop compliance dashboard | Archived repositories are exempt. | Mainly manual - Repocop may automatically apply the `production` topic to repos that are found to have a stack in AWS with PROD/INFRA tags - teams are informed via Anghammarad | REPOSITORY-06 |
Contents | DevX Security | Never commit secret information. Avoid private information in public repositories. | Manual. View the repository on https://github.com | N/A | Manual removal | REPOSITORY-07 |
Stacks | DevX Security | Archived repositories should not have corresponding stacks on AWS. | Manual. View the repository on https://github.com | N/A | Manual removal of the stack on AWS | REPOSITORY-08 |
Vulnerability Tracking | @guardian | Repositories should have their dependencies tracked via Snyk or Dependabot, depending on the languages present. | Repocop compliance dashboard | All archived repos and all repos without a `production` topic are exempt. | Manually set up the Snyk GitHub Action in the repository that requires remediation. | REPOSITORY-09 |
Name | Owner | Description | How to check compliance | How to exempt | Remediation | ID |
---|---|---|---|---|---|---|
Resource Tagging | DevX Operations | AWS resources should be tagged (where supported) with `Stack`, `Stage`, and `App`. This aids service discovery and cost allocation. | TBD | N/A | Migration to Guardian CDK | AWS-01 |
Name | Owner | Description | How to check compliance | How to exempt | Remediation | ID |
---|---|---|---|---|---|---|
GitHub Usernames | DevX Operations | Each developer's Galaxies profile should contain their GitHub username | View on Galaxies | Your Galaxies role is something other than an engineer/data analyst | Use Galaxies profile update form | GALAXIESPERSON-01 |
Name | Owner | Description | How to check compliance | How to exempt | Remediation | ID |
---|---|---|---|---|---|---|
GitHub Team | DevX Operations | Teams should have their GitHub team names in their Galaxies entry | Check in this file in the Galaxies repo | Teams that don't use GitHub are exempt | Manual via PR | GALAXIESTEAM-01 |
Team Emails | DevX Operations | A team on Galaxies should have an email address entry | Check in this file in the Galaxies repo | N/A | Manual via PR | GALAXIESTEAM-02 |
Team Channels | DevX Operations | A team on Galaxies should have a public chat channel key listed | Check in this file in the Galaxies repo | It's generally good practice to do this, but teams that don't use GitHub are exempt | Manual via PR | GALAXIESTEAM-03 |