ci: [2025-Q2] CI/CD Audit Story #1273

Open
39 of 62 tasks
rbarker-dev opened this issue Apr 25, 2025 · 2 comments
Labels: Audit (Issues resulting from a code or process audit)

Comments

rbarker-dev commented Apr 25, 2025

CI/CD Repository Audit

Description:
Perform repository audit.

If there has not been a significant commit in the last year, add a note indicating so.
Skip to the Acceptance Criteria section at the bottom to complete and close this issue.

Administrative Audit Criteria

Actions State

If actions have not been run in the previous 6 months they should be disabled:

  • Actions are/have been disabled

If actions have run in the last 6 months then actions shall remain enabled:

  • Actions are enabled

Settings Window

General Tab

  • Require contributors to sign off on web-based commits

Features Section:

  • Disable Wiki
    • If it is in use, leave Wiki enabled. If not in use, remove functionality (uncheck Wiki option). Should be disabled whenever possible.
  • Enable Issues
  • Enable Preserve this Repository
  • Enable Discussions if repository is public
  • Enable Projects

Pull Requests Section:

  • Enable Allow Squash Merging
  • Enable Always suggest updating pull request branches
  • Enable Automatically delete head branches

Pushes Section:

  • Pushes: Limit how many branches and tags can be updated in a single push (Default # is 5)

Collaborators and Teams Tab

  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from contributors list

Branches Tab

  • Individual branch protections are turned off

Tags Tab

  • Individual tag protections are turned off

Rules/Rulesets Tab

  • The repository uses the current rulesets
  • If appropriate, global rules are enabled/disabled for the repo

Actions Tab

If actions are enabled:

  • Codecov is enabled on the repository
  • Title check is enabled
  • DCO check is enabled

Webhooks Tab

  • All webhooks present are needed and in use
  • Snyk is enabled on the repo (check to see if the webhook exists and is in use)

Code Security Tab

  • Dependabot is enabled on the repository

Secrets and Variables Tab

  • GitHub secrets are employed to store sensitive data
  • Tokens are stored securely as GitHub Secrets

GitHub Apps

  • Code Coverage Reporting
  • CodeQL is enabled on the repository
  • Codacy is enabled on the repository

App Integrations

  • Dependabot is configured to monitor all relevant ecosystems (verify through dependabot.yaml file)
  • DCO-2 is configured as the DCO check

Code Formatting

  • NodeJS Projects use ESLint/Prettier formatting
  • Java Projects use Checkstyle/Spotless formatting
  • CPP Projects use Clang Tidy
  • Rust
  • Swift
  • Go

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Workflow Audit Criteria

Security Checks in Workflows

  • Secrets Management In Workflow Files (/.github/workflows/)
    • No hardcoded secrets in the workflow files or code
    • Secrets are referenced in CI via config files or environment variables
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • Integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unauthorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
    • Use pinned versions of Docker files
  • npx playwright install-deps is used to install OS dependencies instead of aptitude

Workflow checks

  • Appropriate permissions are set within the GitHub workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The step-security hardened security action is enabled on each workflow job
    • If the step-security dashboard reports an action with a score of <6, request a step-security version of the action

Self Hosted Runners

  • The Repository is using the latitude runner group label for the runs-on stanza

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Acceptance Criteria

  • All Audit Criteria have been met
  • Inactive Repo (>1 year since last significant commit)
  • Empty Repo

Custom Properties - Marking Complete

Update the repo-properties.json file in the ORG/governance repository

  • Custom properties: initial-ci-review-by-team is set
  • Custom properties: initial-ci-review-date is set (Use format: YYYY-MM-DD)
  • Custom properties: last-ci-review-by-team is set
  • Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Note: assumes ORG/governance is a valid repository in the GitHub Organization being audited
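The workflow-level items in this checklist (appropriate permissions set, every step named, every action pinned to a full commit SHA, step-security harden-runner as the first step of each job, no hardcoded secrets in workflow files) can be checked mechanically rather than by eye. The script below is an added example and is not part of this issue or of any tooling in the ORG; it runs those checks over two constructed workflow snippets, one compliant and one not. The pinned SHAs are all-zero placeholders (substitute the real 40-character commit SHA of the tag you reviewed), the download URL and token values are made up, and the reader is a deliberately small line-based parser that is sufficient for these snippets, not a general YAML parser.

```python
"""Audit GitHub Actions workflow text against the checklist items in this issue.

Example code added here; the workflow snippets, SHAs, URLs and token values are
constructed placeholders, not real repository content.
"""
import re

# Constructed compliant workflow. The 40 zeros stand in for a real commit SHA.
GOOD_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z placeholder SHA
        with:
          egress-policy: audit
      - name: Check out
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z placeholder SHA
      - name: Download and verify tool
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl -sSfLo tool https://example.invalid/tool
          echo "<expected sha256>  tool" | sha256sum -c -
"""

# Constructed non-compliant workflow: no permissions block, unnamed step,
# tag-pinned action, no harden-runner, and a literal token value.
BAD_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        env:
          NPM_TOKEN: npm_PLACEHOLDER_hardcoded_value
        run: npm ci
"""

SHA_PIN = re.compile(r"[0-9a-f]{40}")
# Key names that usually hold credentials; a literal value (no ${{ ... }}) is suspicious.
SECRET_KEY = re.compile(r"(?i)(\w*(?:token|password|secret|api[_-]?key)\w*)\s*:\s*(\S.*)")


def parse_jobs(text):
    """Return a list of jobs, each a list of {key: value} dicts, one per step.

    Minimal indentation-based reader: a job starts at each 'steps:' line, a step at
    each '- ' item directly under it. Trailing ' # comments' are stripped from values.
    """
    jobs, current, steps_indent, step_indent, in_steps = [], None, 0, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "steps:":
            jobs.append([])
            in_steps, steps_indent, step_indent = True, indent, None
            continue
        if not in_steps:
            continue
        if indent <= steps_indent:  # dedented out of the steps list
            in_steps = False
            continue
        if stripped.startswith("- "):
            if step_indent is None:
                step_indent = indent
            if indent == step_indent:  # a new step item
                current = {}
                jobs[-1].append(current)
                stripped = stripped[2:]
        if current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current.setdefault(key.strip(), value.split(" #")[0].strip())
    return jobs


def audit_workflow(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN keeps the default broad scopes")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.search(line)
        if m and "${{" not in m.group(2):
            findings.append(f"line {lineno}: possible hardcoded secret in key '{m.group(1)}'")
    for j, steps in enumerate(parse_jobs(text), 1):
        first = steps[0].get("uses", "") if steps else ""
        if not first.startswith("step-security/harden-runner@"):
            findings.append(f"job {j}: first step is not step-security/harden-runner")
        for s, step in enumerate(steps, 1):
            if "name" not in step:
                findings.append(f"job {j} step {s}: step has no name")
            uses = step.get("uses")
            if uses and not uses.startswith(("./", "docker://")):
                _, _, ref = uses.partition("@")
                if not SHA_PIN.fullmatch(ref):
                    findings.append(f"job {j} step {s}: '{uses}' is not pinned to a full commit SHA")
    return findings


if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(label, audit_workflow(wf) or "OK")
```

Run it over each file under `.github/workflows/`; the compliant snippet yields no findings, the non-compliant one yields five (missing permissions, a literal token, no harden-runner, an unnamed step and a tag-pinned checkout). The SHA check treats a tag such as `@v4` as a finding because a tag can be moved to different code later, while a full commit SHA cannot.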

@rbarker-dev rbarker-dev added the Audit Issues resulting from a code or process audit label Apr 25, 2025
@PavelSBorisov (Member) commented:

Set the following:
Pushes: Limit how many branches and tags can be updated in a single push (Default # is 5)

@PavelSBorisov (Member) commented:

Deleted individual branch protection rule for main-old (currently applies to 0 branches)
