OWASP / www-committee-project

OWASP Foundation Web Repository
http://owasp.org/www-committee-project/

HANDBOOK: Require CODEOWNERS and SECURITY.md #61

Open stevespringett opened 1 year ago

stevespringett commented 1 year ago

We should require a CODEOWNERS file and SECURITY.md in every project repo.

thc202 commented 1 year ago

Branch protections as well to avoid accidental direct/force pushes.

hblankenship commented 1 year ago

Branch protections... Seems like it would be a per project thing. I know it is good practice but does everyone want to turn it on and have the defaults all the same? Though this conflates the Issue that we are considering here which is CODEOWNERS and SECURITY.md

psiinon commented 1 year ago

I'd argue that OWASP projects should practice what we preach and follow good practices 😁

hblankenship commented 1 year ago

CODEOWNERS ...should that be auto-created on project creation for the www-project- repository? Similar for SECURITY.md? Should that be auto-created with some default (report to the project leaders)?

stevespringett commented 1 year ago

> should that be auto-created on project creation for the www-project- repository?

Well, I would think this could be auto generated for www-project repos. But we should also require all code/tool projects to have them in their project repos as well. We can auto create these (likely) if those are within the OWASP GitHub organization. But we'll need some governance for this for repos inside and outside of the OWASP GH org.

hblankenship commented 1 year ago

While we are at it, we should require a CONTRIBUTING.md as well.

hblankenship commented 1 year ago

These were put in place for new project creations. While we are discussing this, should these be part of the Best Practices or make them required?

stevespringett commented 1 year ago

> While we are at it, we should require a CONTRIBUTING.md as well.

+1 for me

> These were put in place for new project creations.

Fantastic

> While we are discussing this, should these be part of the Best Practices or make them required?

Does it make sense to have a SECURITY.md on ASVS for example? I don't know. What they actually deliver is documentation. How that documentation is delivered does require source code.

In many cases, the SECURITY.md will end up being someone's email address. We may want to support per-project email addresses for this purpose. For example asvs@owasp.org which could be a private distribution list.

We could leverage the project type to determine if the CODEOWNERS and SECURITY are required or not.

We could make it a best practice, create a script that enumerates all OWASP repos looking for the absence of CODEOWNERS.md and SECURITY.md and automatically create an issue against that project.

Open to suggestions.
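The enumeration script sketched in the last comment, as an added example that is not part of the www-committee-project repository: it audits constructed repo inventories offline (a real run would populate them from the GitHub API) and applies the project-type idea so documentation projects are exempt from SECURITY.md. The recognised file locations are the ones GitHub itself uses (root, docs/, .github/); the project-type split and the sample repos are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Paths GitHub itself recognises for these files (root, docs/ or .github/).
CODEOWNERS_PATHS = {"CODEOWNERS", "docs/CODEOWNERS", ".github/CODEOWNERS"}
SECURITY_PATHS = {"SECURITY.md", "docs/SECURITY.md", ".github/SECURITY.md"}
CONTRIBUTING_PATHS = {"CONTRIBUTING.md", "docs/CONTRIBUTING.md",
                      ".github/CONTRIBUTING.md"}
# Which files each project type must carry. Assumption for this example:
# documentation-only projects are exempt from SECURITY.md.
REQUIRED = {
    "code": {"CODEOWNERS": CODEOWNERS_PATHS, "SECURITY.md": SECURITY_PATHS,
             "CONTRIBUTING.md": CONTRIBUTING_PATHS},
    "documentation": {"CODEOWNERS": CODEOWNERS_PATHS,
                      "CONTRIBUTING.md": CONTRIBUTING_PATHS},
}

@dataclass
class Repo:
    full_name: str
    project_type: str
    paths: set = field(default_factory=set)  # file paths present in the repo

def missing_files(repo: Repo) -> list:
    """Required files for which none of the recognised paths is present.
    Unknown project types fall back to the strict 'code' requirements."""
    wanted = REQUIRED.get(repo.project_type, REQUIRED["code"])
    return sorted(name for name, locs in wanted.items() if not locs & repo.paths)

def draft_issue(repo: Repo) -> Optional[dict]:
    """The issue a bot would file against a non-compliant repo, or None."""
    missing = missing_files(repo)
    if not missing:
        return None
    return {"repo": repo.full_name,
            "title": "Governance: missing " + ", ".join(missing),
            "body": "\n".join(f"- [ ] add {name}" for name in missing)}

def audit(repos: list) -> list:
    # One draft issue per repo that is missing something.
    return [issue for issue in map(draft_issue, repos) if issue]

# Constructed sample inventory; a real run would list each repo via the API.
SAMPLE_REPOS = [
    Repo("OWASP/www-project-example-tool", "code",
         {"README.md", ".github/CODEOWNERS", "src/main.py"}),
    Repo("OWASP/www-project-example-docs", "documentation",
         {"README.md", "docs/CODEOWNERS", "CONTRIBUTING.md"}),
    Repo("OWASP/example-tool", "code",
         {"CODEOWNERS", "SECURITY.md", "CONTRIBUTING.md"}),
]
```

Running `audit(SAMPLE_REPOS)` yields one draft issue, for the tool repo that has a CODEOWNERS under .github/ but neither SECURITY.md nor CONTRIBUTING.md.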