cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io
Other
2.09k stars 518 forks source link

[Suggestion] Update security guidelines on contribute.cncf.io #1260

Open linsun opened 5 months ago

linsun commented 5 months ago

Could you update the security guidelines on contribute.cncf.io (https://github.com/cncf/tag-contributor-strategy/blob/main/website/content/maintainers/security/security-guidelines.md) to include configuration of repository settings which will require an approval from one of the repository owners/maintenance instead of starting a build for each created pull request?

Please refer to GitHub's details here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories

This should be recommended as best practices for projects. Let me know if you have any questions. cc @TheFoxAtWork and @tpepper

eddie-knight commented 5 months ago

A question was raised on today's TAG call:

Is this intended to be TAG Security guidance, or is this a call for contributions from STAG members?

TheFoxAtWork commented 5 months ago

The security guidelines on the contribute.CNCF.io site were contributed by TAG Security to provide projects with guidance on securing their project and repo, it was intended to pull together elements from the self assessment and best practices in a central location for project maintainers.

This request to update those guidelines is, in addition to refreshing them for current best practices, intended to reduce the probability of uninformed security researchers or malicious entities from successfully exfiltrating secrets from projects leveraging GitHub actions. How the TAG chooses to facilitate this update is up to you all!

We would like to ensure project maintainers are receiving the benefit of the STAG's expertise in securing their codebase.

@eddie-knight does this additional context answer the question?

eddie-knight commented 5 months ago

Thanks for the quick reply @TheFoxAtWork

Per @mnm678, we'll reach out to TAGCS and then document the relationship somewhere, so that the work is tracked and can be maintained over time.

TheFoxAtWork commented 5 months ago

Of course! some additional context: All the security content (templates and guidance) were contributed by TAG Security previously (I did the templates when I was an active member, and @ragashreeshekar i believe worked on the guidance). The guidance was a request from the TOC liaison at the time (also me) to ensure projects had a central location (contribute.cncf.io) to get all their resources, guides, and templates for starting and maintaining their project rather than searching through TAG repos for content of interest/relevance that may not be written in a manner that is easily actionable.

eddie-knight commented 5 months ago

We just spoke with TAGCS and concluded that we will:

TheFoxAtWork commented 5 months ago

Awesome thank you for the follow-up!