Update the Security process

[m-linner-ericsson]

Description

We need to update the security process to include:

• Handle Dependabot alerts
• Add a description on what responsibilities maintainers have in the security process

Motivation

Currently the process is unclear creating confusion

Exemplification

N/A

Benefits

Clear process

Possible Drawbacks

None that I can think of

[k-hallen-ericsson]

Some thoughts on this. @fredjn please add to this

Dependabot Seems like you have to be an admin for a repository to receive notifications and also have notifications enabled in your personal settings. Proposal: add to governance page that maintainers shall be admin/some shall be admin (?) and that they have to enable notifications. Shall we start with that it is recommended that they also act on the notifications. Since you need to be and admin to receive notifications it will be up to each repository maintainers to act, this will not be visible to e.g. security officers.

Responsibility for maintainers I would also include an update for the security officers. Today the governance page says that officers shall "ensure" several things. We need to elaborate on what "ensure" means.

[magnusbaeck]

Seems like you have to be an admin for a repository to receive notifications and also have notifications enabled in your personal settings.

Really? Judging by https://github.com/organizations/eiffel-community/settings/security_analysis

this isn't true and security officers should have the necessary permissions. Also, from the settings of an random repository (https://github.com/eiffel-community/eiffel/settings/security_analysis):

[k-hallen-ericsson]

Interesting @magnusbaeck , I can't access the page that you link to (https://github.com/organizations/eiffel-community/settings/security_analysis) and I can't see any scanning alerts. I got my info from https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/repository-roles-for-an-organization#access-requirements-for-security-features

[e-backmark-ericsson]

@fredjn could you look into this, if it works better for you than for Kristofer? Could you ask GitHub if it does not work?

[fredjn]

I get 404 when trying to access https://github.com/eiffel-community/eiffel/settings/security_analysis and https://github.com/organizations/eiffel-community/settings/security_analysis, so something is wrong I guess.

[fredjn]

This could have something to do with it though ;)

[t-persson]

@k-hallen-ericsson and @fredjn you have both been added to the group and should now have access to security features.

[e-backmark-ericsson]

@k-hallen-ericsson , @fredjn - do you need any more input on this from TC to progress this work?

[k-hallen-ericsson]

@e-backmark-ericsson thanks for the reminder, no we should be able to conclude this now.

[fredjn]

The motivation to this issue mentions that the current process is unclear and creates confusion. Would it be possible to elaborate a bit on this? Would be nice to have examples to go by when updating end refining the process, so we don't repeat past mistakes.

[k-hallen-ericsson]

I proposed updates for the security officer description. @fredjn will propose changes on dependabot settings for maintainers.

[k-hallen-ericsson]

@fredjn any comments? Should I propose updates for the maintainer responsibility?

[e-backmark-ericsson]

@k-hallen-ericsson , @fredjn , can this issue be closed now?