rbarkerSL commented 3 months ago

CI/CD Repository Audit

Description: Perform repository audit

Administrative Audit Criteria

Actions State

If actions have not been run in the previous 6 months they should be disabled:

[x] Actions are/have been disabled

If actions have run in the last 6 months then actions shall remain enabled:

[ ] Actions are enabled

Settings Window

General Tab

[x] Require contributors to sign off on web-based commits

Features Section:

[x] Disable Wiki
- If it is in use, leave Wiki enabled. If not in use, remove functionality (uncheck Wiki option). Should be disabled whenever possible.
[x] Enable Issues
[x] Enable Preserve this Repository
[x] Enable Discussions
[x] Enable Projects

Pull Requests Section:

[x] Enable Allow Squash Merging
[x] Enable Always suggest updating pull request branches
[x] Enable Automatically delete head branches

Pushes Section:

[x] Pushes: Limit how many branches and tags can be updated in a single push (Default # is 5)

Collaborators and Teams Tab

[x] Teams are assigned to the repository
[x] Individual contributors that are part of assigned teams are removed from contributors list

Branches Tab

[x] Individual branch protections are turned off

Tags Tab

[x] Individual tag protections are turned off

Rules/Rulesets Tab

[ ] The repository uses the current rulesets

Actions Tab

If actions are enabled:

[ ] Dependabot is enabled on the repository
[ ] Codecov is enabled on the repository

Webhooks Tab

[x] All webhooks present are needed and in use
[x] Snyk is enabled on the repo (check to see if the webhook exists and is in use)

Secrets and Variables Tab

[x] GitHub secrets are employed to store sensitive data
[x] Tokens are stored securely as GitHub Secrets

App Integrations

[ ] Dependabot is configured to monitor all relevant ecosystems
- npm
- electron
- github actions
- etc.
[ ] Code Coverage Reporting - Configure codecov on the repository
[ ] CodeQL is enabled on the repository

Security Checks in Repo

[x] Secrets Management
- [x] No hardcoded secrets in the workflow files or code
- [x] Secrets are referenced in CI via config files or environment variables
[ ] Executable Path Integrity
- [ ] Integrity checks for executables are implemented
- integrity checks should use either checksums or cryptographic hashes for verification
- [ ] Checksums/hashes are verified during CI process to detect unauthorized changes
- [ ] Expected checksums/hashes are stored securely and referenced through the CI pipeline
[ ] npx playwright install deps is used to install OS dependencies instead of aptitude

Code Formatting

[ ] NodeJS Projects use ESLint/Prettier formatting
[ ] Java Projects use Checkstyle/Spotless formatting

Non-Administrative Audit Criteria

Dependabot

[ ] dependabot.yml is up to date

Workflow checks

[ ] Appropriate permissions are set within the github workflows
[ ] All steps are named
[ ] All workflow actions are using pinned commits
[ ] The Step-Security Hardened Security action is enabled on each workflow job
[ ] Ensure no hard-coded keys in workflows
- [ ] Alert devops-ci administrative team if new github secrets are needed to resolve hard-coded keys

Self Hosted Runners

[ ] The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

[ ] .github/CODEOWNERS is valid and up-to-date

Other

[ ] If Applicable: Alert repository owners of software versions that are no longer supported
[ ] If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

[x] Require contributors to sign off on web-based commits
[x] Features: Issues
[x] Features: Preserve this Repository
[x] Features: Discussions
[x] Features: Projects
[x] Pull Requests: Allow Squash Merging
[x] Pull Requests: Always suggest updating pull request branches
[x] Pull Requests: Automatically delete head branches
[x] Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

[x] All Audit Criteria have been met

mishomihov00 commented 3 weeks ago

This repo seems to be a DEMO repo. No workflows or other files from the Non-Administrative Audit Criteria are available and it's last updated 4 years ago. Nothing to be done here.