Open bsweger opened 4 months ago
Many (most) of these hardening suggestions involve updating repo settings (i.e., settings that the Hubverse team does not have access to).
We'll have to do some thinking about which of them we want to try enforcing programmatically (if possible).
Another useful resource: https://engineering.salesforce.com/github-actions-security-best-practices-b8f9df5c75f5/
I feel security issues resulting from running custom validation functions is also an important topic that we haven't put much thought into and this might be a good opportunity to: https://github.com/Infectious-Disease-Modeling-Hubs/hubValidations/issues/20
At a recent demo, @annakrystalli raised the good point of ensuring that Hubverse GitHub actions that interact with AWS are as secure as possible.
Anna specifically asked if there is a way to programmatically ensure that a repo has branch protections enabled before our cloud-based actions will run.
In addition, this GitHub writeup has additional security-hardening tips that we should strive to apply:
In the context of the Hubverse, we might also consider:
.txt
,.json
,.yaml
,.parquet
,.csv
,.tsv
.... basically things that can't contain a malicious payload)