Create SLSA GitHub Security Procedures

[melba-lopez]

As a subgroup of OpenSSF, we must think about security first and foremost. I am recommending creating a standard for all of SLSA repositories, builds, and scanning. I know we won't get here overnight, but would be good to get started on some low hanging fruit! @slsa-framework @slsa-steering-committee

Proposal:

• All Repositories must include open source Source Composition Analysis tools to assess vulnerabilities
• All Repositories must include open source Static Application Security Testing to assess vulnerabilities.
• All Repositories must include open source Dynamic Application Security Testing to assess vulnerabilities.
• All Repositories must enable Branch Protections
• All Repositories must enumerate direct/transitive dependencies via SBOM
• All Repositories must enable Dependabot
• All Repositories should assess themselves (periodically) against OpenSSF Scorecard and remediate any findings to ensure high scoring
• All Repositories should obtain an OpenSSF Best Practices Badge (@david-a-wheeler as you are a main contributor to the documentation, this should be pretty easy for you to do ;) )
• All Repositories should enable [OpenSSF AllStar project](repositories for adherence to security best practices.) for continuous compliance against security best practices
• All code promotions must require 2+ reviewers (no forced changes)
• SLSA Organization must setup Security Policies with contact information for responsible vulnerability disclosure
• SLSA Organization should identify remediation times based on severity of vulnerabilities

Several of our working group members are part of these OpenSSF projects and can help guide/lead implementation if there are issues. Important part is to get started where we can.

[jeffmendoza]

Allstar can be configured to enforce branch protection with 2+ reviews, and also the security policy check.

For anything that can be programatically detected, we would like to add to Allstar as a policy. Especially the first three, if there is an expected config file/workflow that we can look for, we can check that it is there and alert if not.

Dependabot can be setup at the org level like so: https://docs.github.com/en/code-security/getting-started/securing-your-organization#managing-dependabot-security-updates

[melba-lopez]

@jeffmendoza thanks for this!! i lost track of this issue (and now it is on my radar again) :)