DevX SOC2 compliance: repo rollout

[bobheadxi]

Roll out DevX SOC2 compliance items across our critical repos, in order of priority:

https://k8s.sgdev.org/users/robert/batch-changes/pr-auditor-rollout?status=OPEN

• [x] https://github.com/sourcegraph/sourcegraph
• [x] https://github.com/sourcegraph/deploy-sourcegraph-cloud
• [x] https://github.com/sourcegraph/deploy-sourcegraph-managed
• [x] https://github.com/sourcegraph/infrastructure
• [x] https://github.com/sourcegraph/src-cli
• [x] https://github.com/sourcegraph/deploy-sourcegraph
• [x] https://github.com/sourcegraph/deploy-sourcegraph-docker

Other repos:

• deploy-sourcegraph-aws etc?
• lsif indexers?

[jhchabran]

@bobheadxi Checking the docs, I don't see a mention about deploy-sourcegraph-cloud, which seems to be a wrapper on top of the single docker instance.

So, correct me if I'm wrong, it's a bit of a gray area because it's not a "product" that we are advertising explicitly, but we aren't either saying that it's not.

I see two paths there:

• We ask the owners if they're ok with dealing with the test plans, if they agree, we wire it.
• We make it explicit that it's not a supported product and thus we don't cover it.

For lsif-indexers, they are sub-components and if we were to have them within sourcegraph/sourcegraph they would be logically covered. So I think they should be part of the test plan process.

[bobheadxi]

@jhchabran deploy-sourcegraph-cloud is sourcegraph.com! 😛 I think you mean https://github.com/sourcegraph/deploy-sourcegraph-aws ? You're right on the following though I think:

So, correct me if I'm wrong, it's a bit of a gray area because it's not a "product" that we are advertising explicitly, but we aren't either saying that it's not.

I will reach out to Delivery regarding:

• https://github.com/sourcegraph/deploy-sourcegraph-aws
• https://github.com/sourcegraph/deploy-sourcegraph-digitalocean

slack thread

For lsif-indexers, they are sub-components and if we were to have them within sourcegraph/sourcegraph they would be logically covered. So I think they should be part of the test plan process.

lsif-indexers are not sub-components, but standalone projects:

• https://github.com/sourcegraph/lsif-java
• https://github.com/sourcegraph/lsif-node
• https://github.com/sourcegraph/lsif-py
• https://github.com/sourcegraph/lsif-typescript
• https://github.com/sourcegraph/lsif-go
• https://github.com/sourcegraph/lsif-kotlin
• https://github.com/sourcegraph/lsif-clang

Other seemingly related projects:

• https://github.com/sourcegraph/sbt-sourcegraph
• https://github.com/sourcegraph/lsif-go-action
• more: https://k8s.sgdev.org/search?q=context:global+++++++repo:%5Egithub%5C.com/sourcegraph/lsif-.*++++++OR+repo:%5Egithub%5C.com/sourcegraph/sbt-sourcegraph%24&patternType=literal

Speaking of which, I'm guessing we need these as well:

• https://github.com/sourcegraph/terraform-google-executors
• https://github.com/sourcegraph/terraform-aws-executors

[bobheadxi]

There are also sourcegraph extensions:

https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/sourcegraph/sourcegraph-.*&patternType=literal

[bobheadxi]

Most of the repos mentioned above are done, and I've made a variety of patches to pr-auditor as well based on feedback in the interim

Given that we don't seem to have additional guidance on what repos require this and doesn't, I've opened a fleet of additional PRs for everything that looks kind of used and updated and product-like: https://k8s.sgdev.org/users/robert/batch-changes/pr-auditor-rollout?status=OPEN 3 failed as well ( https://k8s.sgdev.org/users/robert/batch-changes/pr-auditor-rollout?status=FAILED ), so there are a total of 23 PRs that are pending

I've requested access to repos to resolve the failures: https://sourcegraph.slack.com/archives/C01CSS3TC75/p1646067746802959 - this is required so the bot can manage the commit status API appropriately, and so that I can make changes to said repos

tl;dr as of today

[bobheadxi]

Got redirected to security re: access questions: https://sourcegraph.slack.com/archives/C1JH2BEHZ/p1646181694003409

If that's a no-go, Michael mentioned that we can explore GitHub Apps: https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps#token-based-identification

Requested reviews for most repositories, which is a manual process. Some repositories also need manual intervention for linter exceptions

[bobheadxi]

Got confirmation last week from security, pinged it-tech-ops again this week to set up write access for all: https://sourcegraph.slack.com/archives/C01CSS3TC75/p1646675404295489

I am going to merge unreviewed PRs in the batch change now, which is nice and easy with the batch change bulk action but is creating a lot of spam... oh well, at least we know it works 😛

[bobheadxi]

There are still some unpublished changesets that were captured in the initial batch change query, but I am opting not to action these because they appear abandoned or are internal tooling:

You can see the full set of repositories that had this rolled out here: https://k8s.sgdev.org/users/robert/batch-changes/pr-auditor-rollout?status=MERGED&visible=50

And with that I'm calling it wraps and closing this issue! cc @jhchabran @sourcegraph/security

[jhchabran]

@bobheadxi thanks for taking on this grueling task 🙏💪, well done 🚀