Confirmed users
1,364
edits
GitHub/Repository Security: Difference between revisions
move definition of "sensitive repo" to the terminology section
(Clarify the guideline around Dependabot) |
(move definition of "sensitive repo" to the terminology section) |
||
| Line 5: | Line 5: | ||
The permissions model on GitHub, especially for older OAuth authenticated apps, is quite broad -- what you enable for one project applies to all projects you have access to. | The permissions model on GitHub, especially for older OAuth authenticated apps, is quite broad -- what you enable for one project applies to all projects you have access to. | ||
This can expose repositories with sensitive information to risks, without the repository admins being aware of risks. The following guidelines should be applied to all sensitive repositories hosted on GitHub | This can expose repositories with sensitive information to risks, without the repository admins being aware of risks. The following guidelines should be applied to all sensitive repositories (defined below) hosted on GitHub. | ||
The purpose of this checklist is to provide a base level of protection against compromise of credentials that may have the ability to modify repository resources (code, wikis, issues, etc.). Those credentials could belong either to an individual, or given to GitHub extensions. | The purpose of this checklist is to provide a base level of protection against compromise of credentials that may have the ability to modify repository resources (code, wikis, issues, etc.). Those credentials could belong either to an individual, or given to GitHub extensions. | ||
| Line 31: | Line 25: | ||
; Release: | ; Release: | ||
: Any distribution of the code, or artifacts generated from the code, for external use. "Release" includes deployments to staging or production hardware, "code drops" into another project, and similar milestones. | : Any distribution of the code, or artifacts generated from the code, for external use. "Release" includes deployments to staging or production hardware, "code drops" into another project, and similar milestones. | ||
; Sensitive Repository: | |||
: This term includes (but is not limited to): | |||
:* Repositories containing code that is directly or indirectly part of the Firefox product delivered by Mozilla. | |||
:* Repositories containing code that is run in production as part of services supporting the build, release, or ongoing operations of Firefox. | |||
:* Repositories containing PII or 3rd party IP which Mozilla has a contractual obligation to protect | |||
= Guidelines = | = Guidelines = | ||