Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update RA Policy #73

Merged
merged 2 commits into from
May 28, 2024
Merged

update RA Policy #73

merged 2 commits into from
May 28, 2024

Conversation

dandersonsw
Copy link
Contributor

Changes proposed in this pull request:

  • Updates RA Policy with information on container scanning exceptions
  • Updates outdated links in policy

Things to check

  • For any logging statements, is there any chance that they could be logging sensitive data?
  • Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the otput, which can prevent unintentional leaks of sensitive data.

Security considerations

Keeping our policy up-to-date

wz-gsa
wz-gsa reviewed May 28, 2024
View reviewed changes
RA-Policy.md Outdated

Note that _customers_ of cloud.gov are responsible for conducting static code analysis on the baseline of the applications they are deploying into cloud.gov containers.

Access to scanning tools, scan results, and logs is broadly shared amongst the cloud.gov team to ensure a rapid response to any findings. Similarly, on-demand access is granted to the Authorizing Official to aide in any systemic understanding of the system's risk posture.

See RA-5, RA-5(1), RA-5(2), RA-5(3), RA-5(5), RA-5(6), RA-5(8).
In some cases Common Vulnerabilities and Exposures (CVEs) found by container scans may be false positives. Exceptions for these CVEs are implemented, and documented, in the [common-pipelines](https://github.com/cloud-gov/common-pipelines/blob/main/container/grype.yaml) repository. To implement an exception the reason for the exception must be documented, and the change must be reviewed and approved by a member of the operations team.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the change must be reviewed and approved by a member of the security team.

wz-gsa
wz-gsa approved these changes May 28, 2024
View reviewed changes
Copy link
Contributor

@wz-gsa wz-gsa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! All changes I requested have been performed. 📜 😃

@wz-gsa wz-gsa merged commit e5f1294 into main May 28, 2024
@wz-gsa wz-gsa deleted the ra-policy branch May 28, 2024 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wz-gsa wz-gsa wz-gsa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dandersonsw @wz-gsa