-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TAC Vote Needed - Enable GitHub Secret Scanning and Push Protection #333
Comments
I don't think this should be a requirement to enter sandox but it could be to enter incubation, which should lead sandbox projects to want it in order to prepare for the next lifecycle stage. |
I agree with Arnaud. I think as an Incubating requirement would be more appropriate. |
do we want to integrate #255 along with this and ensure branch protection is enabled? |
I feel we need to decouple these two issues to isolate the potential impacts of the changes. I would also like us to build a consensus on what rulesets should be at the enterprise level versus the organizational level. |
@lehors @SecurityCRob I have moved the secret scanning off sandbox baseline. |
Do we have a way to enable it at an enterprise level, but only apply it to incubating and graduated TIs? |
For what it's worth I'm not worried about having it turned on for all projects within the ossf GitHub org. That becomes a benefit they get for free from having their repo in that org. I was merely concerned about requiring it for all projects, including those projects that wouldn't get it for free because they are not part of that org (and which are quite numerous I believe). |
Copying over the questions from the doc
Yes, I think this is a good idea. It doesn't differentiate between sandbox projects, but using partner patterns is very unlikely to generate a false positive (and if I understand correctly, contributors can identify a false positive and still be able to push through a detection).
Yes, I would enable push protection and add a resource link (which will help someone identify what to do in case there's a false positive).
I could go either way, but I'm leaning towards no. I think it's very unlikely repository admins would need to disable it (since there's a bypass flow built-in), and we can always revisit this if needed.
I think this should be the TI that maintains the repository - they have the most context on the repository contents. Any repository admin can get these alerts by either watching the entire repository (which is a good idea generally for admins), or by going Watch > Custom > Security alerts.
That sounds fine to me! |
I concur! Thanks for the breakdown @steiza. |
I vote "yes" to enable and set as a requirement for incubating & above. |
thanks @lehors could you please elaborate more on "I was merely concerned about requiring it for all projects, including those projects that wouldn't get it for free because they are not part of that org (and which are quite numerous I believe).". By all projects I meant all the projects under OpenSSF enterprise account. |
Thanks @sevansdell . Two different concepts if I understand your question properly.... Enterprise means GitHub enterprise account. it's a GitHub construct and the root of OpenSSF GitHub account structure. TI's are in the form of GitHub repositories that will be under a GitHub organization which is under the OpenSSF GitHub enterprise account. |
So, what I meant is that if this is something that can be enabled by the staff on all repos hosted by the ossf GitHub account/org without requiring anything from the projects we might as well do it for all of them, independently of their maturity/lifecycle status. |
@lehors I see....My note was flawed, yes, the setting is independent of project lifecycle. I updated the issue description. |
I vote "yes" to enable and set as a requirement for incubating & above. |
Thanks @bobcallaway ....if we want to do it this way, we have two options:
Either way requires repo admin to make changes. Enterprise or Org owner does not have to do anything with opt out approach. Security wise, I cannot see difference between the two approaches, assuming projects will attest when they apply for life cycle changes |
Opt out seems pragmatic to me. |
After reviewing the doc and discussion, here are my votes for repos under the ossf enterprise org:
opt out
yes
no
I agree with Zach, it should be the admins of the affected TI's repo to handle alerts. Instructions that show repo admins how to handle alerts should be added to the SCM Best Practices docs. In addition, I vote in favor of making the above a requirement for Incubating stage TIs that host repos outside the ossf org. |
I vote yes |
I agree with Marcela. :) |
8 of 9 tac members expressed support in the 9july2024 call. merging |
closing (no pr to merge) |
The issue is in response to BEST WG issue "Add secret scanning and push protection to SCM-BestPractices recommendations"
Secret scanning and push protection is added to the security baseline.
Will need TAC decision on enabling secret scanning and push protection at the enterprise level. Details of the features, settings at the enterprise level, how alert is raised, how to respond to the alert, and the approach to audit are capture in this document for TAC review and decision.
Summarized the responses from @SecurityCRob @sevansdell @steiza @lehors into TAC Decision section to make the remaining votes easier.
The text was updated successfully, but these errors were encountered: