Open
Description
As a subgroup of OpenSSF, we must think about security first and foremost. I am recommending creating a standard for all SLSA repositories, builds, and scanning. I know we won't get here overnight, but it would be good to get started on some low-hanging fruit! @slsa-framework @slsa-steering-committee
Proposal:
- All Repositories must include open source Source Composition Analysis tools to assess vulnerabilities
- All Repositories must include open source Static Application Security Testing to assess vulnerabilities.
- All Repositories must include open source Dynamic Application Security Testing to assess vulnerabilities.
- All Repositories must enable Branch Protections
- All Repositories must enumerate direct/transitive dependencies via SBOM
- All Repositories must enable Dependabot
- All Repositories should assess themselves (periodically) against OpenSSF Scorecard and remediate any findings to ensure high scoring
- All Repositories should obtain an OpenSSF Best Practices Badge (@david-a-wheeler as you are a main contributor to the documentation, this should be pretty easy for you to do ;) )
- All Repositories should enable the OpenSSF AllStar project (monitors repositories for adherence to security best practices) for continuous compliance against security best practices
- All code promotions must require 2+ reviewers (no forced changes)
- SLSA Organization must set up Security Policies with contact information for responsible vulnerability disclosure
- SLSA Organization should identify remediation times based on severity of vulnerabilities
Several of our working group members are part of these OpenSSF projects and can help guide/lead implementation if there are issues. The important part is to get started where we can.
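As an added illustration of how the branch-protection and "2+ reviewers / no forced changes" items could be verified mechanically, here is a small audit script. It is not part of the issue text or of the SLSA project's own tooling. It assumes the JSON shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection` (field names such as `required_pull_request_reviews`, `enforce_admins`, `allow_force_pushes`, `required_status_checks`); the two sample responses below are constructed inline so the script runs offline.

```python
"""Audit a GitHub branch-protection response against the proposal's rules.

Added example, not SLSA project code. Assumes the field names of GitHub's
branch-protection REST response; the sample payloads are constructed here.
"""
import json

# Proposal rules: at least two reviewers, no forced changes, protections
# that admins cannot bypass, and CI (SCA/SAST) gating every merge.
MIN_REVIEWERS = 2


def audit_branch_protection(protection: dict) -> list:
    """Return a list of findings; an empty list means the branch complies."""
    findings = []

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < MIN_REVIEWERS:
            findings.append(
                f"only {count} approving review(s) required, need {MIN_REVIEWERS}"
            )
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are not dismissed on new commits")

    # "no forced changes": force pushes and deletions must be disabled
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")

    # protections must also bind repository admins
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("admins can bypass protections")

    # without required status checks, SCA/SAST results do not gate merges
    if protection.get("required_status_checks") is None:
        findings.append("no required status checks (CI/SAST/SCA not gating merges)")

    return findings


# Constructed sample: a branch that meets the proposal.
COMPLIANT = json.loads("""{
  "required_pull_request_reviews": {
    "required_approving_review_count": 2,
    "dismiss_stale_reviews": true
  },
  "enforce_admins": {"enabled": true},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false},
  "required_status_checks": {"strict": true, "contexts": ["scorecard", "codeql"]}
}""")

# Constructed sample: a typical default branch with weak settings.
WEAK = json.loads("""{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": false
  },
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false},
  "required_status_checks": null
}""")


def main():
    for name, payload in (("compliant", COMPLIANT), ("weak", WEAK)):
        findings = audit_branch_protection(payload)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

To run it against a real repository, fetch the live response (for example with `gh api repos/OWNER/REPO/branches/main/protection`) and pass the parsed JSON to `audit_branch_protection`; a non-empty result is the list of items that block a "2+ reviewers, no forced changes" policy.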