ci: [2024-Q3] CI/CD Audit Story #1909

Open
9 of 53 tasks
rbarkerSL opened this issue Jul 19, 2024 · 0 comments
rbarkerSL commented Jul 19, 2024

Contents

Administrative Audit Criteria

Check Actions State

  • Actions are enabled
  • Actions are disabled

Check if Actions should be disabled

If actions have not been run in the previous 6 months they should be disabled:

  • Actions have run in the last 6 months and shall remain enabled
  • Actions have been disabled on the inactive repository

Repository Settings Checks

  • Repository settings are configured per organization standard
  • Individual branch protections are turned off
  • Individual tag protections are turned off
  • The repository uses the current rulesets
  • Teams are assigned to the repository
  • Individual contributors that are part of assigned teams are removed from contributors list
  • All webhooks present are needed and in use

App Integrations

If actions are enabled:

  • Dependabot is enabled on the repository
  • Codecov is enabled on the repository

Security Checks

  • Snyk is enabled on the repository
  • Dependabot is configured to monitor all relevant ecosystems
    • npm
    • electron
    • github actions
    • etc.
  • Secrets Management
    • No hardcoded secrets in the workflow files or code
    • GitHub secrets are employed to store sensitive data
    • Secrets are referenced in CI via config files or environment variables
  • Tokens are stored securely as GitHub Secrets
  • Executable Path Integrity
    • Integrity checks for executables are implemented
      • integrity checks should use either checksums or cryptographic hashes for verification
    • Checksums/hashes are verified during CI process to detect unauthorized changes
    • Expected checksums/hashes are stored securely and referenced through the CI pipeline
  • Code Coverage Reporting - Configure codecov on the repository
  • CodeQL is enabled on the repository
  • npx playwright install-deps is used to install OS dependencies instead of aptitude
  • Code Formatting
    • ESLint rules are applied to the codebase
    • Prettier Formatting rules are applied to the codebase

Custom Properties

  • Custom properties: last-ci-review-by-team is set
  • Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Non-Administrative Audit Criteria

Dependabot

  • dependabot.yml is up to date

Workflow checks

  • Appropriate permissions are set within the github workflows
  • All steps are named
  • All workflow actions are using pinned commits
  • The Step-Security Hardened Security action is enabled on each workflow job
  • Ensure no hard-coded keys in workflows
    • Alert devops-ci administrative team if new github secrets are needed to resolve hard-coded keys

Self Hosted Runners

  • The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

  • .github/CODEOWNERS is valid and up-to-date

Other

  • If Applicable: Alert repository owners of software versions that are no longer supported
  • If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

  • Require contributors to sign off on web-based commits
  • Features: Issues
  • Features: Preserve this Repository
  • Features: Discussions
  • Features: Projects
  • Pull Requests: Allow Squash Merging
  • Pull Requests: Always suggest updating pull request branches
  • Pull Requests: Automatically delete head branches
  • Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

  • All Audit Criteria have been met
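As an added example (not part of the issue or of the repository's own tooling), a small line-based audit script that checks one workflow file against the "Workflow checks" items above: a `permissions:` block is present, every `uses:` reference is pinned to a full commit SHA, every step has a `name:`, the step-security/harden-runner action appears in each job, and no hard-coded tokens sit in the workflow. It assumes block-style YAML with jobs indented two spaces under `jobs:`; the sample workflow and its commit SHAs are constructed, not taken from any real repository.

```python
import re
# Constructed sample workflow (not from the issue); it mixes compliant and non-compliant
# steps so every check below has something to report. The 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
permissions: read-all
jobs:
  build:
    runs-on: [self-hosted, latitude]
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - name: Publish
        run: curl -H "Authorization: token ghp_abcdef0123456789abcdef0123456789abcd" https://example.invalid/
"""
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")           # 'uses' ref pinned to a full commit SHA
USES = re.compile(r"^\s*(?:- )?uses:\s*(\S+)")
HARDCODED = re.compile(r"ghp_[A-Za-z0-9]{36}|(?i:token|password|secret)\s*[:=]\s*['\"]?[A-Za-z0-9_-]{16,}")
JOB_HDR = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # jobs sit two spaces under 'jobs:' (assumption)
STEP_START = re.compile(r"^\s+- ")                 # block-style step list items (assumption)

def audit_workflow(text: str) -> dict:  # False / 0 / [] in the result means that check passed
    findings = {"permissions_missing": True, "unpinned": [], "unnamed_steps": 0,
                "jobs_without_harden_runner": [], "hardcoded_secrets": []}
    in_jobs, job, steps = False, None, {}          # job name -> list of steps (lists of lines)
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*permissions:", line):    # top-level or per-job permissions block
            findings["permissions_missing"] = False
        in_jobs = in_jobs or line.startswith("jobs:")
        if in_jobs and (m := JOB_HDR.match(line)):
            job = m.group(1)
            steps[job] = []
        elif job is not None:
            if STEP_START.match(line):             # a new step begins; later lines belong to it
                steps[job].append([])
            if steps[job]:
                steps[job][-1].append((lineno, line))
    for name, job_steps in steps.items():
        for step in job_steps:
            if not any(re.match(r"^\s*(?:- )?name:", l) for _, l in step):
                findings["unnamed_steps"] += 1
            for lineno, l in step:
                u = USES.match(l)
                if u and not SHA_PIN.search(u.group(1)):
                    findings["unpinned"].append((lineno, u.group(1)))
                if HARDCODED.search(l):            # literal token in a run/env/with line
                    findings["hardcoded_secrets"].append(lineno)
        if not any("step-security/harden-runner@" in l for step in job_steps for _, l in step):
            findings["jobs_without_harden_runner"].append(name)
    return findings
```

Run it over every file under `.github/workflows/` to produce the per-repository list of failing items; line numbers in the findings refer to the workflow file being audited.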