Skip to content

Latest commit

 

History

History
171 lines (133 loc) · 31.9 KB

File metadata and controls

171 lines (133 loc) · 31.9 KB

Source Code Management Platform Configuration Best Practices

by the Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2023-08-29

Intro

Collaborative source code management platforms (such as GitHub and GitLab) play a critical role in modern software development, providing a central repository for storing, managing, and versioning source code as well as collaborating with a community of developers. However, they also represent a potential security risk if not properly configured. In this guide, we will explore the best practices for securing these platforms, covering topics that include user authentication, access control, permissions, monitoring, and logging.

Audience

This guide has been written for the:

  • Maintainer who wants to improve the security posture for one or more GitHub repositories or GitLab projects they support.
  • Owner who wants to improve the security posture for their GitHub organization or GitLab group they manage.
  • Open Source Program Office (OSPO) (or a team that plays a similar role) who is typically responsible for multiple GitHub organizations or GitLab groups.
  • Operations team tasked with applying policies as part of their work managing assets on these platforms.
  • GitHub/GitLab enterprise administrator who wants to improve the security posture for their SCM enterprise.

Tooling

Below is a non-exhaustive list of possible tools that can be used to assist in review source code repositories.

An open-source project from the OpenSSF that scans GitHub organizations for “repository level” misconfigurations. Allstar detects a subset of the “repository level” policies suggested by this document. It can be configured to scan all repositories in an organization or a subset of them and is supported by the following SCMs:

  • GitHub Cloud

An open-source project from Legit Security that scans SCM assets to find misconfigurations, security issues, and unfollowed best practices. Legitify detects all policies suggested by this document and supports the following SCMs:

  • GitHub Cloud
  • GitHub Enterprise Server
  • GitLab Cloud
  • GitLab Server

An open-source project from the OpenSSF that scans repositories for security issues and provides security health metrics. Scorecard detects many of the “repository level” policies suggested by this document and supports the following SCMs:

  • GitHub Cloud
  • GitHub Enterprise Server
  • GitLab Cloud
  • GitLab Server

Recommendations

Each specific recommendation below is noted to be applicable to either GitHub or GitLab by use of an appropriate icon and text, and is linked to the detailed best practice definition if available:

For recommendations only applicable to GitHub or GitLab visit one of the following pages:

Continuous Integration / Continuous Deployment

  • Workflows Should Not Be Allowed To Approve Pull Requests GitHub GitHub
  • GitHub Actions Should Be Restricted To Selected Repositories GitHub GitHub
  • GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions GitHub GitHub
  • Default Workflow Token Permission Should Be Read Only GitHub GitHub
  • Runner Group Should Be Limited to Private Repositories GitHub GitHub
  • Runner Group Should Be Limited to Selected Repositories GitHub GitHub

Enterprise

  • Two-Factor Authentication Should Be Enforced For The Enterprise GitHub GitHub
  • Enterprise Should Not Allow Members To Create public Repositories GitHub GitHub
  • Enterprise Should Not Allow Members To Invite Outside Collaborators GitHub GitHub
  • Enterprise Should Not Allow Members To Change Repository Visibility GitHub GitHub
  • Enterprise Should Use Single-Sign-On GitHub GitHub
  • Enterprise Should Not Allow Members To Fork Internal And Private Repositories GitHub GitHub
  • Two-Factor Authentication Should Be Enforced For The Group GitLab GitLab
  • Forking of Repositories to External Namespaces Should Be Disabled. GitLab GitLab
  • Group Should Enforce Branch Protection GitLab GitLab
  • Webhooks Should Be Configured To Use SSL GitLab GitLab

Members, Access Control and Permissions

  • Organization Should Have Fewer Than Three Owners GitHub GitHub
  • Organization Admins Should Have Activity In The Last 6 Months GitHub GitHub
  • Organization Members Should Have Activity In The Last 6 Months GitHub GitHub
  • Two Factor Authentication Should Be Enabled for Collaborators GitLab GitLab
  • Two Factor Authentication Should Be Enabled for External Collaborators GitLab GitLab
  • Administrators Should Have Activity in the Last 6 Months GitLab GitLab

Repository

  • Repository Should Be Updated At Least Quarterly GitHub GitHub
  • Workflows Should Not Be Allowed To Approve Pull Requests GitHub GitHub
  • Default Branch Should Require Code Review GitHub GitHub GitLab GitLab
  • Default Workflow Token Permission Should Be Set To Read Only GitHub GitHub
  • Default Branch Should Be Protected GitHub GitHub GitLab GitLab
  • Default Branch Should Not Allow Force Pushes GitHub GitHub GitLab GitLab
  • Default Branch Should Require Code Review By At Least Two Reviewers GitHub GitHub GitLab GitLab
  • Vulnerability Alerts Should Be Enabled GitHub GitHub
  • OpenSSF Scorecard Score Should Be Above 7 GitHub GitHub
  • GitHub Advanced Security – Dependency Review Should Be Enabled For A Repository GitHub GitHub
  • Default Branch Deletion Protection Should Be Enabled GitHub GitHub
  • Default Branch Should Require Linear History GitHub GitHub
  • Default Branch Should Require All Checks To Pass Before Merge GitHub GitHub
  • Default Branch Should Require Branches To Be Up To Date Before Merge GitHub GitHub
  • Repository Should Have Fewer Than Three Admins GitHub GitHub
  • Default Branch Should Restrict Who Can Push To It GitHub GitHub
  • Default Branch Should Require All Commits To Be Signed GitHub GitHub GitLab GitLab
  • Webhooks Should Be Configured With A Secret GitHub GitHub
  • Webhooks Should Be Configured To Use SSL GitHub GitHub
  • Default Branch Should Require All Conversations To Be Resolved Before Merge GitHub GitHub
  • Default Branch Should Restrict Who Can Dismiss Reviews GitHub GitHub
  • Default Branch Should Require New Code Changes After Approval To Be Re-Approved GitHub GitHub GitLab GitLab
  • Default Branch Should Limit Code Review to Code-Owners GitHub GitHub GitLab GitLab
  • Forking Should Not Be Allowed for This Repository GitHub GitHub
  • Project Should Be Updated At Least Quarterly GitLab GitLab
  • Repository Should Not Allow Review Requester To Approve Their Own Request GitLab GitLab
  • Merge Request Authors Should Not Be Able To Override the Approvers List GitLab GitLab
  • Project Should Require All Pipelines to Succeed GitLab GitLab
  • Forking Should Not Be Allowed GitLab GitLab
  • Project Should Require All Conversations To Be Resolved Before Merge GitLab GitLab
  • Repository Should Not Allow Committer Approvals GitLab GitLab
  • Webhook Configured Without SSL Verification GitLab GitLab
  • Project Should Have Fewer Than Three Owners GitLab GitLab

Operations

General Recommendations

  • Organization Management Should Be Consolidated Under a Central Account. (Applies to: GitHub GitHub)
  • Organization Membership Should Be Limited to Its Staff When Relevant. (Applies to: GitHub GitHub)
  • Review Security Policies and Procedures At Least Annually. (Applies to: GitHub GitHub GitLab GitLab)
  • Establish a Clear Communication and Incident Response Plan. (Applies to: GitHub GitHub GitLab GitLab)
  • Conduct Regular Security Audits and Vulnerability Assessments. (Applies to: GitHub GitHub GitLab GitLab)
  • Use Insights to Track Activity and in Repositories and Organizations. (Applies to: GitHub GitHub)
  • Use Tools Built On APIs to Automate Tasks and Avoid Needing Elevated Privileges. (Applies to: GitHub GitHub GitLab GitLab)
  • Review the Configuration Settings Before Making a Repository Public. (Applies to: GitHub GitHub GitLab GitLab)
  • Review the Configuration Settings After Transferring a Repository into the Organization. (Applies to: GitHub GitHub GitLab GitLab)
  • Provide Automated Alerts and Tooling to Ensure Ongoing Compliance. (Applies to: GitHub GitHub GitLab GitLab)
  • Review Audit Logs to Track Activity and Changes in Repositories and Organizations. (Applies to: GitHub GitHub)
  • Group Membership Should Be Limited to Organization Staff When Relevant. (Applies to: GitLab GitHub)
  • Review Audit Events to Track Activity and Changes in Projects and Groups. (Applies to: GitLab GitHub)

Specific Recommendations

  • Two-Factor Authentication Should Be Enforced For The Organization GitHub GitHub
  • Organization Should Use Single-Sign-On GitHub GitHub
  • Default Member Permissions Should Be Restricted GitHub GitHub
  • Only Admins Should Be Able To Create Public Repositories GitHub GitHub
  • Webhooks Should Be Configured To Use SSL GitHub GitHub GitLab GitLab
  • Webhooks Should Be Configured With A Secret GitHub GitHub
  • Configure Security Alerts and Vulnerability Scanning at the Organization or Repository Level. (Applies to: GitHub GitHub)
  • Enable GitHub Advanced Security features for Private and Internal Repositories. (Applies to: GitHub GitHub)
  • Two-Factor Authentication Should Be Enforced For The Group GitLab GitLab
  • Group Should Use Single-Sign-On (Applies to: GitLab GitLab)
  • Only Admins Should Be Able To Create Public Projects and Groups. (Applies to: GitLab GitLab)

Acknowledgements

The following community members helped contribute to this guidance: