cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

Home Page: https://cncf.io/projects


[Suggestion] Update security guidelines on contribute.cncf.io

linsun opened this issue · comments

Could you update the security guidelines on contribute.cncf.io (https://github.com/cncf/tag-contributor-strategy/blob/main/website/content/maintainers/security/security-guidelines.md) to include configuration of repository settings which will require an approval from one of the repository owners/maintainers instead of starting a build for each created pull request?

Please refer to GitHub's details here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories

This should be recommended as best practices for projects. Let me know if you have any questions. cc @TheFoxAtWork and @tpepper
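As an added example that is not part of this issue thread or of the CNCF guidelines, a small stdlib-only Python check a maintainer could run over workflow files alongside the repository setting requested above: it flags workflows in which a fork's pull request could run with the base repository's secrets. The sample workflows and the `Finding` / `audit_workflow` names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample workflows (not from the issue); used as example input.
SAFE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Heuristic text patterns; a full YAML parse is not needed to spot these.
PRT = re.compile(r"\bpull_request_target\b")          # event runs in base-repo context, secrets available
HEAD_REF = re.compile(r"github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)")  # PR-controlled code
SECRET = re.compile(r"\$\{\{\s*secrets\.")             # workflow reads repository secrets

@dataclass
class Finding:
    severity: str
    message: str

def audit_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text; empty list means nothing flagged."""
    findings = []
    uses_prt, checks_out_head, uses_secrets = (bool(p.search(text)) for p in (PRT, HEAD_REF, SECRET))
    if uses_prt and checks_out_head:
        findings.append(Finding("high", "pull_request_target checks out the PR head: fork code would run with base-repo secrets"))
    elif uses_prt and uses_secrets:
        findings.append(Finding("medium", "pull_request_target uses secrets: confirm no step executes PR-controlled code"))
    if not uses_prt and uses_secrets:
        findings.append(Finding("info", "pull_request run references secrets; they are withheld from fork PRs, but the run still starts unless approval is required"))
    return findings
```

The "require approval" repository setting controls whether a fork's run starts at all; this check complements it by catching workflows that would hand secrets to fork-controlled code even when a run is approved.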

A question was raised on today's TAG call:

Is this intended to be TAG Security guidance, or is this a call for contributions from STAG members?

The security guidelines on the contribute.CNCF.io site were contributed by TAG Security to provide projects with guidance on securing their project and repo; it was intended to pull together elements from the self assessment and best practices in a central location for project maintainers.

This request to update those guidelines is, in addition to refreshing them for current best practices, intended to reduce the probability of uninformed security researchers or malicious entities successfully exfiltrating secrets from projects leveraging GitHub Actions. How the TAG chooses to facilitate this update is up to you all!

We would like to ensure project maintainers are receiving the benefit of the STAG's expertise in securing their codebase.

@eddie-knight does this additional context answer the question?

Thanks for the quick reply @TheFoxAtWork

Per @mnm678, we'll reach out to TAGCS and then document the relationship somewhere, so that the work is tracked and can be maintained over time.

Of course! Some additional context:
All the security content (templates and guidance) was contributed by TAG Security previously (I did the templates when I was an active member, and @ragashreeshekar, I believe, worked on the guidance). The guidance was a request from the TOC liaison at the time (also me) to ensure projects had a central location (contribute.cncf.io) to get all their resources, guides, and templates for starting and maintaining their project rather than searching through TAG repos for content of interest/relevance that may not be written in a manner that is easily actionable.

We just spoke with TAGCS and concluded that we will:

  • Copy maintainer recommendations to an appropriate location in this repo
  • Update recommendations
  • Populate recommendations to our website (#1257)
  • Update the TAGCS website with a general overview and a link to the detailed recommendation on our website.

Awesome thank you for the follow-up!