From 21caaf196c04b690b2bef52d1598174e21f01696 Mon Sep 17 00:00:00 2001 From: Chris Hopkins Date: Fri, 21 Nov 2025 14:53:07 +0000 Subject: [PATCH 1/4] Update the go live instructions Signed-off-by: DBT pre-commit check --- .pre-commit-config.yaml | 2 +- SECURITY.md | 4 ++-- REOPENING_GO_LIVE.md => SECURITY_CHECKLIST.md | 22 ++++++++++++++----- 3 files changed, 19 insertions(+), 9 deletions(-) rename REOPENING_GO_LIVE.md => SECURITY_CHECKLIST.md (71%) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e8e38ac..080b6a2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/uktrade/github-standards - rev: v0.0.19 + rev: v1.0.1 hooks: - id: validate-security-scan - id: run-security-scan diff --git a/SECURITY.md b/SECURITY.md index d932c5d..c5b0f60 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -30,11 +30,11 @@ The uktrade account makes use of custom github properties to enforce branch prot ### Code scanning -All uktrade repositories with the new security policied applied have CodeQL scanning enabled. Individual repositories can apply their own advanced scanning rules if required +All uktrade repositories with the new security policy applied have CodeQL scanning enabled. Individual repositories can apply their own advanced scanning rules if required ### Push protection -To block known secrets being commited into github, all repositories with the new security policied applied will have push protection enabled and enforced. +To block known secrets being committed into github, all repositories with the new security policy applied will have push protection enabled and enforced. ### Branch protection diff --git a/REOPENING_GO_LIVE.md b/SECURITY_CHECKLIST.md similarity index 71% rename from REOPENING_GO_LIVE.md rename to SECURITY_CHECKLIST.md index f99a626..d14e524 100644 --- a/REOPENING_GO_LIVE.md +++ b/SECURITY_CHECKLIST.md 
@@ -27,12 +27,22 @@ To add the new security policy, follow these instructions: 1. Scroll down to the **Apply configurations** sections, and enter the name of the repository to be made public in the filter input field 1. Use the checkbox next to the results list to select all repositories being made public, then use the **Apply configuration** button to select the **Default DBT security** configuration 1. A confirmation modal will appear displaying a summary of the action being made. Click the apply button -1. In the repository that has had the new policy applied, nvaigate to the **Advanced Security** page in the repository settings. At the top of the page there should be a banner message **Modifications to some settings have been blocked by organization administrators.** +1. In the repository that has had the new policy applied, navigate to the **Advanced Security** page in the repository settings. At the top of the page there should be a banner message **Modifications to some settings have been blocked by organization administrators.** + +## Ensure CODEOWNERS file exists + +The organisation rulesets require a CODEOWNERS file to be present in the repository. If you don't already have one of these, github has produced [documentation explaining](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) what they are and why they are used. + +## Copying the SECURITY_CHECKLIST.md file + +To allow tracking of repositories that have successfully completed the reopening process, this file must be copied to the root of your repository and each of the items in the Checklist marked as completed ## Checklist -- [ ] `pre-commit` installation instructions followed -- [ ] Organisation custom properties added -- [ ] DBT security policy applied -- [ ] Organisation rulesets are applied. 
This should happen automatically once the custom properties are added, but it can be verified in the /settings/rules page -- [ ] A CODEOWNERS file has been created at the root of the repo +- [ ] Setup the pre-commit hook framework +- [ ] Setup custom properties on the repository +- [ ] Apply the correct github security policy +- [ ] Ensure CODEOWNERS file exists +- [ ] Copying the SECURITY_CHECKLIST.md file +- [ ] Wording TBC - understanding risk of committing to public repos +- [ ] Link TBC - link to understanding github security From 237d35c1e24f3057453d83be4138b3560457900e Mon Sep 17 00:00:00 2001 From: Chris Hopkins Date: Mon, 24 Nov 2025 20:59:10 +0000 Subject: [PATCH 2/4] Added additional custom prop description Signed-off-by: DBT pre-commit check --- SECURITY_CHECKLIST.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY_CHECKLIST.md b/SECURITY_CHECKLIST.md index d14e524..99ae2be 100644 --- a/SECURITY_CHECKLIST.md +++ b/SECURITY_CHECKLIST.md @@ -18,6 +18,7 @@ A set of github tags have been created at an organisation level, these must be a - `is_docker`: If this repository builds a docker image, this tag should be added to run docker related github workflows - `language`: All languages used by this repository should be selected, and github workflows will run with dedicated checks on that language. +- `ddat_portfolio`: The portfolio inside DDAT this repository belongs to. If your portfolio is missing, this can be added by raising an SRE ticket. ## Apply the correct github security policy From 349de9c92a62540f58c7b18244075b990b5164b0 Mon Sep 17 00:00:00 2001 From: Chris Hopkins Date: Tue, 25 Nov 2025 14:47:15 +0000 Subject: [PATCH 3/4] Update PR based on comments Signed-off-by: DBT pre-commit check --- SECURITY_CHECKLIST.md | 60 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/SECURITY_CHECKLIST.md b/SECURITY_CHECKLIST.md index 99ae2be..51aaaeb 100644 --- a/SECURITY_CHECKLIST.md 
+++ b/SECURITY_CHECKLIST.md @@ -1,3 +1,27 @@ +# Security Checklist + +This checklist is designed to make it easier to improve the security posture of a GitHub repository. + +- It is mandatory for public repositories. +- This checklist must be copied over to the root of the repository. +- The repository steward is responsible for populating the checklist, or at least approving the related pull request. +- Any feedback should be shared with the GitHub Security working group. + For more details about the security features please refer to the [GitHub Standards](https://github.com/uktrade/github-standards) repo. + +## Checklist + +- [ ] [Setup the pre-commit hook framework](#setup-the-pre-commit-hook-framework) +- [ ] [Setup custom properties on the repository](#setup-custom-properties-on-the-repository) +- [ ] [Apply the correct github security policy](#apply-the-correct-github-security-policy) +- [ ] [Ensure CODEOWNERS file exists](#ensure-codeowners-file-exists) +- [ ] [Copying the SECURITY_CHECKLIST.md file](#copying-the-security_checklistmd-file) +- [ ] Wording TBC - understanding risk of committing to public repos +- [ ] Link TBC - link to understanding github security +- [ ] [Add Steward to Repository access](#add-at-least-one-steward-to-repository-access) +- [ ] [Review and limit maintainers with admin rights to the strict minimum](#review-and-limit-maintainers-with-admin-rights-to-the-strict-minimum) +- [ ] [Review Pull Request template](#review-pull-request-template) +- [ ] [Review SECURITY.md policy](#review-securitymd-policy) + ## Setup the pre-commit hook framework Several uktrade repositories already make use of the pre-commit framework for flagging code quality issues before pushing. Even in the repositories that have the pre-commit framework installed, it is still optional for an individual engineer to either avoid configuring the commit hooks, or skipping them entirely using the `--no-verify` cli argument. 
@@ -13,12 +37,12 @@ A set of github tags have been created at an organisation level, these must be a ### Mandatory custom properties - `reusable_workflow_opt_in`: This one has to be applied and set to `true` to allow this repository to apply the correct organisation branch protection ruleset and run the necessary github workflows on each PR +- `ddat_portfolio`: The portfolio inside DDAT this repository belongs to. If your portfolio is missing, this can be added by raising an SRE ticket. ### Optional custom properties - `is_docker`: If this repository builds a docker image, this tag should be added to run docker related github workflows - `language`: All languages used by this repository should be selected, and github workflows will run with dedicated checks on that language. -- `ddat_portfolio`: The portfolio inside DDAT this repository belongs to. If your portfolio is missing, this can be added by raising an SRE ticket. ## Apply the correct github security policy 
@@ -38,12 +62,30 @@ The organisation rulesets require a CODEOWNERS file to be present in the reposit To allow tracking of repositories that have successfully completed the reopening process, this file must be copied to the root of your repository and each of the items in the Checklist marked as completed -## Checklist +## Add at least one steward to repository access -- [ ] Setup the pre-commit hook framework -- [ ] Setup custom properties on the repository -- [ ] Apply the correct github security policy -- [ ] Ensure CODEOWNERS file exists -- [ ] Copying the SECURITY_CHECKLIST.md file -- [ ] Wording TBC - understanding risk of committing to public repos -- [ ] Link TBC - link to understanding github security +To ensure correct governance of a repository, at least one steward must be added. This will usually be the most senior engineer on the team. To add a steward to a repository: + +1. Open the `Collaborators and teams` settings page. The url for this is `https://github.com/uktrade/REPO_NAME/github-standards/settings/access` +1. Use the `Add people` button to open the people finder autocomplete box. +1. Find and click the user who is going to be a steward +1. On the Choose a role page, select the `Steward` role. +1. Repeat for any additional users who are going to be a steward + +## Review and limit maintainers with admin rights to the strict minimum + +You should review who has been assigned the github `admin` role. The `write` role is sufficient to allow team members to commit changes and raise pull requests + +## Review Pull Request template + +If your repository does not already contain a pull_request_template.md file, by default you will inherit the template from this repository. 
If you are already using your own template, you should add this section to remind reviewers they should be ensuring no secret values are visible + +``` +## Reviewer Checklist + +- [ ] I have reviewed the PR and ensured no secret values are present +``` + +## Review SECURITY.md policy + +This repository contain the SECURITY.md file, which is inherited by all repositories in the uktrade organisation account. This file should be read and understood by the repository steward, and discussed with the team to ensure all engineers understand the tooling that has been put in place From 9e7691afe8e2270e1fb4967ee685f3c052e449ff Mon Sep 17 00:00:00 2001 From: Chris Hopkins Date: Tue, 25 Nov 2025 16:49:30 +0000 Subject: [PATCH 4/4] Add ci cd diagram Signed-off-by: DBT pre-commit check --- SECURITY_CHECKLIST.md | 28 +++++++++++++++++++++------- assets/CI-CD pipeline.svg | 1 + 2 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 assets/CI-CD pipeline.svg diff --git a/SECURITY_CHECKLIST.md b/SECURITY_CHECKLIST.md index 51aaaeb..20b603e 100644 --- a/SECURITY_CHECKLIST.md +++ b/SECURITY_CHECKLIST.md @@ -6,7 +6,6 @@ This checklist is designed to make it easier to improve the security posture of - This checklist must be copied over to the root of the repository. - The repository steward is responsible for populating the checklist, or at least approving the related pull request. - Any feedback should be shared with the GitHub Security working group. - For more details about the security features please refer to the [GitHub Standards](https://github.com/uktrade/github-standards) repo. ## Checklist 
@@ -14,13 +13,13 @@ This checklist is designed to make it easier to improve the security posture of - [ ] [Setup custom properties on the repository](#setup-custom-properties-on-the-repository) - [ ] [Apply the correct github security policy](#apply-the-correct-github-security-policy) - [ ] [Ensure CODEOWNERS file exists](#ensure-codeowners-file-exists) -- [ ] [Copying the SECURITY_CHECKLIST.md file](#copying-the-security_checklistmd-file) -- [ ] Wording TBC - understanding risk of committing to public repos -- [ ] Link TBC - link to understanding github security +- [ ] [Copy the SECURITY_CHECKLIST.md file](#copy-the-security_checklistmd-file) +- [ ] [Review the GitHub CI/CD overview](#review-the-github-cicd-overview) +- [ ] [Review the GitHub Safety Tips](#review-github-safety-tips) - [ ] [Add Steward to Repository access](#add-at-least-one-steward-to-repository-access) - [ ] [Review and limit maintainers with admin rights to the strict minimum](#review-and-limit-maintainers-with-admin-rights-to-the-strict-minimum) -- [ ] [Review Pull Request template](#review-pull-request-template) -- [ ] [Review SECURITY.md policy](#review-securitymd-policy) +- [ ] [Review the Pull Request template](#review-pull-request-template) +- [ ] [Review the SECURITY.md policy](#review-securitymd-policy) ## Setup the pre-commit hook framework 
@@ -58,10 +57,19 @@ To add the new security policy, follow these instructions: The organisation rulesets require a CODEOWNERS file to be present in the repository. If you don't already have one of these, github has produced [documentation explaining](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) what they are and why they are used. -## Copying the SECURITY_CHECKLIST.md file +## Copy the SECURITY_CHECKLIST.md file To allow tracking of repositories that have successfully completed the reopening process, this file must be copied to the root of your repository and each of the items in the Checklist marked as completed +## Review the GitHub CI/CD overview + +Internal contributors to the repository should review the CI/CD overview below +![CI/CD overview](assets/CI-CD%20pipeline.svg) + +## Review GitHub Safety Tips + +Internal contributors to the repository should review the [GitHub Safety Tips](https://uktrade.atlassian.net/wiki/x/n4AEKQE) + ## Add at least one steward to repository access To ensure correct governance of a repository, at least one steward must be added. This will usually be the most senior engineer on the team. To add a steward to a repository: 
@@ -89,3 +97,9 @@ If your repository does not already contain a pull_request_template.md file, by ## Review SECURITY.md policy This repository contain the SECURITY.md file, which is inherited by all repositories in the uktrade organisation account. This file should be read and understood by the repository steward, and discussed with the team to ensure all engineers understand the tooling that has been put in place + +## More information + +For more information about GitHub security standards, please refer [to this link](https://dbis.sharepoint.com/:w:/r/sites/DDaTDirectorate/Shared%20Documents/Work%20-%20GitHub%20Security/Github%20Security%20Framework/Guidelines%20and%20Policies/GitHub%20Security%20Standards%20v0.5.docx?d=wb29cd9b99ca042deb5c0cd8d670966d9&csf=1&web=1&e=6ITbnL) + +For more details about the security features please refer to the [GitHub Standards](https://github.com/uktrade/github-standards) repo. diff --git a/assets/CI-CD pipeline.svg b/assets/CI-CD pipeline.svg new file mode 100644 index 0000000..ba382fd --- /dev/null +++ b/assets/CI-CD pipeline.svg @@ -0,0 +1 @@ + \ No newline at end of file
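Review bot: in PATCH 1/4, the `.pre-commit-config.yaml` hunk bumps the `uktrade/github-standards` hook revision from `rev: v0.0.19` to `rev: v1.0.1`, a major-version change to the `validate-security-scan` and `run-security-scan` hooks that the commit message ("Update the go live instructions") does not mention. Split it into its own commit with a note on what changed between those releases, and consider pinning `rev` to the full commit SHA of the tag rather than the tag name: a tag can be moved after the fact, and pre-commit accepts a SHA in `rev`, so a SHA pin gives the security-scan hooks a fixed, auditable source.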
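Review bot: in the PATCH 1/4 hunk for `REOPENING_GO_LIVE.md` -> `SECURITY_CHECKLIST.md` (`@@ -27,12 +27,22 @@`), the removed item `- [ ] Organisation rulesets are applied. This should happen automatically once the custom properties are added, but it can be verified in the /settings/rules page` was the only step that confirmed the organisation rulesets actually took effect on the repository; the replacement list only has "Setup custom properties on the repository", which is the input, not the outcome. Keep a verification item (for example "Confirm the organisation rulesets are active on `/settings/rules`") so that a repository with a mistyped property value or a missing `reusable_workflow_opt_in` is not ticked off as compliant. Two smaller points in the same hunk: the new "Copying the SECURITY_CHECKLIST.md file" paragraph still speaks of "repositories that have successfully completed the reopening process", which no longer matches the file's new generic name; and the `Wording TBC` / `Link TBC` placeholders are being committed into a checklist that later patches declare mandatory. Since PATCH 4/4 resolves both placeholders, squash the series so no intermediate commit ships a checklist with TBC items.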
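Review bot: PATCH 2/4 adds `ddat_portfolio` under the optional custom properties and PATCH 3/4 immediately moves it to the mandatory section; squashing the two avoids a commit where a mandatory property is documented as optional. The property text also says "this can be added by raising an SRE ticket" without saying where; a link to the ticket queue would save stewards a search.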
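Review bot: in the PATCH 3/4 hunk `@@ -1,3 +1,27 @@` for `SECURITY_CHECKLIST.md`, the new header states "It is mandatory for public repositories" while the checklist it introduces still contains `- [ ] Wording TBC - understanding risk of committing to public repos` and `- [ ] Link TBC - link to understanding github security`; a mandatory checklist should not carry unfinished items, so either drop them here or squash with PATCH 4/4 where they are replaced. Also, the line "For more details about the security features please refer to the [GitHub Standards] repo" is indented under the last bullet so it renders as part of that bullet rather than as the standalone sentence it is (PATCH 4/4 moves it, which is fine, but the intermediate commit renders oddly).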
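Review bot: in the PATCH 3/4 hunk `@@ -38,12 +62,30 @@`, the steward instructions give the access page as `https://github.com/uktrade/REPO_NAME/github-standards/settings/access`, which has both the `REPO_NAME` placeholder and `github-standards` as path segments and so resolves to nothing; the repository access settings page is `https://github.com/uktrade/REPO_NAME/settings/access`. In the same hunk, the "Review and limit maintainers with admin rights" section says which role is sufficient but not where to review assignments or what to do with surplus admins; point readers at the same `settings/access` page and ask them to downgrade to `write` (or `maintain` where that is needed) anyone who does not administer the repository. Two wording fixes: "This repository contain the SECURITY.md file" should read "contains", and both "inherit the template from this repository" and "This repository contain the SECURITY.md file" refer to "this repository", which becomes ambiguous once the file is copied to the root of another repository as the checklist requires; name `uktrade/github-standards` explicitly.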
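Review bot: in the PATCH 4/4 hunk `@@ -58,10 +57,19 @@`, the new CI/CD overview embeds the diagram with the relative path `![CI/CD overview](assets/CI-CD%20pipeline.svg)`, but the section immediately above requires this file to be copied to the root of other repositories, where no `assets/` directory exists, so the image will be broken in every copy; use an absolute URL to the asset in `uktrade/github-standards` instead. The filename `CI-CD pipeline.svg` also contains a space, which forces the `%20` escaping; renaming it to something like `ci-cd-pipeline.svg` avoids that.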
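Review bot: in the PATCH 4/4 hunk `@@ -89,3 +97,9 @@`, the "More information" link is a SharePoint sharing URL complete with its `d=`, `csf=`, `web=` and `e=` query parameters and a versioned filename (`GitHub Security Standards v0.5.docx`). Because the header declares this checklist mandatory for public repositories and requires it to be copied into each one, that sharing link will be published verbatim in every public repository that adopts it and will go stale at v0.6. Confirm that publishing the internal link is intended, and prefer a stable, non-versioned location (the `uktrade/github-standards` repo itself, or a public page) for the reference.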
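Review bot: the PATCH 4/4 hunk for `assets/CI-CD pipeline.svg` adds the whole diagram as a single line (`@@ -0,0 +1 @@`, with "No newline at end of file"), so its content cannot be reviewed in the diff. Please state in the commit message which tool exported it, and before it is published alongside a public checklist confirm the export contains no embedded `<script>` elements or external references; a pretty-printed SVG would also make future changes reviewable line by line.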