learn.microsoft.com/en-us/training/modules/maintain-secure-repository-github/2-how-to-maintain-secure-repository
Top Highlights
Clearly, we need to protect information from being disclosed to people that shouldn't have access to it. But more importantly than that, we need to ensure that the information isn't inappropriately altered or destroyed, and that it's actually destroyed when it's supposed to be.
There is a general knowledge problem
Code must be created correctly and securely
Applications must comply with rules and regulations
shift left
moving steps from a final gate at deployment time to an earlier step
Security policies that allow you to specify how to report a security vulnerability in your project by adding a SECURITY.md file to your repository.
Dependabot alerts that notify you when GitHub detects that your repository is using a vulnerable dependency or malware.
Security advisories that you can use to privately discuss, fix, and publish information about security vulnerabilities in your repository.
Code scanning that helps you find, triage, and fix vulnerabilities and errors in your code.
look for a SECURITY.md file in the root of a repository
maintain .gitignore files
Settings are inherited from parent directories, with overriding fields in new .gitignore files taking precedence over parent settings for their folders and subfolders.
You can create a branch protection rule to enforce certain workflows for one or more branches, such as requiring an approving review or passing status checks for all pull requests merged into the protected branch.
By adding a CODEOWNERS file to your repository, you can assign individual team members or entire teams as code owners to paths in your repository.
You can create the CODEOWNERS file in either the root of the repository, or in the docs or .github folder.
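To make the CODEOWNERS behaviour concrete, the following is an added example (not code from the Microsoft Learn module or from GitHub): it parses a constructed CODEOWNERS file, resolves owners for a path using GitHub's rule that the last matching pattern wins, and checks that the file lives in one of the three supported locations. It assumes a simplified subset of the gitignore-style pattern syntax, and all owners and paths in the sample are hypothetical.

```python
"""Resolve CODEOWNERS reviewers for a path (added example, simplified pattern subset)."""
import re
from typing import List, Tuple

# Constructed sample CODEOWNERS content; owners and paths are hypothetical.
SAMPLE_CODEOWNERS = """\
# Default owners for everything in the repository.
*            @org/maintainers
# CI and build configuration is reviewed by the release team.
*.yml        @org/release-team
/docs/       @org/docs-team
/src/auth/   @alice @bob
"""

# GitHub looks for the file in the root, docs/ or .github/ only.
ALLOWED_LOCATIONS = ("CODEOWNERS", "docs/CODEOWNERS", ".github/CODEOWNERS")


def _to_regex(pattern: str) -> "re.Pattern":
    """Translate one pattern into a regex. Supported subset (an assumption of
    this example): '*' matches anything except '/', '**' matches anything,
    a leading '/' anchors to the repo root, a trailing '/' matches everything
    below that directory, and a pattern with no '/' matches at any depth."""
    anchored = pattern.startswith("/")
    dir_only = pattern.endswith("/")
    core = pattern.strip("/")
    body = re.escape(core).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    prefix = "^" if anchored or "/" in core else "(^|.*/)"
    suffix = "/.*$" if dir_only else "$"
    return re.compile(prefix + body + suffix)


def parse_codeowners(text: str) -> List[Tuple[str, List[str]]]:
    """Return (pattern, owners) rules in file order, skipping comments/blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def owners_for(path: str, rules: List[Tuple[str, List[str]]]) -> List[str]:
    """Last matching rule wins, so later, more specific lines override '*'."""
    owners: List[str] = []
    for pattern, rule_owners in rules:
        if _to_regex(pattern).match(path):
            owners = rule_owners
    return owners


def is_valid_location(path: str) -> bool:
    """True only for the locations GitHub actually reads CODEOWNERS from."""
    return path in ALLOWED_LOCATIONS
```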