From 8b769510929fc0dc15408b4820cef4972af2bbe5 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Tue, 17 Oct 2023 17:50:09 -0700 Subject: [PATCH 1/8] Rewrite of guide --- .../security/dependabot/README.md | 45 ------------- .../security/github-security/README.md | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 45 deletions(-) delete mode 100644 docs/guides/software-lifecycle/security/dependabot/README.md create mode 100644 docs/guides/software-lifecycle/security/github-security/README.md diff --git a/docs/guides/software-lifecycle/security/dependabot/README.md b/docs/guides/software-lifecycle/security/dependabot/README.md deleted file mode 100644 index 17924832a..000000000 --- a/docs/guides/software-lifecycle/security/dependabot/README.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Dependabot -A GitHub ecosystem tool for dependency version and security vulnerability analysis. - -## Automated Dependency Updates - -This Dependabot task provides an automated check for OSS component updates and automatically creates [pull requests](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates) to commit new versions. - -Starter Kit: -- [SLIM Starterkit Python -- Dependabot Script](https://github.com/NASA-AMMOS/slim-starterkit-python/blob/main/.github/dependabot.yml) to install in your GitHub repo - -To leverage Dependabot, make sure to do the following: -1. Discuss with your development team the cybersecurity best practice to regularly update OSS to latest versions and seek consensus on a workflow to accept proposed updates. -2. Add Dependabot automation to your repository, either via the **admin console** or **manually** (choose **one**): -> **Shortcut** - Copy the pre-set configuration to an identical path in your repository, e.g. `.github/dependabot.yml`. - * **Admin console:** (requires admin rights) - 1. Proceed to [enable Dependabot alerts through GitHub Settings UI](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#enabling-or-disabling-dependabot-alerts-for-a-repository). - * **Manually:** (_approach available to all committers_) - 1. Create an issue and an issue branch to implement a code change. Checkout the issue branch. - 2. Copy the Dependabot configuration file from one of the SLIM Starterkit repos -- for example, [`dependabot.yml` in the Python Starterkit](https://github.com/NASA-AMMOS/slim-starterkit-python/blob/main/.github/dependabot.yml) -- into the root of your repository at `.github/dependabot.yml`. -3. 
Modify [Dependabot configurations](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file) for your project: -> **Requirement** - Set properties to match your repository setup, including core packaging system. - * Set the `package-ecosystem` property to [match your packaging system](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in `dependabot.yml`. - * Set the `target-branch` to the [name of your default branch](https://github.com/NASA-AMMOS/slim-starterkit-python/branches) in `dependabot.yml`. - * Optionally, value-added features may be set, including such settings as [scheduling](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday), a [strategy for versioning](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy) and [pull request reviewers](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers). -4. Dependabot is now installed and detections can be tracked through the dependency graph at [`Insights` **->** `Dependency graph` **->** `Dependabot`](https://github.com/NASA-AMMOS/slim-starterkit-python/network/updates). [Pull Requests](https://github.com/NASA-AMMOS/slim-starterkit-python/pulls) also will include automatically created Dependabot merges. 
- -## Automated Security Updates - -This Dependabot task automates security scanning for [known vulnerabilities](https://github.com/advisories) in OSS components and automatically creates [pull requests](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates) to update flagged components. - -[Dependabot Security Updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates) requires [Dependabot Automated Dependency Updates](./README.md#automated-dependency-updates) (see above). Although technically part of the same automation stack, it's [enabled through the GitHub Settings UI](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#enabling-or-disabling-dependabot-security-updates-for-an-individual-repository). Optionally, dependency updates can be disabled so that only security updates create pull requests. - -> **Requirement** - Install and set up the Starter Kit for Dependabot Automated Dependency Updates. - -To leverage this template, make sure to do the following: -1. Discuss with your development team the cybersecurity best practice to regularly scan OSS components for security flaws and seek consensus on a workflow to accept proposed updates. -2. Enable Security Updates: - 1. At [`Settings` **->** `Code security and analysis` **->** `Dependabot`](https://github.com/NASA-AMMOS/slim-starterkit-java/settings/security_analysis), select the `Enable` button to turn on `Dependabot security updates`. -> **Requirement** - Admin rights are necessary to modify `Code security and analysis` settings. -3. Modify [Dependabot configurations](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file) for your project: (optional) - 1. 
If only security-related pull requests are desired, [set the `open-pull-requests-limit` property to `0` for `updates` block(s)](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit). diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md new file mode 100644 index 000000000..113306421 --- /dev/null +++ b/docs/guides/software-lifecycle/security/github-security/README.md @@ -0,0 +1,64 @@ +# GitHub Security Best Practices + +

A comprehensive guide on enhancing the security of your GitHub repositories.

+ +## Introduction + +**Background:** GitHub offers a suite of security features to help maintainers and developers protect their code and ensure the safety of their repositories. From automatically detecting vulnerabilities in dependencies to scanning for secrets and setting security policies, these tools are essential for any project, especially in today’s security-conscious environment. + +**Use Cases:** +- Protecting code repositories from known vulnerabilities in dependencies. +- Monitoring and identifying potentially harmful secrets in code. +- Establishing clear security guidelines and policies for contributors. + +## Prerequisites + +- A GitHub repository +- Familiarity with GitHub’s user interface +- Optional: Admin rights for certain configuration tasks + +## Quick Start + +[GitHub’s Security Features](https://docs.github.com/en/code-security) + +Click the link above to access an overview of the suite of security features GitHub provides for your repositories. + +## Step-by-Step Guide + +1. **Team Discussion:** Before diving into any configurations, we recommend engaging with your development team about the importance of GitHub’s security features. Establish a consensus on which ones to prioritize and implement. + +2. **Set Up Dependabot:** + - Head over to the Security tab of your repository. + - We recommend enabling Dependabot alerts to stay informed about insecure dependencies in your project. + - For added security, we suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies. + +3. **Enable Code Scanning:** + - In the Security tab of your repository, navigate to Code Scanning Alerts. + - Click on Set up code scanning. + - For optimal results, we recommend setting up the CodeQL Analysis workflow. This is a powerful, free tool provided by GitHub that meticulously scans your code for vulnerabilities across a variety of languages. 
Simply choose the CodeQL Analysis template and follow the instructions. + +4. **Enable Secret Scanning:** + - Head to the Security tab and select Secret Scanning Alerts. + - We recommend clicking on Set up secret scanning and following the step-by-step instructions provided. + +5. **Establish a Security Policy:** + - Within the Security tab, you’ll find an option to draft a SECURITY.md file. We advise using GitHub’s auto-generated template as it provides a comprehensive structure for your policy. + - We also recommend mentioning this policy in your repository’s CONTRIBUTING.md guide. This ensures potential contributors are well-informed and can adhere to the stipulated security guidelines. + +## Frequently Asked Questions (FAQ) + +- Q: Can these security features be used outside of GitHub? + A: This guide specifically focuses on GitHub’s ecosystem. While some tools might have external equivalents, the integrations and configurations here are GitHub-specific. + +## Credits + +**Authorship:** +- John Engelke (@jpl-jengelke) +- Rishi Verma (@riverma) + +**Acknowledgements:** +- GitHub for providing comprehensive security features and related documentation. + +## Feedback and Contributions + +We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/). \ No newline at end of file From bd67098b4e325b42abfdf1c4347bd4399ad67c49 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Tue, 17 Oct 2023 18:30:11 -0700 Subject: [PATCH 2/8] Update README.md Links to GH profiles for contributors. --- .../software-lifecycle/security/github-security/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index 113306421..0b1dda3f6 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md 
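Review bot: In patch 1/8, deleting `docs/guides/software-lifecycle/security/dependabot/README.md` drops the only concrete Dependabot configuration guidance in the docs: the starter-kit `.github/dependabot.yml` link, the instruction to set `package-ecosystem` and `target-branch` to match the repository, and the `open-pull-requests-limit: 0` setting for teams that want only security pull requests. The replacement file added in the same patch only says to enable features from the Security tab. Please carry those three items over into the new guide (or keep this file and link to it) so the rewrite is not a net loss of actionable content.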
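Review bot: In patch 1/8's new `github-security/README.md`, steps 2 to 4 send the reader to the `Security` tab to enable Dependabot alerts, code scanning and secret scanning, but those toggles live under `Settings` -> `Code security and analysis` (the path the deleted Dependabot guide used); the Security tab only lists the resulting alerts. Please point at the Settings page for enabling and at the Security tab for viewing. Two smaller points: CodeQL is described as "a powerful, free tool", which holds for public repositories, but private repositories need a GitHub Advanced Security licence, so add that caveat; and the file ends without a trailing newline (`\ No newline at end of file`).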
+++ b/docs/guides/software-lifecycle/security/github-security/README.md @@ -53,12 +53,12 @@ Click the link above to access an overview of the suite of security features Git ## Credits **Authorship:** -- John Engelke (@jpl-jengelke) -- Rishi Verma (@riverma) +- John Engelke [@jpl-jengelke](http://github.com/jpl-jengelke/) +- Rishi Verma [@riverma](http://github.com/riverma/) **Acknowledgements:** -- GitHub for providing comprehensive security features and related documentation. +- GitHub for providing the security features and related documentation. ## Feedback and Contributions -We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/). \ No newline at end of file +We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/). From 3b09be5d902f9c9c7a2bb38c6e2a8688792efdf0 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 11:03:46 -0700 Subject: [PATCH 3/8] Update README.md Improvements to guide. --- .../security/github-security/README.md | 42 ++++++++++++------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index 0b1dda3f6..5c01c29b0 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md @@ -1,53 +1,65 @@ # GitHub Security Best Practices -

A comprehensive guide on enhancing the security of your GitHub repositories.

+
Recommendations for enabling GitHub security features for your repositories.
## Introduction **Background:** GitHub offers a suite of security features to help maintainers and developers protect their code and ensure the safety of their repositories. From automatically detecting vulnerabilities in dependencies to scanning for secrets and setting security policies, these tools are essential for any project, especially in today’s security-conscious environment. **Use Cases:** -- Protecting code repositories from known vulnerabilities in dependencies. -- Monitoring and identifying potentially harmful secrets in code. -- Establishing clear security guidelines and policies for contributors. +- Being alerted over e-mail or GitHub notifications about known vulnerabilities in your dependencies and having pull-requests automatically created to resolve the issues. +- Being alerted if your dependencies have updated versions available. +- Being alerted if your commits have potentially harmful secrets or sensitive information within the code - including being blocked from pushing your commits. ## Prerequisites - A GitHub repository - Familiarity with GitHub’s user interface -- Optional: Admin rights for certain configuration tasks +- Admin rights for certain security configuration tasks ## Quick Start -[GitHub’s Security Features](https://docs.github.com/en/code-security) +The fastest way to enable recommended GitHub Security features is to perform it in bulk for _all_ of your repositories within a given organization. Consult [Enabling security features for multiple repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/enabling-security-features-for-multiple-repositories) for details. Organization administrative-level access is required. -Click the link above to access an overview of the suite of security features GitHub provides for your repositories. 
+We recommend enabling the below features for all your repositories: -## Step-by-Step Guide +![img](https://github.com/NASA-AMMOS/slim/assets/3129134/be02ee5f-74cb-4869-bdf2-020c184516ec) + +Specifically: +- Dependency graphs (select "Enable All") + - Select "Automatically enable for new private repositories" +- Dependabot Alerts (select "Enable All") + - Select "Automatically enable for new repositories" +- Dependabot Security Updates (select "Enable All") + - Select "Automatically enable for new repositories" +- Code Scanning (select "Enable All") + - Select the default "CodeQL high-precision queries" option + +If you do not have organizational permissions or if you wish to customize security features per repository, see our Step-by-Step guide below for repository-specific guidance. + +## Step-by-Step Guide per Repository 1. **Team Discussion:** Before diving into any configurations, we recommend engaging with your development team about the importance of GitHub’s security features. Establish a consensus on which ones to prioritize and implement. 2. **Set Up Dependabot:** - Head over to the Security tab of your repository. - We recommend enabling Dependabot alerts to stay informed about insecure dependencies in your project. - - For added security, we suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies. + - We suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies. 3. **Enable Code Scanning:** - In the Security tab of your repository, navigate to Code Scanning Alerts. - Click on Set up code scanning. - - For optimal results, we recommend setting up the CodeQL Analysis workflow. This is a powerful, free tool provided by GitHub that meticulously scans your code for vulnerabilities across a variety of languages. Simply choose the CodeQL Analysis template and follow the instructions. 
+ - We recommend enabling: + - CodeQL Analysis workflow: a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. 4. **Enable Secret Scanning:** - Head to the Security tab and select Secret Scanning Alerts. - We recommend clicking on Set up secret scanning and following the step-by-step instructions provided. -5. **Establish a Security Policy:** - - Within the Security tab, you’ll find an option to draft a SECURITY.md file. We advise using GitHub’s auto-generated template as it provides a comprehensive structure for your policy. - - We also recommend mentioning this policy in your repository’s CONTRIBUTING.md guide. This ensures potential contributors are well-informed and can adhere to the stipulated security guidelines. - ## Frequently Asked Questions (FAQ) - Q: Can these security features be used outside of GitHub? + A: This guide specifically focuses on GitHub’s ecosystem. While some tools might have external equivalents, the integrations and configurations here are GitHub-specific. ## Credits @@ -57,7 +69,7 @@ Click the link above to access an overview of the suite of security features Git - Rishi Verma [@riverma](http://github.com/riverma/) **Acknowledgements:** -- GitHub for providing the security features and related documentation. +- GitHub for providing the security features and related documentation. See [GitHub’s Security Features](https://docs.github.com/en/code-security) to access an overview of the suite of security features GitHub provides for repositories. ## Feedback and Contributions From 7ed57cda633c57b4a1bfb324e4a6452bcfb3f13e Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 11:30:00 -0700 Subject: [PATCH 4/8] Update README.md Some clearer language for per-repo settings. --- .../security/github-security/README.md | 49 +++++++++++++++---- 1 file changed, 39 insertions(+), 10 deletions(-) 
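Review bot: In patch 2/8, the author profile links added to the Credits section use `http://github.com/...`; for a guide about security hygiene, link with `https://` (GitHub redirects, but the plain-HTTP hop is avoidable), i.e. `[@jpl-jengelke](https://github.com/jpl-jengelke/)` and `[@riverma](https://github.com/riverma/)`.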
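Review bot: In patch 3/8's main hunk, the new Use Cases bullet promises that authors will be "blocked from pushing" commits that contain secrets, but neither the Quick Start checklist (Dependency graph, Dependabot alerts, Dependabot security updates, Code scanning) nor the per-repository steps enable secret scanning push protection; per-repository step 4 only says to set up secret scanning alerts. Add secret scanning and push protection to the organization-level list so the steps deliver the promised behaviour. Separately, this hunk removes the "Establish a Security Policy" step (SECURITY.md) and its use case with no replacement, which leaves the guide with no guidance on how researchers should report vulnerabilities; please keep that step or say in the commit message why it was dropped.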
diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index 5c01c29b0..f959d756a 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md 
@@ -42,26 +42,55 @@ If you do not have organizational permissions or if you wish to customize securi 1. **Team Discussion:** Before diving into any configurations, we recommend engaging with your development team about the importance of GitHub’s security features. Establish a consensus on which ones to prioritize and implement. 2. **Set Up Dependabot:** - - Head over to the Security tab of your repository. - - We recommend enabling Dependabot alerts to stay informed about insecure dependencies in your project. - - We suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies. + - Navigate to your repository and click on the `Settings` tab. + - From the left sidebar, select the `Code security and analysis` menu. + - Under the "Dependabot" section: + - We recommend enabling Dependabot alerts to stay informed about insecure dependencies in your project. + - For added security, we suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies. + - We also recommend enabling Dependabot version updates _if you are using a package manager for your project_. This will help you keep your dependencies up-to-date. To configure Dependabot version updates: + 1. Create a `.github/dependabot.yml` file in your repository. + 2. Specify the package-ecosystem, directory, and schedule for the updates. For example: + ```yml + version: 2 + updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + ``` + - To view Dependabot alerts and version updates: + - Head back to the main page of your repository. + - Click on the `Security` tab. Here, you can select `Dependabot alerts` to view security alerts, and you can see version updates in the `Pull requests` tab labeled with "Dependabot". + 3. **Enable Code Scanning:** - - In the Security tab of your repository, navigate to Code Scanning Alerts. 
- - Click on Set up code scanning. - - We recommend enabling: - - CodeQL Analysis workflow: a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. + - In the `Code security and analysis` menu from the `Settings` tab: + - Click on the `Code scanning alerts` setup button. + - We recommend enabling the following workflows: + - _CodeQL Analysis workflow:_ a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. Simply choose a CodeQL Analysis template (default is acceptable) and follow the instructions. + - To view Code scanning alerts: + - Return to the repository main page. + - Click on the `Security` tab and select `Code scanning alerts`. 4. **Enable Secret Scanning:** - - Head to the Security tab and select Secret Scanning Alerts. - - We recommend clicking on Set up secret scanning and following the step-by-step instructions provided. + - In the `Code security and analysis` menu from the `Settings` tab: + - Click on the `Secret scanning` enable button. + - We recommend following the step-by-step instructions provided to enable Secret Scanning. + - We recommend enabling "Push protection" for blocking commits containing secrets + - To view Secret scanning alerts: + - Navigate to the repository main page. + - Click on the `Security` tab and select `Secret scanning alerts`. ## Frequently Asked Questions (FAQ) -- Q: Can these security features be used outside of GitHub? +- **Q: Can these security features be used outside of GitHub?** A: This guide specifically focuses on GitHub’s ecosystem. While some tools might have external equivalents, the integrations and configurations here are GitHub-specific. +- **Q: If I receive security alerts, what should I do and how soon should I act?** + + A: When you receive a security alert, it indicates a potential vulnerability in your repository. First, review the details of the alert to understand the severity and the affected component. 
Address critical vulnerabilities immediately, as they can pose a significant risk to your project. For less severe alerts, plan to address them in a timely manner. Always keep in mind that the sooner you act on security alerts, the better you can protect your code and users from potential threats. + ## Credits **Authorship:** From d11dea152a58fff6e4a08f0e0c1d9e650610c6b3 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 11:31:33 -0700 Subject: [PATCH 5/8] Update README.md Move team discussion as a pre-req. --- .../security/github-security/README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index f959d756a..fd16e5de6 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md @@ -16,6 +16,7 @@ - A GitHub repository - Familiarity with GitHub’s user interface - Admin rights for certain security configuration tasks +- Team discussion: before diving into any configurations, we recommend engaging with your development team about the importance of GitHub’s security features. Establish a consensus on which ones to prioritize and implement. ## Quick Start @@ -39,9 +40,7 @@ If you do not have organizational permissions or if you wish to customize securi ## Step-by-Step Guide per Repository -1. **Team Discussion:** Before diving into any configurations, we recommend engaging with your development team about the importance of GitHub’s security features. Establish a consensus on which ones to prioritize and implement. - -2. **Set Up Dependabot:** +1. **Set Up Dependabot:** - Navigate to your repository and click on the `Settings` tab. - From the left sidebar, select the `Code security and analysis` menu. - Under the "Dependabot" section: 
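Review bot: In patch 4/8's hunk, the secret-scanning bullet says push protection is "for blocking commits containing secrets"; push protection rejects the push, the commit already exists in the local history and still has to be amended or rewritten before it can be pushed, so say "blocking pushes" and add the missing full stop. In the same hunk the `dependabot.yml` example hard-codes `package-ecosystem: "npm"`; since the guide serves non-JavaScript projects, state that this value must match the project's package manager, and mention `open-pull-requests-limit: 0` for teams that want Dependabot security PRs without version-bump PRs (guidance the deleted Dependabot guide carried).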
@@ -63,7 +62,7 @@ If you do not have organizational permissions or if you wish to customize securi - Click on the `Security` tab. Here, you can select `Dependabot alerts` to view security alerts, and you can see version updates in the `Pull requests` tab labeled with "Dependabot". -3. **Enable Code Scanning:** +2. **Enable Code Scanning:** - In the `Code security and analysis` menu from the `Settings` tab: - Click on the `Code scanning alerts` setup button. - We recommend enabling the following workflows: @@ -72,7 +71,7 @@ If you do not have organizational permissions or if you wish to customize securi - Return to the repository main page. - Click on the `Security` tab and select `Code scanning alerts`. -4. **Enable Secret Scanning:** +3. **Enable Secret Scanning:** - In the `Code security and analysis` menu from the `Settings` tab: - Click on the `Secret scanning` enable button. - We recommend following the step-by-step instructions provided to enable Secret Scanning. From 173dfcf025f46d9ffaa9f843c73b48e0fc20ef19 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 11:37:58 -0700 Subject: [PATCH 6/8] Update README.md Wording improvements. Tested against a real use case repository. --- .../software-lifecycle/security/github-security/README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index fd16e5de6..da8078616 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md 
@@ -63,10 +63,8 @@ If you do not have organizational permissions or if you wish to customize securi 2. **Enable Code Scanning:** - - In the `Code security and analysis` menu from the `Settings` tab: - - Click on the `Code scanning alerts` setup button. - - We recommend enabling the following workflows: - - _CodeQL Analysis workflow:_ a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. Simply choose a CodeQL Analysis template (default is acceptable) and follow the instructions. + - In the `Code security and analysis` menu from the `Settings` tab, click the "Set Up" or enable the following workflows: + - _CodeQL Analysis workflow:_ a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. Simply choose a CodeQL Analysis template (default is acceptable) and follow the instructions. - To view Code scanning alerts: - Return to the repository main page. - Click on the `Security` tab and select `Code scanning alerts`. @@ -74,7 +72,6 @@ If you do not have organizational permissions or if you wish to customize securi 3. **Enable Secret Scanning:** - In the `Code security and analysis` menu from the `Settings` tab: - Click on the `Secret scanning` enable button. - - We recommend following the step-by-step instructions provided to enable Secret Scanning. - We recommend enabling "Push protection" for blocking commits containing secrets - To view Secret scanning alerts: - Navigate to the repository main page. From 25ca65762e02ef55328c7bd8cc1dbd7a28ec7a58 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 15:16:49 -0700 Subject: [PATCH 7/8] Update README.md Feedback from jpl-jengelke --- .../software-lifecycle/security/github-security/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
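Review bot: In patch 6/8's code-scanning hunk, the new sentence `click the "Set Up" or enable the following workflows:` is ungrammatical and mixes two instructions; suggest `click "Set up" next to Code scanning and enable the following workflow:` since only the CodeQL Analysis workflow is listed beneath it.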
diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index da8078616..a50a44ce7 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md @@ -95,7 +95,8 @@ If you do not have organizational permissions or if you wish to customize securi **Acknowledgements:** - GitHub for providing the security features and related documentation. See [GitHub’s Security Features](https://docs.github.com/en/code-security) to access an overview of the suite of security features GitHub provides for repositories. - +- [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/latest/) for providing a Shift Left strategy to secure all phases of development. + ## Feedback and Contributions We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/). From 3c08db6256e78065e8bda9312521c2b844a6d445 Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Wed, 18 Oct 2023 15:31:53 -0700 Subject: [PATCH 8/8] Update README.md GHE FAQ question --- .../software-lifecycle/security/github-security/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/guides/software-lifecycle/security/github-security/README.md b/docs/guides/software-lifecycle/security/github-security/README.md index a50a44ce7..1f18cc822 100644 --- a/docs/guides/software-lifecycle/security/github-security/README.md +++ b/docs/guides/software-lifecycle/security/github-security/README.md 
@@ -83,6 +83,10 @@ If you do not have organizational permissions or if you wish to customize securi A: This guide specifically focuses on GitHub’s ecosystem. While some tools might have external equivalents, the integrations and configurations here are GitHub-specific. +- **Q: Are these security features available on GitHub Enterprise?** + + A: It depends on your institution's particular version of GitHub deployed. You'll have to check your Settings tab to view the features that are provided. GitHub.com is the most up-to-date version we recommend for. + - **Q: If I receive security alerts, what should I do and how soon should I act?** A: When you receive a security alert, it indicates a potential vulnerability in your repository. First, review the details of the alert to understand the severity and the affected component. Address critical vulnerabilities immediately, as they can pose a significant risk to your project. For less severe alerts, plan to address them in a timely manner. Always keep in mind that the sooner you act on security alerts, the better you can protect your code and users from potential threats.
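Review bot: In patch 8/8's FAQ hunk, the last sentence `GitHub.com is the most up-to-date version we recommend for.` is broken; suggest `GitHub.com is the most up-to-date version and is what this guide is written against.` The answer would also help readers more if it named the dependency: on GitHub Enterprise Server, code scanning and secret scanning require a GitHub Advanced Security licence and Dependabot alerts require GitHub Connect, so "check your Settings tab" alone will not tell an administrator why a feature is missing.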