Add Security guidelines #16
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SamuelBeaurepaire
requested review from
defagos,
fredhdroz,
jboix,
MGaetan89 and
oiledCode
as code owners
|
defagos
reviewed
Mar 5, 2024
| @@ -9,3 +9,4 @@ | |||
| * [Contributor's Handbook](/guides/CONTRIBUTING_GUIDE.md) | |||
| * [Pull Request Manual](/guides/PULL_REQUEST_GUIDE.md) | |||
| * [Code of Conduct Guidelines](/guides/CODE_OF_CONDUCT_GUIDE.md) | |||
| * [Security policy Guidelines](/guides/SECURITY_GUIDE.md) | |||
There was a problem hiding this comment.
Suggested change
| * [Security policy Guidelines](/guides/SECURITY_GUIDE.md) | |
| * [Security Policy Guidelines](/guides/SECURITY_GUIDE.md) |
defagos
approved these changes
Mar 5, 2024
2 tasks
MGaetan89
approved these changes
Mar 6, 2024
| maintain confidentiality and control access. For open-source projects or non-sensitive content, | ||
| consider making the repository public to encourage collaboration and transparency. | ||
|
|
||
| ## Enable Dependency Graph for Private Repositories |
There was a problem hiding this comment.
Why only for private repositories?
We could also look to have Dependency Graph enabled by default for every repositories in the SRGSSR organisation: https://docs.github.com/en/code-security/getting-started/securing-your-organization
There was a problem hiding this comment.
The dependency graph is enabled for public repositories by default (and cannot be disabled AFAIK). Here is an example with our Pillarbox Apple repository:
Comment on lines
+14
to
+18
| ## Enable Dependabot Alerts, Security Updates, and Version Updates | ||
| Enable Dependabot alerts to receive notifications about vulnerable dependencies in your | ||
| repositories. | ||
| Configure Dependabot to automatically apply security updates and version updates when available. | ||
| Regularly review and merge Dependabot pull requests to keep dependencies up-to-date and secure. |
There was a problem hiding this comment.
Maybe we should also explain how to enable and configure these features? Or provide links to relevant documentation?
Comment on lines
+40
to
+41
| This template will assist you in creating a concise SECURITY POLICY for your project which should | ||
| be a `SECURITY.md` file at the root of the repository. |
There was a problem hiding this comment.
Suggested change
| This template will assist you in creating a concise SECURITY POLICY for your project which should | |
| be a `SECURITY.md` file at the root of the repository. | |
| This template will assist you in creating a concise security policy for your project, which should | |
| be a `SECURITY.md` file at the root of the repository. |
Comment on lines
+68
to
+69
| To report a vulnerability, open an issue with the "security" label on GitHub. Additionally, open a | ||
| Jira SMAC issue with a link to the GitHub issue for tracking and coordination. |
There was a problem hiding this comment.
- It's a detail, but by default, I don't think that the "security" label exists. So it would be nice to mention that it needs to be created first (or see if it's possible to create it at the organisation level)
- Add a link to Jira SMAC?
Suggested change
| To report a vulnerability, open an issue with the "security" label on GitHub. Additionally, open a | |
| Jira SMAC issue with a link to the GitHub issue for tracking and coordination. | |
| To report a vulnerability, open an issue with the "security" label on GitHub. | |
| Additionally, open a | |
| [Jira SMAC](https://srgssr-ch.atlassian.net/browse/SMAC) issue with a link to the GitHub issue for tracking and coordination. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR add security related guidelines to address issue #3
Changes Made
Checklist: