Confirmed users
1,351
edits
GitHub/Repository Security: Difference between revisions
m
switch to using "pre"
(remove lang=) |
m (switch to using "pre") |
||
| Line 39: | Line 39: | ||
== Membership == | == Membership == | ||
< | <pre> | ||
- [ ] All GitHub accounts granted specific access to a sensitive repository need to have a current email contact address recorded in a Mozilla system. (GitHub does not provide this feature.) For staff, that should be done in the "Github Username" field of their phonebook record, for others GitHub should be added as a "Profile Identity" in their Mozillians record, and their login added to the "Bio" section. | - [ ] All GitHub accounts granted specific access to a sensitive repository need to have a current email contact address recorded in a Mozilla system. (GitHub does not provide this feature.) For staff, that should be done in the "Github Username" field of their phonebook record, for others GitHub should be added as a "Profile Identity" in their Mozillians record, and their login added to the "Bio" section. | ||
- [ ] All GitHub accounts must use 2FA | - [ ] All GitHub accounts must use 2FA | ||
- [ ] Any member given elevated permissions to a repository should be told that it is their responsibility to contact organization owners and repository admins if they ever suspect or know that any of their GitHub credentials have been leaked or compromised. (This includes any Personal Access Tokens generated by the user.) | - [ ] Any member given elevated permissions to a repository should be told that it is their responsibility to contact organization owners and repository admins if they ever suspect or know that any of their GitHub credentials have been leaked or compromised. (This includes any Personal Access Tokens generated by the user.) | ||
</ | </pre > | ||
== Repository == | == Repository == | ||
< | <pre> | ||
- [ ] Sensitive repositories should only be hosted in a GitHub organization operated by Mozilla staff. | - [ ] Sensitive repositories should only be hosted in a GitHub organization operated by Mozilla staff. | ||
- [ ] The hosting organization should have 2FA set as a requirement. | - [ ] The hosting organization should have 2FA set as a requirement. | ||
| Line 57: | Line 57: | ||
- [ ] Important milestone achievement criteria should include an audit all relevant verified commits. | - [ ] Important milestone achievement criteria should include an audit all relevant verified commits. | ||
- [ ] Elevated permissions should be granted to teams, not individual accounts, whenever possible. (Only org members can be part of a team.) | - [ ] Elevated permissions should be granted to teams, not individual accounts, whenever possible. (Only org members can be part of a team.) | ||
</ | </pre > | ||
= Implementation = | = Implementation = | ||