audit_template.md: 23 additions & 18 deletions
@@ -47,10 +47,13 @@ If actions have run in the last 6 months then actions shall remain enabled:
47
47
48
48
### Rules/Rulesets Tab
49
49
-[ ] The repository uses the current rulesets
50
+
-[ ] If appropriate, global rules are enabled/disabled for the repo
50
51
51
52
### Actions Tab
52
53
**If actions are enabled**:
53
54
-[ ] Codecov is enabled on the repository
55
+
-[ ] Title check is enabled
56
+
-[ ] DCO check is enabled
54
57
55
58
### Webhooks Tab
56
59
-[ ] All webhooks present are needed and in use
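Review bot: the two new Actions-tab items, "Title check is enabled" and "DCO check is enabled", overlap with the existing App Integrations item "DCO-2 is configured as the DCO check" further down the template; if the DCO check is enforced by the DCO-2 GitHub App rather than by a workflow, an auditor looking only at the Actions tab will not find it and will fail the item. Say which of the two is authoritative (workflow or app), or reword the Actions item to "a DCO status check is required" and point at the App Integrations item. Also, "If appropriate, global rules are enabled/disabled for the repo" gives the auditor no criterion: state which organization rulesets are expected to apply and under what condition a repository may opt out, otherwise this box will be ticked inconsistently across audits.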
@@ -66,23 +69,27 @@ If actions have run in the last 6 months then actions shall remain enabled:
66
69
### GitHub Apps
67
70
-[ ] Code Coverage Reporting
68
71
-[ ] CodeQL is enabled on the repository
72
+
-[ ] Codacy is enabled on the repository
69
73
70
74
## App Integrations
71
75
-[ ] Dependabot is configured to monitor all relevant ecosystems (verify through `dependabot.yaml` file)
72
-
- npm
73
-
- electron
74
-
- github actions
75
-
- etc.
76
+
- Link to [relevant ecosystems](https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories)
76
77
-[ ] DCO-2 is configured as the DCO check
77
78
78
-
### Code Formatting
79
-
-[ ] NodeJS Projects use ESLint/Prettier formatting
80
-
-[ ] Java Projects use Checkstyle/Spotless formatting
81
-
-[ ] CPP Projects use Clang Tidy
79
+
## Code Formatting
80
+
-[ ] NodeJS Projects use ESLint/Prettier formatting
81
+
-[ ] Java Projects use Checkstyle/Spotless formatting
82
+
-[ ] CPP Projects use Clang Tidy
83
+
-[ ] Rust
84
+
-[ ] Swift
85
+
-[ ] Go
86
+
87
+
## CODEOWNERS
88
+
-[ ]`.github/CODEOWNERS` is valid and up-to-date
82
89
83
90
# Workflow Audit Criteria
84
91
85
-
###Security Checks in Workflows
92
+
## Security Checks in Workflows
86
93
-[ ] Secrets Management In Workflow Files (`/.github/workflows/`)
87
94
-[ ] No hardcoded secrets in the workflow files or code
88
95
-[ ] Secrets are referenced in CI via config files or environment variables
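Review bot: the new Rust, Swift and Go entries under "## Code Formatting" name no tool, unlike the ESLint/Prettier, Checkstyle/Spotless and Clang Tidy lines directly above them, so there is nothing for an auditor to verify; either name the expected formatter/linter for each or mark them "tooling TBD" so they are not silently ticked. Replacing the explicit Dependabot ecosystem list (npm, electron, github actions, etc.) with a link to the supported-ecosystems page also drops `github-actions`, which is the one ecosystem the later "All workflow actions are using pinned commits" item depends on, since Dependabot is what keeps SHA-pinned action references current; consider keeping "at minimum `github-actions`, plus every package ecosystem present in the repository" as text next to the link rather than relying on the auditor to derive it.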
@@ -91,24 +98,22 @@ If actions have run in the last 6 months then actions shall remain enabled:
91
98
- integrity checks should use either checksums or cryptographic hashes for verification
92
99
-[ ] Checksums/hashes are verified during CI process to detect unauthorized changes
93
100
-[ ] Expected checksums/hashes are stored securely and referenced through the CI pipeline
101
+
-[ ] Use pinned versions of Docker files
94
102
-[ ]`npx playwright install deps` is used to install OS dependencies instead of `aptitude`
95
103
96
-
###Workflow checks
104
+
## Workflow checks
97
105
98
-
-[ ] Appropriate permissions are set within the github workflows
106
+
-[ ] Appropriate permissions are set within the GitHub workflows
99
107
-[ ] All steps are named
100
108
-[ ] All workflow actions are using pinned commits
101
-
-[ ] The Step-Security Hardened Security action is enabled on each workflow job
109
+
-[ ] The step-security hardened security action is enabled on each workflow job
110
+
-[ ] If the step-security dashboard reports action with score of <6, request a step-security version of the action
102
111
103
-
###Self Hosted Runners
112
+
## Self Hosted Runners
104
113
105
114
-[ ] The Repository is using the latitude runner group label for the `runs-on` stanza
106
115
107
-
### CODEOWNERS
108
-
109
-
-[ ]`.github/CODEOWNERS` is valid and up-to-date
110
-
111
-
### Other
116
+
## Other
112
117
113
118
-[ ]*If Applicable*: Alert repository owners of software versions that are no longer supported
114
119
-[ ]*If Applicable*: Alert repository owners when software versions are within 3 months of losing support
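Review bot: "Use pinned versions of Docker files" is too loose to audit: a pinned tag such as `node:20` is still a mutable reference, so the item should require base images (in Dockerfiles and in any `container:` or `services:` image used by workflows) to be pinned by digest, `image@sha256:…`, matching the commit-pinning requirement for actions a few lines below. In the unchanged line right after it, `npx playwright install deps` is not a Playwright command; the OS-dependency installer is `npx playwright install-deps` (or `npx playwright install --with-deps`), so the template as written sends auditors looking for a command that does not exist. The new "<6" item should read "reports an action with a score below 6" and say which step-security score is meant, otherwise the threshold cannot be checked consistently.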