Skip to content

initiatives#286

Merged
houdini91 merged 192 commits into
devfrom
dev-preview/initiatives
May 22, 2025
Merged

initiatives#286
houdini91 merged 192 commits into
devfrom
dev-preview/initiatives

Conversation

@cppvik

@cppvik cppvik commented Dec 12, 2024

Copy link
Copy Markdown
Contributor

This pull request introduces a new documentation section for configuration and initiatives, including a comprehensive guide for securing software pipelines. The key changes are the addition of new category files and detailed documentation for a secure pipeline blueprint.

New documentation sections:

Blueprint for Secure Pipelines:

  • docs/configuration/initiatives/bp1.md: Added a detailed document outlining best practices and technical guidelines for securing software pipelines. This includes control descriptions, mitigations, rules, and evidence defaults.

@cppvik
cppvik changed the base branch from master to dev December 12, 2024 09:59
@netlify

netlify Bot commented Dec 12, 2024

Copy link
Copy Markdown

Deploy Preview for scribe-security ready!

Name Link
🔨 Latest commit 1d52e59
🔍 Latest deploy log https://app.netlify.com/projects/scribe-security/deploys/6829bcc27584900008df02b8
😎 Deploy Preview https://deploy-preview-286--scribe-security.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Comment thread docs/guides/enforcing-sdlc-initiative.md Outdated
Comment thread docs/guides/enforcing-sdlc-initiative.md Outdated

Note that in this case `valint` filtered out `SSDF-IMAGE` rules because it wasn't provided with the right target.

### Whole initiative verification

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should include a paragraph to explain how to require a initiative evidence be signed and the resulted table showcasing the signed evidence verification.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I explain it in the Reading the Results section and also in the configuratino field description, do you think it's not enough?

@netlify

netlify Bot commented Feb 5, 2025

Copy link
Copy Markdown
Comment has been resolved by Viktor Kartashov

dn left a comment:

"Released binaries must be built by Azure DevOps from a specific git repository and have unsigned SLSA provenance." please remove. the thumb rule is 3 examples, and this one is complicated and not realistic.

Browser metadata
Path:      /docs/guides/enforcing-sdlc-initiative/
Browser:   Chrome 132.0.0.0 on Mac OS 10.15.7
Viewport:  2499 x 1251 @1x
Language:  en-US
Cookies:   Enabled

Open in BrowserStack

Open Deploy Preview · Mark as Unresolved

@cppvik
cppvik requested a review from Copilot March 25, 2025 17:11

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces a large set of new documentation pages that detail various security policy rules and initiatives for Scribe. Key changes include:

  • New rule documentation for multiple platforms (Bitbucket, GitHub, GitLab, Jenkins, etc.) with usage examples, mitigation strategies, and evidence requirements.
  • Updates to Scribe API-based rules and initiatives, including a blueprint for secure pipelines.
  • An updated initiatives index that organizes these new documents.

Reviewed Changes

Copilot reviewed 229 out of 236 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md New rule doc for allowed Bitbucket project admins
docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md New rule doc for allowed Bitbucket repository admins
docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md New rule doc for allowed Bitbucket repository users
docs/configuration/initiatives/rules/bitbucket/project/allow-users.md New rule doc for allowed Bitbucket project users
docs/configuration/initiatives/rules/api/scribe-api-cve-product.md New rule doc for Scribe API CVE product verification
docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md New rule doc for Bitbucket project token expiration controls
docs/configuration/initiatives/rules/api/scribe-api-cve.md New rule doc for Scribe API CVE vulnerability verification
docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md New rule doc for preventing exposed credentials in Bitbucket projects
docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md New rule doc for branch protection in Bitbucket repositories
docs/configuration/initiatives/index.md Updated initiatives index for organizing documentation
docs/configuration/initiatives/rules/api/scribe-api-published.md New rule doc for Scribe Published Policy
docs/configuration/initiatives/bp1.md New blueprint for secure pipelines initiative documentation
docs/configuration/initiatives/rules/api/scribe-api.md New rule doc for applying the Scribe API template policy
Files not reviewed (7)
  • docs/configuration/category.json: Language not supported
  • docs/configuration/initiatives/category.json: Language not supported
  • docs/configuration/initiatives/rules/category.json: Language not supported
  • docs/configuration/initiatives/rules/api/category.json: Language not supported
  • docs/configuration/initiatives/rules/bitbucket/category.json: Language not supported
  • docs/configuration/initiatives/rules/bitbucket/project/category.json: Language not supported
  • docs/configuration/initiatives/rules/bitbucket/repository/category.json: Language not supported

Comment thread docs/configuration/initiatives/rules/api/scribe-api-cve-product.md Outdated
Comment thread docs/configuration/initiatives/rules/api/scribe-api-cve.md Outdated
Comment on lines +31 to +32
Ensure that all critical or high severity vulnerabilities are addressed before delivering the product.

Copilot AI Mar 25, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mitigation text does not match the rule's purpose, which is to verify that the image Scribe Publish flag is set. Please update the mitigation to align with the rule description.

Suggested change
Ensure that all critical or high severity vulnerabilities are addressed before delivering the product.
Ensure that the Scribe Publish flag is set for all container images before delivering the product.

Copilot uses AI. Check for mistakes.
Comment thread docs/configuration/initiatives/rules/api/scribe-api.md
cppvik and others added 24 commits April 2, 2025 09:29
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…t.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
(attempt to fix broken build)

This reverts commit 51c646e.
@houdini91
houdini91 marked this pull request as ready for review May 22, 2025 11:52
@houdini91
houdini91 merged commit 3bf4911 into dev May 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants