Secure the SCM Platform

[TBD]

Outcome

• Repository access is restricted using a least privilege approach, granting only the necessary permissions to each user or team.
• Pull request merges require approval from designated code owners to ensure proper oversight and code quality.
• Monitoring is in place to detect and alert on any attempts to bypass access restrictions or review requirements.
• CI/CD pipelines (e.g., GitHub Workflows, GitLab CI Pipelines) are reviewed and hardened to prevent malicious users from impacting deployed environments. Controls are implemented to minimize potential damage.
• Signed commits are enforced, and a verification process is in place to ensure signatures match a list of trusted users and keys.

Metrics

• Number of detected bypasses to the controls applied
• Number of exceptions to the controls applied
• Percentage of repositories covered

Tools & Resources

• Semgrep (Free)

Further Reading

• OWASP's CI/CD Top 10
• OWASP's Secure SCM Configuration
• Enforcing device trust [and commit signatures] on code changes
• Mitigating Attack Vectors in GitHub Workflows