
Secure the SCM Platform

[TBD]

Outcome

  • Repository access is restricted on a least-privilege basis: each user or team holds only the permissions its role requires, and administrative roles are limited to a small, audited set of accounts.
  • Pull request merges require approval from designated code owners (for example, a CODEOWNERS file combined with a branch protection rule that requires code owner review) to ensure proper oversight and code quality.
  • Monitoring is in place to detect and alert on attempts to bypass access restrictions or review requirements, such as direct or force pushes to protected branches, changes to branch protection rules, or merges without the required approvals.
  • CI/CD pipeline definitions (e.g., GitHub Actions workflows, GitLab CI pipelines) are reviewed and hardened so that a malicious contributor cannot use them to affect deployed environments, and controls are implemented to minimize the damage a compromised pipeline can do.
  • Commit signing is enforced, and a verification process checks each signature against a maintained list of trusted users and their keys, rather than relying only on the SCM platform's "verified" indicator.
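
The last outcome is the one most often implemented incompletely: a platform's "verified" badge only says that the signature matches a key registered to some account, not that the key is one your organization trusts. The following is an added example (not code from the original page or any particular project) of the verification step it describes: it takes the output of `git log --format='%H%x09%G?%x09%GF%x09%ce' <base>..<head>` (commit hash, `%G?` signature status, signing-key fingerprint, committer e-mail, tab-separated) and rejects any commit that is unsigned, carries a bad/expired/revoked signature, or is signed by a key not on the allowlist for that committer. The `TRUSTED_KEYS` table, the e-mail addresses, the fingerprints and the sample log lines are all constructed for the example.

```python
"""Check that every commit in a range is signed by an allowlisted key.

Assumed input: one commit per line from
    git log --format='%H%x09%G?%x09%GF%x09%ce' <base>..<head>
i.e. hash, %G? status, %GF signing-key fingerprint (empty when unsigned)
and committer e-mail, separated by tabs.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Trusted committer e-mail -> fingerprints that committer may sign with.
# Constructed example data; load this from a reviewed, access-controlled
# file in a real deployment.
TRUSTED_KEYS: Dict[str, Set[str]] = {
    "alice@example.com": {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"},
    "bob@example.com": {"1234567890ABCDEF1234567890ABCDEF12345678"},
}

# git %G? codes: G = good signature from a key gpg fully trusts,
# U = good signature from a key of unknown trust (the normal case on a
# build agent that merely imported the public keys). Both are acceptable
# only if the fingerprint is on OUR allowlist; the allowlist, not gpg's
# web of trust, is the trust decision. Everything else (N unsigned,
# B bad, X/Y expired, R revoked, E key unavailable) is rejected.
GOOD_STATUSES = {"G", "U"}

GIT_FORMAT = "%H%x09%G?%x09%GF%x09%ce"


@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split git log output into (hash, status, fingerprint, email) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def check_commits(text: str, trusted: Dict[str, Set[str]] = TRUSTED_KEYS) -> List[Finding]:
    """Return one Finding per commit that fails the signing policy."""
    findings: List[Finding] = []
    for commit, status, fingerprint, email in parse_log(text):
        if status == "N":
            findings.append(Finding(commit, "unsigned commit"))
        elif status not in GOOD_STATUSES:
            findings.append(Finding(commit, f"signature status {status!r} (bad, expired, revoked or unavailable key)"))
        elif email not in trusted:
            findings.append(Finding(commit, f"committer {email} is not a trusted signer"))
        elif fingerprint.upper() not in trusted[email]:
            findings.append(Finding(commit, f"key {fingerprint} is not an allowed key for {email}"))
    return findings


def commits_ok(text: str, trusted: Dict[str, Set[str]] = TRUSTED_KEYS) -> bool:
    return not check_commits(text, trusted)


def git_log(rev_range: str) -> str:
    """Run git log in the current repo with the expected format (needs git + gpg)."""
    return subprocess.run(["git", "log", f"--format={GIT_FORMAT}", rev_range],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample log (not from a real repository), one case per line.
SAMPLE_LOG = "\n".join([
    # good signature, trusted user, allowlisted key: passes
    "a1" * 20 + "\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\talice@example.com",
    # good signature, gpg trust unknown (typical on CI), allowlisted key: passes
    "b2" * 20 + "\tU\t1234567890ABCDEF1234567890ABCDEF12345678\tbob@example.com",
    # valid signature by a trusted user but with a key not on the allowlist: rejected
    "c3" * 20 + "\tG\tFFFF0000FFFF0000FFFF0000FFFF0000FFFF0000\talice@example.com",
    # valid signature from an untrusted identity (write access, own key): rejected
    "d4" * 20 + "\tG\t9999888877776666555544443333222211110000\tmallory@example.com",
    # unsigned: rejected
    "e5" * 20 + "\tN\t\tbob@example.com",
    # bad signature: rejected
    "f6" * 20 + "\tB\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\talice@example.com",
])

if __name__ == "__main__":
    text = git_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    problems = check_commits(text)
    for p in problems:
        print(f"REJECT {p.commit[:12]}: {p.reason}")
    sys.exit(1 if problems else 0)
```

Run it as a required status check (or a pre-receive hook) on the merge range so that the third and fourth sample cases, which a platform badge would happily show as verified, fail the check. Mapping fingerprints per committer, rather than keeping one flat set of keys, is what stops a trusted user's key from being used to vouch for a commit attributed to someone else.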

Metrics

  • Number of detected bypasses of the applied controls
  • Number of exceptions granted to the applied controls
  • Percentage of repositories covered by the controls

Tools & Resources

Further Reading