Secure the SCM Platform
[TBD]
Outcome
- Repository access is restricted using a least privilege approach, granting only the necessary permissions to each user or team.
- Pull request merges require approval from designated code owners to ensure proper oversight and code quality.
- Monitoring is in place to detect and alert on any attempts to bypass access restrictions or review requirements.
- CI/CD pipelines (e.g., GitHub Workflows, GitLab CI Pipelines) are reviewed and hardened to prevent malicious users from impacting deployed environments. Controls are implemented to minimize potential damage.
- Signed commits are enforced, and a verification process is in place to ensure signatures match a list of trusted users and keys.
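As an added example for the signed-commit outcome above (not code from this page or from any SCM platform's own tooling), a check that reads `git log` output with the signature-status placeholders and flags commits that are unsigned, badly signed, signed with a key outside the trusted list, or signed with a key assigned to a different author. The allow-list contents, the sample log lines and the `origin/main..HEAD` range are constructed assumptions.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# git log placeholders: %H hash, %G? signature status, %GF signing-key
# fingerprint, %ae author e-mail; fields are tab-separated (%x09).
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%ae"

# Constructed allow-list (assumption): fingerprint -> identity expected to sign with it.
TRUSTED_KEYS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01": "alice@example.com",
    "0123456789ABCDEF0123456789ABCDEF01234567": "bob@example.com",
}

@dataclass
class Finding:
    commit: str
    reason: str

def check_line(line: str, trusted: dict) -> Optional[Finding]:
    """Check one log line. %G? is G good, U/X/Y/R good but untrusted/expired/
    revoked, B bad, E key missing, N unsigned. Only G is accepted."""
    commit, status, fingerprint, author = line.rstrip("\n").split("\t")
    if status == "N":
        return Finding(commit, "unsigned commit")
    if status != "G":
        return Finding(commit, f"signature status {status!r} is not good")
    expected = trusted.get(fingerprint.upper())
    if expected is None:
        return Finding(commit, f"key {fingerprint} not in trusted list")
    if expected.lower() != author.lower():
        return Finding(commit, f"key belongs to {expected}, author is {author}")
    return None

def check_log(log_text: str, trusted: dict = TRUSTED_KEYS) -> list:
    """Return findings for every non-empty line of git log output."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return [f for f in (check_line(l, trusted) for l in lines) if f is not None]

def check_range(rev_range: str = "origin/main..HEAD") -> list:
    """Verify a real commit range (needs git and the signers' public keys)."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return check_log(out)

# Constructed sample of what the format above prints.
SAMPLE_LOG = (
    "1111111\tG\tABCDEF0123456789ABCDEF0123456789ABCDEF01\talice@example.com\n"
    "2222222\tG\tFFFFFFFF00000000FFFFFFFF00000000FFFFFFFF\tmallory@example.com\n"
    "3333333\tN\t\tbob@example.com\n"
    "4444444\tG\t0123456789ABCDEF0123456789ABCDEF01234567\talice@example.com\n"
)
```

Run `check_range()` in a pipeline step or pre-receive hook and fail the job when it returns any findings; the `mallory` commit shows why a good signature alone is not enough without the trusted-key list.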
Metrics
- Number of detected bypasses of the controls applied
- Number of exceptions granted to the controls applied
- Percentage of repositories covered
Tools & Resources
- Semgrep (Free)