Commit 3f3dd53

Quality check - secret scan - tidy (#144)
1 parent 6299701 commit 3f3dd53

File tree

1 file changed

+1
-1
lines changed

quality-checks.md

Lines changed: 1 addition & 1 deletion
@@ -44,7 +44,7 @@ We recommend tracking progress on an Engineering Quality dashboard, for example:
4444
| Integration tests | Functionality | Universal | Check interactions with other components and dependant systems. e.g. across microservices, authentication layers, database, third-party systems. Ideally includes full end-to-end testing across all components | When components are developed in isolation, it's vital that we regularly test them working together. Changes in one component can break the whole system | Builds fail if any tests fail | | |
4545
| API / contract tests | Functionality | Contextual | Check whether the API interface adheres to the agreed contract | Any API interface is an integration point with another component or a software systems. An extra care has to be taken to ensure compatibility and stability of that integration are maintained so that we don't break applications that depend on our APIs | Builds fail if any tests fail | Postman | [Automate Your API Tests with Postman](https://www.postman.com/use-cases/api-testing-automation/) |
4646
| UI tests | Functionality | Contextual | Check that the user interface components behave as expected, particularly checking the visual elements to verify that they are functioning according to requirements | As the only aspects of software that end users come into contact with, it is essential that these elements behave as expected and allow users to get only what they need from our software applications | Builds fail if any tests fail | | |
47-
| Secret scanning | Security | Universal | Check for secrets (e.g. passwords, IP addresses, etc) accidentally included in software code | This protects us against accidentally leaking secrets (in source code) which could compromise the security of the application | Covering all of the patterns listed in the <!-- markdown-link-check-disable -->[security practices](/practices/security.md#application-level-security):<!-- markdown-link-check-enable --><br/><br/>Full repository (including history) scan, and all secrets removed<br/><br/>And:<br/><br/>Local (on developer laptop) scanning to block commits containing the patterns <br/><br/>And:<br/><br/>Server-side scanning within the code repository for new commits containing the patterns| One-off scanning, and ongoing local scanning: [Git-secrets](https://github.com/awslabs/git-secrets)<br/>[GitLeaks](https://github.com/zricethezav/gitleaks)<br/><br/><br/>Code-repository scanning: TBC | <!-- markdown-link-check-disable -->[Security practices ("don't trust yourself or others")](/practices/security.md#application-level-security)<!-- markdown-link-check-enable -->|
47+
| Secret scanning | Security | Universal | Check for secrets (e.g. passwords, IP addresses, etc) accidentally included in software code | This protects us against accidentally leaking secrets (in source code) which could compromise the security of the application | Full repository (including history) scan, and all secrets removed<br/><br/>And:<br/><br/>Local (on developer laptop) scanning to block commits containing the patterns <br/><br/>And:<br/><br/>Server-side scanning within the code repository for new commits containing the patterns| <!-- markdown-link-check-disable -->[Security practices ("don't trust yourself or others")](/practices/security.md#application-level-security)<!-- markdown-link-check-enable --> | |
4848
| Security code analysis | Security | Universal | Check for indications of possible security issues (for example injection weaknesses) | This gives fast feedback about security issues: it's not as thorough as security testing, but it's much quicker to execute, so both are important to achieve both rapid and thorough security testing | | | |
4949
| Security testing | Security | Contextual | Check for security issues (for example injection weaknesses) | More thorough than security code scanning, but much slower to execute, so both are important to achieve both rapid and thorough security testing | | | |
5050
| Dependency scanning | Security | Universal | Check for security issues and vulnerabilities in dependent areas of code that are outside of our direct control | Without this we have no way of knowing of any issues or security vulnerabilities of third party components that we are not responsible for | | | |
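Review bot: dropping the "Covering all of the patterns listed in the security practices:" lead-in from the Criteria column leaves "the patterns" with no antecedent in the new row ("block commits containing the patterns" and "new commits containing the patterns" both still refer to it); either keep a short pointer to the pattern list in `/practices/security.md#application-level-security` or reword to something self-contained such as "containing known secret patterns". Separately, the security-practices link has moved from the last (reference) column into the Tools column, the position the API row uses for Postman, leaving the final cell empty, so it now reads as a tool rather than a reference; and the git-secrets, GitLeaks and "Code-repository scanning: TBC" entries are removed without the commit message ("tidy") saying whether the tool recommendations were withdrawn on purpose.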
