Closes #228 (#229) - default branch references

Author: iw-ezequiel

practices/security.md

@@ -92,9 +92,9 @@ The remainder of this page gives more detailed and specific recommendations to b
   - Only allow access for emergencies using a "break glass" pattern, e.g. using Azure AD [Privileged Identity Management](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure)
   - Audit access to production and alert for unexpected access
   - Frequently asked questions:
-    - Q: If I can't access production, how can I check data, for example to respond to a support call? A: one approach is to build a facility (which must be automated, controlled and secured - so likely to be triggered via a pipeline) to clone the production database into a short-lived and isolated copy, so that data can be checked safely without anyone accessing production. Read-replicas can potentially be used instead, but they are (obviously) limited to read-only, and will often consume more cost and energy than on-demand clones ([ARCHITECTURE-SUSTAINABILITY](https://digital.nhs.uk/about-nhs-digital/our-work/nhs-digital-architecture/principles/deliver-sustainable-services)). As above, access must be audited and strictly controlled. 
+    - Q: If I can't access production, how can I check data, for example to respond to a support call? A: one approach is to build a facility (which must be automated, controlled and secured - so likely to be triggered via a pipeline) to clone the production database into a short-lived and isolated copy, so that data can be checked safely without anyone accessing production. Read-replicas can potentially be used instead, but they are (obviously) limited to read-only, and will often consume more cost and energy than on-demand clones ([ARCHITECTURE-SUSTAINABILITY](https://digital.nhs.uk/about-nhs-digital/our-work/nhs-digital-architecture/principles/deliver-sustainable-services)). As above, access must be audited and strictly controlled.
     - Q: If I can't access production, how can I update data that is incorrect? A: to update data safely and with confidence, all data changes should be scripted, tested against production data (using a clone, as above) and applied (both for testing and to production) via delivery pipelines rather than via manual updates.
-    - Q: If I can't access production, how can I refresh static / reference data? A: as above, one approach is to script the data changes required and apply them via delivery pipelines; another approach is to build a housekeeping facility that refreshes an entire static dataset based on a file (for example CSV or JSON) - if using this approach, access and usage must be audited and strictly controlled. 
+    - Q: If I can't access production, how can I refresh static / reference data? A: as above, one approach is to script the data changes required and apply them via delivery pipelines; another approach is to build a housekeeping facility that refreshes an entire static dataset based on a file (for example CSV or JSON) - if using this approach, access and usage must be audited and strictly controlled.
 - **Secure the route** to infrastructure: all access to infrastructure (production or otherwise) must be via a secured route, for example via a hardened bastion only accessible via a VPN (with MFA challenge), and with an audit of usage.
 - Ensure infrastructure **IAM** is robust
   - Strong passwords and MFA

tools/nhsd-git-secrets/git-secrets

@@ -186,7 +186,7 @@ prepare_commit_msg_hook() {
     merge,)
       local git_head=$(env | grep GITHEAD)  # e.g. GITHEAD_<sha>=release/1.43
       local sha="${git_head##*=}"           # Get just the SHA
-      local branch=$(git symbolic-ref HEAD) # e.g. refs/heads/master
+      local branch=$(git symbolic-ref HEAD) # e.g. refs/heads/main
       local dest="${branch#refs/heads/}"    # cut out "refs/heads"
       git log "${dest}".."${sha}" -p | scan_with_fn_or_die "scan" -
       ;;

tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile

@@ -1,7 +1,7 @@
 ###################################################################################
 #
 # Uses git secrets scanner to scan raw source code for secrets
-# Same framework in the nhsd-git-secrets folder, but wrapped up in a docker image 
+# Same framework in the nhsd-git-secrets folder, but wrapped up in a docker image
 #
 # How to use:
 # 1. Create yourself a ".gitallowed" file in the root of your project.
@@ -44,7 +44,7 @@ WORKDIR /secrets-scanner/source
 RUN git init
 
 RUN echo "Downloading regex files from engineering-framework"
-RUN curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/master | tar -xz --strip=3 software-engineering-quality-framework-master/tools/nhsd-git-secrets/nhsd-rules-linux-mac.txt
+RUN curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-linux-mac.txt
 
 RUN echo "Copying allowed secrets list"
 COPY .gitallowed .