Move code-scan details from everything-as-code to security (#87)

* Move code-scan details from everything-as-code to security

* Update practices/security.md

Co-authored-by: Ivor Caldwell <[email protected]>

Co-authored-by: Ivor Caldwell <[email protected]>

Author: andyblundell

patterns/everything-as-code.md

@@ -20,7 +20,7 @@ Everything (including [infrastructure](../practices/cloud-services.md)) should b
   * All code is peer-reviewed and tested.
   * All code is version controlled.
 * Code changes should be automatically checked for code quality using tools like [SonarQube](https://www.sonarqube.org) (as well as via IDE plugins).
-* Code should be automatically scanned for secrets or other sensitive data using standalone tools like [GitGuardian](https://www.gitguardian.com/) or built in tools in [GitLab](https://docs.gitlab.com/ee/user/application_security/secret_detection/) or [GitHub](https://docs.github.com/en/github/administering-a-repository/about-secret-scanning).
+* Code should be automatically scanned for secrets or other sensitive data (see [security](../practices/security.md) for details)
 * Prefer well structured and expressive code over extensive documentation to avoid documentation getting out of date.
 * Design the interface prior to the implementation and choose vocabulary to make it coherent. This includes external interfaces (e.g. REST API) and internal interfaces of classes, method signatures etc.
 * Adopt test-first approach to minimise waste and increase cohesion of the code (see [testing](../practices/testing.md)).

practices/security.md

@@ -34,7 +34,10 @@
 - Prevent **[clickjacking](https://sudo.pagerduty.com/for_engineers/#clickjacking)** with `X-Frame-Options`
 - Be careful not to **leak information**, e.g. error messages, stack traces, headers
 - **Don't trust** yourself or others!
-  - Scan source code automatically for secrets or other sensitive data (see [everything as code](../patterns/everything-as-code.md) for details)
+  - Code should be automatically scanned for secrets or other sensitive data using standalone tools like [GitGuardian](https://www.gitguardian.com/) or [awslabs git-secrets](https://github.com/awslabs/git-secrets) or built in tools in [GitLab](https://docs.gitlab.com/ee/user/application_security/secret_detection/) or [GitHub](https://docs.github.com/en/github/administering-a-repository/about-secret-scanning).
+    - Review the configuration of whichever tools you use, for example [awslabs git-secrets](https://github.com/awslabs/git-secrets) does not scan for IP addresses by default, but you can change that by adding more regex expressions
+      - TO DO: add config to register regex for IP4 and IP6
+    - Ideally, run a tool like [awslabs git-secrets](https://github.com/awslabs/git-secrets) locally on developer laptops (to catch secrets at source) with a backstop of a centralised tool such as  [GitHub](https://docs.github.com/en/github/administering-a-repository/about-secret-scanning)
   - Be wary of any 3rd party JavaScript included on the page, e.g. for A/B testing, analytics
   - Pin dependencies at known versions to avoid unexpected updates
   - Scan dependencies for vulnerabilities, e.g. using [OWASP Dependency Check](https://www.owasp.org/index.php/OWASP_Dependency_Check) or [Snyk](https://snyk.io/)