|
9 | 9 | - [Code security](#code-security)
|
10 | 10 | - [Branch protection](#branch-protection)
|
11 | 11 |
|
12 |
| -This guide lays out security best practice for Github repositories. This set of practices is a minimum (nothing stops you from doing more), and they should be implemented alongside other relevant ones that contribute to [security](security.md) as a whole. These are discussed in more detail as part of the [Quality Checks](../quality-checks.md). |
| 12 | +In line with [NCSC guidance](https://www.ncsc.gov.uk/collection/developers-collection/principles/protect-your-code-repository) it is important to secure your code repository. |
13 | 13 |
|
14 |
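Review bot: the added line 12 only says securing the repository "is important" and no longer tells the reader what this page is; since the sentence that does that ("This guide describes our minimum set of requirements...") now sits two lines further down, consider opening with that and citing the NCSC link in the same breath, e.g. "In line with [NCSC guidance](...), this guide sets out our minimum requirements for securing GitHub repositories." A comma after the link would also help the sentence read, and "GitHub" (capital H) is the product's own spelling, used nowhere on this page.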
| -## Prerequisites |
15 |
| - |
16 |
| -[Publishing Code](../quality-checks.md#publishing-code) within the Quality Checks page lists a minimum set of practices that should be in place before code is published. This implies that: |
17 |
| - |
18 |
| -- Repositories can only be secure once the listed practices meet the relevant amber/green thresholds (which should also be reflected in a [Quality Dashboard](../insights/metrics.md)). |
19 |
| -- The guidelines in this page are a necessary, but not a sufficient, condition for code overall being secure. |
| 14 | +This guide describes our minimum set of requirements to secure & configure our Github repositories. This minimum set should be implemented alongside other relevant ones that contribute to [security](security.md) as a whole. These are discussed in more detail as part of the [Quality Checks](../quality-checks.md). |
20 | 15 |
|
21 | 16 | ## Access controls
|
22 | 17 |
|
23 | 18 | ### Organisation-level settings
|
24 | 19 |
|
25 |
| -- All users must have MFA enabled. |
| 20 | +- MFA must be enabled and enforced for all users. |
26 | 21 | - Baseline visibility for private repositories must be `No Permission`.
|
27 | 22 | - Ability to change repository view from private to public must be reserved to admins only.
|
28 | 23 |
|
29 | 24 | ### Repository-specific settings
|
30 | 25 |
|
31 | 26 | - In line with the [Service Manual](https://service-manual.nhs.uk/service-standard/12-make-new-source-code-open), new repositories should be public by default, unless there is good reason not to - this avoids costly rework to secure private information further down the line.
|
32 | 27 | - Private repositories must disable forking.
|
33 |
| -- There must be no outside collaborators in private repositories. |
34 |
| -- Enable abuse reporting by <!-- markdown-link-check-disable -->[accepting content reports](https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-how-contributors-report-abuse-in-your-organizations-repository)<!-- markdown-link-check-enable --> |
35 |
| -- Default branch should be called "main", not "master" - please see [](../inclusive-language.md) for guidance on how to rename the default branch |
| 28 | +- Outside collaborators must not be permitted in private repositories. |
| 29 | +- Abuse reporting must be enabled by <!-- markdown-link-check-disable -->[accepting content reports](https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-how-contributors-report-abuse-in-your-organizations-repository)<!-- markdown-link-check-enable --> |
| 30 | +- In line with [inclusive language](../inclusive-language.md) guidance, the default branch must not be named "master" - we suggest "main" - please see our [inclusive language guidance](../inclusive-language.md) for how to rename the default branch. |
36 | 31 |
|
37 | 32 | ### Teams setup
|
38 | 33 |
|
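Review bot: in the three replaced bullets (lines 28 to 30), the abuse-reporting item is the only one without a terminating full stop, and the inclusive-language item links ../inclusive-language.md twice in a single sentence with two hyphens doing duty as dashes; drop the first link and split the sentence, e.g. "The default branch must not be named \"master\"; we suggest \"main\". See our [inclusive language guidance](../inclusive-language.md) for how to rename the default branch." Keeping the "must not ... we suggest" split is fine, since it separates the hard requirement from the recommended name.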
|