practices/security-repository.md
Lines changed: 10 additions & 1 deletion
@@ -10,7 +10,7 @@ This guide lays out security best practice for Github repositories. This set of
10
10
## Access controls
11
11
### Organisation-level settings
12
12
* All users must have MFA enabled.
13
-
* Baseline visibility for private repositories must be "no permission".
13
+
* Baseline visibility for private repositories must be `No Permission`.
14
14
* Ability to change repository view from private to public must be reserved to admins only.
15
15
16
16
### Repository-specific settings
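Review bot: the backtick quoting of `No Permission` is consistent with how the later hunk marks UI labels (`Settings`, `Manage Access`, `Write`, `Admin`), but the bullet still calls this setting "visibility" while the very next bullet uses "visibility" for the private/public state of a repository; consider wording the first bullet as the organisation-wide base permission level (e.g. "Base permission for private repositories must be `No Permission`") so a reader does not confuse the default access level with repository visibility.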
@@ -19,6 +19,15 @@ This guide lays out security best practice for Github repositories. This set of
19
19
* There must be no outside collaborators in private repositories.
20
20
* Enable abuse reporting by [accepting content reports](https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-how-contributors-report-abuse-in-your-organizations-repository)
21
21
22
+
### Teams setup
23
+
Because of baseline visibility configurations, you must setup Github teams in order to provide team members access to repos. The minimum recommended setup is as follows:
24
+
* Create one team with the name of your programme (e.g. `Engineering Quality Framework`). Add all required members to this team.
25
+
* Create one child team within the team, for admins only (e.g. `Engineering Quality Framework Admins`). Add admins only to this team.
26
+
* Create a second child team, for code owners (e.g. `Engineering Quality Framework Code Owners`). Add relevant members to this team, and reference in the CODEOWNERS file (example [here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/master/CODEOWNERS)).
27
+
* For each repo in your programme (e.g. `software-engineering-quality-framework`), under the `Manage Access` option in `Settings`, set the general team to have `Write` access and the admins team to have `Admin` access.
28
+
29
+
Depending on your use case, you may want to create additional teams (e.g. a read-only access team, or different teams granting access to different projects). This is welcomed by the framework, as long as the teams provide clarity on the role they encompass, remain consistent and are applied consistently to your repos.
30
+
22
31
## Code security
23
32
* Enable, at a minimum, [Dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) alerts for vulnerabilities and respond to them appropriately.
24
33
* Disable ability to push to the default branch for everyone, admins included (`applies-to-admin` option).
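Review bot: the final step of the Teams setup grants repository access only to the general team (`Write`) and the admins team (`Admin`), so the text should state how members of the code owners child team obtain the write access that CODEOWNERS reviews depend on (membership of the parent programme team, or an explicit grant), otherwise a reader following the steps literally leaves that team with no repository permission; also "you must setup Github teams" should read "set up", and "reference in the CODEOWNERS file" is missing its object ("reference it in the CODEOWNERS file").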