recommendations-chains.md (10 additions & 8 deletions)
@@ -13,26 +13,28 @@ Based on our readings and research, we came to the following conclusions.
13
13
14
14
CHAINS recommendations are meant to be directly applicable, with state of the art solutions.
15
15
16
-
- CHAINS recommends designing, implementing and enforcing [reproducible builds](https://arxiv.org/pdf/2104.06020)
17
-
- CHAINS recommends the usage of dependency pinning, via hashes.
16
+
-(builds) CHAINS recommends designing, implementing and enforcing [reproducible builds](https://arxiv.org/pdf/2104.06020)
17
+
-(dependencies) CHAINS recommends the usage of dependency pinning, via hashes.
18
18
- In NPM, this means using [lockfiles](https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json).
19
19
- In Maven, this means strict versions in the pom + [Maven lockfile](https://github.com/chains-project/maven-lockfile/).
20
-
- CHAINS recommends the usage of automated dependency bots such as [Renovate](<[url](https://github.com/apps/renovate)>) and Dependabot. Chains recommends activating auto-merge of dependency updates, together with a strong test suite.
21
-
- CHAINS recommends the usage of static vulnerability scanners on all commits of the main branch. This contributes to protecting against insider attacks (eg [xz](https://research.swtch.com/xz-timeline)).
22
-
- CHAINS recommends disabling dynamic evaluation of code (aka eval) in production
20
+
- CHAINS recommends the usage of automated dependency bots such as [Renovate](<[url](https://github.com/apps/renovate)>) and Dependabot. Chains recommends activating auto-merge of dependency updates, together with a strong test suite.
21
+
- CHAINS recommends pushing lockfiles to the repo, for both applications and libraries
22
+
- (CI) CHAINS recommends the usage of static vulnerability scanners on all commits of the main branch. This contributes to protecting against insider attacks (eg [xz](https://research.swtch.com/xz-timeline)).
23
+
- (eval is evil) CHAINS recommends disabling dynamic evaluation of code (aka eval) in production
23
24
- In NodeJS, this is `--disallow-code-generation-from-strings`[doc](https://nodejs.org/api/cli.html#--disallow-code-generation-from-strings)
24
-
- CHAINS recommends taking care of Github organization permissions:
25
+
-(configuration) CHAINS recommends taking care of Github organization permissions:
25
26
- Do not use default "Allow all actions and reusable workflows"
26
27
- Do not use "Require approval for all external contributor" for CI workflows
27
28
- Do no use default "Read and write permissions" for token permissions
28
29
- Tokens should all have expiration dates
29
-
- CHAINS recommends having Github tag rulesets to enforce immutable Git tags
30
+
- (pipeline) CHAINS recommends pinning pipelines, CHAINS recommends secrets in branch-restricted environments (instead of repository secrets)
31
+
- (tags & releases) CHAINS recommends having Github tag rulesets to enforce immutable Git tags
30
32
31
33
## CHAINS Encourages
32
34
33
35
These items are harder to achieve than the recommendations above, because of lack of maturity.
34
36
35
-
- CHAINS encourages transparency logs over releases/packages
37
+
- CHAINS encourages transparency logs over package registries (global and local)
36
38
- CHAINS encourages pushing build attestations on high-integrity ledgers such Sigstore/Rekor
37
39
- CHAINS encourages using functional package managers in CI (Guix, NIX)
38
40
- CHAINS encourages automated publication of SBOMs as part of the release process ([tutorial for Github release](https://chains.proj.kth.se/sbom-github.html))
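Review bot: three of the new tagged items drop the space after the Markdown list marker (`-(builds) CHAINS recommends ...`, `-(dependencies) CHAINS recommends ...`, and the `-(configuration)` line), while the other new items use `- (CI) ...`; without that space Markdown renders them as plain paragraphs rather than bullets, so change them to `- (builds) ...` and so on. The new `(pipeline)` item also packs two distinct recommendations into one run-on sentence and never says what "pinning pipelines" pins; split it into two bullets and state the target explicitly (for instance whether it is the same hash-based pinning the `(dependencies)` item recommends, applied to the workflows' own dependencies), otherwise readers cannot act on it. While this block is being edited, two pre-existing context lines are worth fixing in the same commit: the Renovate link `[Renovate](<[url](https://github.com/apps/renovate)>)` is malformed nested link syntax and should read `[Renovate](https://github.com/apps/renovate)`, and "Do no use default" under the configuration item should be "Do not use default".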