
Commit a09ca4c

Note that rulesets can also enforce review
Signed-off-by: David A. Wheeler <[email protected]>
1 parent 31cf78e commit a09ca4c

1 file changed

+1
-1
lines changed

docs/Concise-Guide-for-Developing-More-Secure-Software.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ Here is a concise guide for all software developers for secure software developm
1313
7. **Monitor known vulnerabilities in your software’s direct & indirect dependencies**. E.g., enable basic scanning via GitHub's [dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) or GitLab [dependency scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/). Many other third party Software Composition Analysis (SCA) tools are also available. Quickly update vulnerable dependencies.
1414
8. **Keep dependencies reasonably up-to-date**. Otherwise, it’s hard to update for vulnerabilities.
1515
9. **Do not push secrets to a repository**. Use tools to detect pushing secrets to a repository.
16-
10. **Review before accepting changes**. Enforce it, e.g., [GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) or [GitLab](https://docs.gitlab.com/ee/user/project/protected_branches.html) protected branches.
16+
10. **Review before accepting changes**. Enforce this, e.g., using [GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) or [GitLab](https://docs.gitlab.com/ee/user/project/protected_branches.html) protected branches or an equivalent [GitHub ruleset](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
1717
11. **Prominently document how to report vulnerabilities & prepare for them**.
1818
- Use resources like the [Guide to coordinated vulnerability disclosure](https://github.com/ossf/oss-vulnerability-guide).
1919
- [Explicitly disclose security issues affecting vendored dependencies](Vendored-Dependencies-Guide.md).
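Review bot: The new wording "or an equivalent [GitHub ruleset]" in item 10 does not say which rule in the ruleset does the enforcing; a ruleset only enforces review when its "require a pull request before merging" rule with required approvals is enabled, so consider making that explicit, e.g. "...or a [GitHub ruleset] that requires pull request reviews before merging." The sentence also now names GitHub twice ("using [GitHub] ... or [GitLab] protected branches or an equivalent [GitHub ruleset]"); grouping both GitHub options together before the GitLab one would read more cleanly.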
