Skip to content

Add secret scanning to SCM guide, fixes #488 #489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Nov 5, 2024
Merged

Add secret scanning to SCM guide, fixes #488 #489

merged 9 commits into from
Nov 5, 2024
+145 −0

Conversation

@david-a-wheeler
Copy link
Contributor

@david-a-wheeler david-a-wheeler commented May 14, 2024

No description provided.

@david-a-wheeler
Add secret scanning to SCM guide, fixes #488
748ff78 
Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Fix markdownlint issues
ad69d7c 
Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler
Copy link
Contributor Author

david-a-wheeler commented May 16, 2024

@SecurityCRob - comments?

I did not try to edit best-practices.yml. I'm not sure what that yml file is doing. Is that the source & the README is generated? I don't see any code to do the generation. If the .yml file is generated from the README, then please run that tool. If they're edited simultaneously, well, yuck :-(. In any case, there should be a clear document somewhere what their relationship is.

ctcpip
ctcpip requested changes May 16, 2024
View reviewed changes
Copy link
Member

@ctcpip ctcpip left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is great! looks good, just some minor corrections, and a few consistency suggestions as well

SecurityCRob and others added 6 commits May 21, 2024 08:48
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/github/repository/secret_scanning.md
2af81c8 
fixes typo

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/github/repository/secret_scanning.md
7959141 
better word choice

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/github/repository/secret_scanning.md
3447e0f 
"quotes"

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/github/repository/secret_scanning.md
76cc1ad 
"quotes"

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/github/repository/secret_scanning.md
5d73b59 
"quotes"

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob @ctcpip
Update docs/SCM-BestPractices/gitlab/project/secret_scanning.md
6aa08a6 
better word choice

Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: CRob <[email protected]>
SecurityCRob
SecurityCRob approved these changes May 21, 2024
View reviewed changes
Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the addition. If we could get Chris' open comment resolved I think we can move this forward

@SecurityCRob
Copy link
Contributor

SecurityCRob commented May 21, 2024

@SecurityCRob - comments?

I did not try to edit best-practices.yml. I'm not sure what that yml file is doing. Is that the source & the README is generated? I don't see any code to do the generation. If the .yml file is generated from the README, then please run that tool. If they're edited simultaneously, well, yuck :-(. In any case, there should be a clear document somewhere what their relationship is.

I think Randall put that in place. I'm also unsure how that works. We should ask him to start.

@balteravishay
Copy link
Contributor

balteravishay commented May 21, 2024

@SecurityCRob - comments?
I did not try to edit best-practices.yml. I'm not sure what that yml file is doing. Is that the source & the README is generated? I don't see any code to do the generation. If the .yml file is generated from the README, then please run that tool. If they're edited simultaneously, well, yuck :-(. In any case, there should be a clear document somewhere what their relationship is.

I think Randall put that in place. I'm also unsure how that works. We should ask him to start.

I think that might relate to how the Legitify was used to produce these recommendations. maybe @noamd-legit can comment on this and suggest how to add new ones?

@noamd-legit
Copy link
Contributor

noamd-legit commented May 23, 2024

The best-practices.yml is generated automatically and does not require manual edits. In fact, I believe we can remove it entirely from this repository.

To update the document, simply edit the markdown file. If we need to regenerate the base version, I will handle any differences that arise.

@david-a-wheeler
Copy link
Contributor Author

david-a-wheeler commented May 23, 2024

In that case, I suggest removing the .yml file (in a separate pull request). We generally don't want generated files in the source repo.

@noamd-legit - would you mind creating that PR?

@david-a-wheeler david-a-wheeler mentioned this pull request May 24, 2024
Closed
@noamd-legit
Copy link
Contributor

noamd-legit commented May 30, 2024

@david-a-wheeler
Removed the file here: #508

@david-a-wheeler @ctcpip
Update docs/SCM-BestPractices/README.md
a2d6dd0 
Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
@balteravishay balteravishay requested a review from ctcpip November 5, 2024 15:34
@SecurityCRob SecurityCRob merged commit 95fd687 into main Nov 5, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@balteravishay balteravishay balteravishay approved these changes

@SecurityCRob SecurityCRob SecurityCRob approved these changes

@ctcpip ctcpip Awaiting requested review from ctcpip

Assignees

No one assigned

Labels

Enhancement Product: SCM Guide

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@david-a-wheeler @SecurityCRob @balteravishay @noamd-legit @ctcpip