Reboot Security 🔒 #1

Open
2 of 9 tasks
UlisesGascon opened this issue Jan 17, 2025 · 0 comments
UlisesGascon commented Jan 17, 2025

Overview

Related to yeoman/yeoman#1779

The goal of this security plan is to ensure that Yeoman remains a secure, reliable tool for the community. By defining clear policies, roles, and responsibilities—and by proactively monitoring and mitigating vulnerabilities—we can help protect Yeoman users from potential threats.

General Approach

  1. Establish a clear reporting process
    • Provide a transparent path for security researchers and community members to report vulnerabilities.
  2. Maintain secure development practices
    • Regularly review code, update dependencies, and follow security best practices.
  3. Audit and monitor
    • Continuously track known vulnerabilities, apply patches, and communicate risks to stakeholders.

Backlog

  • Define a comprehensive SECURITY.md at the organization level
    • Document a responsible disclosure policy (including how to report security issues and expected response times).
    • Include guidance on how vulnerabilities are triaged and fixed.
    • See: docs: add a security policy #2
  • Create a .github repository or folder for organization-wide resources
  • Create a threat model
    • Use examples from Express and Node.js as references.
    • Outline potential attack vectors, likely threat agents, and mitigation strategies.
  • Review and update GitHub teams/permissions
    • Ensure the principle of least privilege is followed.
    • Restrict sensitive actions (e.g., publishing, merging to main) to trusted maintainers/contributors.
  • Review and update teams/permissions on npm
    • Verify correct ownership and publishing rights.
    • Rotate access tokens or credentials (if needed).
  • Review CVEs for known vulnerabilities
    • Evaluate Yeoman’s repos and dependencies against reported CVEs.
    • Patch or mitigate as necessary.
  • Update vulnerable dependencies
    • Identify and upgrade libraries with known vulnerabilities.
  • Plan releases to improve project security posture
    • Create a new release for each library if more than a year has passed since the previous release.
  • Implement OSSF Scorecard recommendations
    • Monitor the current score and track improvements over time: (OpenSSF Scorecard Report Updated #3 and reports)
    • Address suggested remediation steps (e.g., signing releases, enabling branch protection rules, automating dependency checks, SAST, CI/CD Pipeline Hardening, etc.).

Notes

This is an open discussion, and this backlog may evolve over time as we implement these actions. Feel free to participate and suggest additional improvements. 👍

@UlisesGascon UlisesGascon self-assigned this Jan 17, 2025
@UlisesGascon UlisesGascon moved this to In Progress in Maintenance Reboot Jan 17, 2025
@UlisesGascon UlisesGascon pinned this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025