
Reboot Security 🔒 #1

Status: Open · 4 of 9 tasks
UlisesGascon opened this issue Jan 17, 2025 · 1 comment
UlisesGascon (Member) commented Jan 17, 2025:

Overview

Related to yeoman/yeoman#1779

The goal of this security plan is to ensure that Yeoman remains a secure, reliable tool for the community. By defining clear policies, roles, and responsibilities—and by proactively monitoring and mitigating vulnerabilities—we can help protect Yeoman users from potential threats.

General Approach

  1. Establish a clear reporting process
    • Provide a transparent path for security researchers and community members to report vulnerabilities.
  2. Maintain secure development practices
    • Regularly review code, update dependencies, and follow security best practices.
  3. Audit and monitor
    • Continuously track known vulnerabilities, apply patches, and communicate risks to stakeholders.

Backlog

  • Define a comprehensive SECURITY.md at the organization level
    • Document a responsible disclosure policy (including how to report security issues and expected response times).
    • Include guidance on how vulnerabilities are triaged and fixed.
    • See: docs: add a security policy #2
  • Create a .github repository or folder for organization-wide resources
  • Implement OSSF Scorecard recommendations
  • Review CVEs for known vulnerabilities
  • Create a threat model
    • Use examples from Express and Node.js as references.
    • Outline potential attack vectors, likely threat agents, and mitigation strategies.
  • Review and update GitHub teams/permissions
    • Ensure the principle of least privilege is followed.
    • Restrict sensitive actions (e.g., publishing, merging to main) to trusted maintainers/contributors.
  • Review and update teams/permissions on npm
    • Verify correct ownership and publishing rights.
    • Rotate access tokens or credentials (if needed).
  • Update vulnerable dependencies
    • Identify and upgrade libraries with known vulnerabilities.
  • Plan releases to improve project security posture
    • Create a new release for each library if more than a year has passed since the previous release.

Notes

This is an open discussion, and this backlog may evolve over time as we implement these actions. Feel free to participate and suggest additional improvements. 👍
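The last backlog item above sets a concrete rule: a library gets a new release if more than a year has passed since the previous one. The check below is an added example, not code from the Yeoman project or from this issue; it reads the shape of the npm registry's package document (`dist-tags.latest` and the `time` map of version to ISO publish date) and flags packages whose latest release is older than a year. The package names and dates are constructed sample data, and `fetchPackageMetadata` is an assumed helper for the live case.

```javascript
// Added example, not code from the Yeoman project or this issue: flag npm
// packages whose latest release is more than a year old, the "plan releases"
// criterion in the backlog. Reads the npm registry package document shape
// (`dist-tags.latest` and `time`: version -> ISO publish date).
// The package names and dates below are constructed sample data.

const STALE_AFTER_DAYS = 365;

// Constructed sample of the fields used from GET https://registry.npmjs.org/<name>
const SAMPLE_REGISTRY = {
  "example-fresh-lib": {
    "dist-tags": { latest: "2.1.0" },
    time: {
      "2.0.0": "2024-06-01T00:00:00.000Z",
      "2.1.0": "2024-11-20T00:00:00.000Z",
    },
  },
  "example-stale-lib": {
    "dist-tags": { latest: "1.4.2" },
    time: {
      "1.4.2": "2022-03-10T00:00:00.000Z",
      modified: "2023-01-01T00:00:00.000Z", // metadata edits are not releases
    },
  },
  // Edge case: a recent prerelease on the `next` tag does not change what
  // `npm install` resolves, so the package still counts as stale.
  "example-prerelease-only": {
    "dist-tags": { latest: "3.0.0", next: "4.0.0-beta.1" },
    time: {
      "3.0.0": "2023-01-05T00:00:00.000Z",
      "4.0.0-beta.1": "2024-12-01T00:00:00.000Z",
    },
  },
};

// Publish date of the version users actually get (`dist-tags.latest`).
function lastReleaseDate(meta) {
  const tags = meta["dist-tags"] || {};
  const iso = tags.latest && meta.time ? meta.time[tags.latest] : undefined;
  if (!iso) {
    throw new Error("package metadata lacks dist-tags.latest or its publish time");
  }
  return new Date(iso);
}

// Whole days elapsed between `date` and `now`.
function daysSince(date, now) {
  return Math.floor((now.getTime() - date.getTime()) / 86_400_000);
}

// Packages whose latest release is older than `maxAgeDays`, oldest first.
function findStalePackages(registry, now = new Date(), maxAgeDays = STALE_AFTER_DAYS) {
  const stale = [];
  for (const [name, meta] of Object.entries(registry)) {
    const ageDays = daysSince(lastReleaseDate(meta), now);
    if (ageDays > maxAgeDays) {
      stale.push({ name, version: meta["dist-tags"].latest, ageDays });
    }
  }
  return stale.sort((a, b) => b.ageDays - a.ageDays);
}

// Assumed helper for live use (Node 18+ global fetch); the demo below stays offline.
async function fetchPackageMetadata(name) {
  const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
  if (!res.ok) throw new Error(`registry returned HTTP ${res.status} for ${name}`);
  return res.json();
}

// Offline demo pinned to a fixed "now" so the output is reproducible.
const demoNow = new Date("2025-01-17T00:00:00.000Z");
for (const p of findStalePackages(SAMPLE_REGISTRY, demoNow)) {
  console.log(`${p.name}@${p.version}: last release ${p.ageDays} days ago`);
}
```

For a real run, replace `SAMPLE_REGISTRY` with the documents returned by `fetchPackageMetadata` for each package in the organisation; the check deliberately keys on `dist-tags.latest` rather than on the newest timestamp in `time`, because a prerelease or a metadata edit does not change what consumers install.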

@UlisesGascon UlisesGascon self-assigned this Jan 17, 2025
@UlisesGascon UlisesGascon moved this to In Progress in Maintenance Reboot Jan 17, 2025
@UlisesGascon UlisesGascon pinned this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon added a commit to yeoman/yeoman-character that referenced this issue Jan 18, 2025
UlisesGascon (Member, Author) commented:

With these great improvements, I consider the Scorecard implementation phase completed 🥳

| Repository | Commit | Score | Score Delta | Report | StepSecurity |
|---|---|---|---|---|---|
| yeoman/generator | aa4661e | 6.8 | 1 | Details / View | Fix it |
| yeoman/yeoman.io | 92f38d7 | 7 | 4.3 | Details / View | Fix it |
| yeoman/yo | c66f7a7 | 6.6 | 2.8 | Details / View | Fix it |
| yeoman/generator-generator | e39e025 | 5.2 | 2.3 | Details / View | Fix it |
| yeoman/generator-dummy | 22caabc | 5.1 | 2.4 | Details / View | Fix it |
| yeoman/generator-node | 06b66b1 | 4.9 | 2.9 | Details / View | Fix it |
| yeoman/yosay | f781247 | 5.9 | 1.7 | Details / View | Fix it |
| yeoman/yeoman-test | c3b6899 | 5.5 | 2.3 | Details / View | Fix it |
| yeoman/environment | 92fa818 | 5.6 | 2.2 | Details / View | Fix it |
| yeoman/doctor | c576ffa | 6.1 | 2.5 | Details / View | Fix it |
| yeoman/yeoman-character | c20fb53 | 5.9 | 2 | Details / View | Fix it |
| yeoman/yeoman-welcome | ad4896e | 5.9 | 4 | Details / View | Fix it |
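The table above reports aggregate Scorecard scores and deltas per repository. To act on such a run, a maintainer needs the per-check breakdown: which checks still sit below the target and which ones got worse. The script below is an added example, not StepSecurity's or the Yeoman project's code; it reads the JSON shape that `scorecard --format json` emits (a top-level `score` and a `checks` array of `{name, score, reason}`, where a score of -1 means the check was inconclusive). Both result objects are constructed samples, the commit ids are placeholders, and the reasons are illustrative text, not output from any real repository.

```javascript
// Added example, not StepSecurity's or the Yeoman project's code: summarise
// an OpenSSF Scorecard JSON result (`scorecard --format json` shape: top-level
// "score" plus "checks": [{name, score, reason}], score -1 = inconclusive)
// against a previous run. Both results below are constructed samples with
// placeholder commit ids.

const TARGET_SCORE = 7;

const SAMPLE_PREVIOUS = {
  repo: { name: "github.com/example-org/example-repo", commit: "PLACEHOLDER_COMMIT_BEFORE" },
  score: 3.5,
  checks: [
    { name: "Branch-Protection", score: 0, reason: "branch protection not enabled on default branch" },
    { name: "Pinned-Dependencies", score: 2, reason: "dependency not pinned by hash detected" },
    { name: "Token-Permissions", score: 0, reason: "workflow tokens with excessive permissions" },
    { name: "Dangerous-Workflow", score: 10, reason: "no dangerous workflow patterns detected" },
    { name: "Maintained", score: 8, reason: "commit and issue activity in the last 90 days" },
    { name: "Security-Policy", score: 0, reason: "security policy file not detected" },
    { name: "Code-Review", score: -1, reason: "not enough changesets to detect review" },
  ],
};

const SAMPLE_CURRENT = {
  repo: { name: "github.com/example-org/example-repo", commit: "PLACEHOLDER_COMMIT_AFTER" },
  score: 6.8,
  checks: [
    { name: "Branch-Protection", score: 3, reason: "branch protection is not maximal on release branches" },
    { name: "Pinned-Dependencies", score: 8, reason: "most dependencies pinned by hash" },
    { name: "Token-Permissions", score: 10, reason: "workflow tokens follow least privilege" },
    { name: "Dangerous-Workflow", score: 10, reason: "no dangerous workflow patterns detected" },
    { name: "Maintained", score: 5, reason: "fewer than 1 commit per week over the last 90 days" },
    { name: "Security-Policy", score: 10, reason: "security policy file detected" },
    { name: "Code-Review", score: -1, reason: "not enough changesets to detect review" },
  ],
};

// Aggregate score change, rounded to one decimal as Scorecard reports it.
function scoreDelta(current, previous) {
  return Math.round((current.score - previous.score) * 10) / 10;
}

// Conclusive checks still below `threshold`, worst first, ties by name.
function checksBelow(result, threshold = TARGET_SCORE) {
  return result.checks
    .filter((c) => c.score >= 0 && c.score < threshold)
    .map(({ name, score, reason }) => ({ name, score, reason }))
    .sort((a, b) => a.score - b.score || a.name.localeCompare(b.name));
}

// Inconclusive checks (-1) need investigation rather than a fix, so they are
// kept apart from the "below target" list.
function inconclusiveChecks(result) {
  return result.checks.filter((c) => c.score < 0).map((c) => c.name);
}

// Checks whose score dropped since the previous run.
function regressions(current, previous) {
  const before = new Map(previous.checks.map((c) => [c.name, c.score]));
  return current.checks
    .filter((c) => before.has(c.name) && c.score < before.get(c.name))
    .map((c) => ({ name: c.name, from: before.get(c.name), to: c.score }));
}

// Demo over the constructed samples.
const delta = scoreDelta(SAMPLE_CURRENT, SAMPLE_PREVIOUS);
console.log(`${SAMPLE_CURRENT.repo.name}: ${SAMPLE_CURRENT.score} (${delta >= 0 ? "+" : ""}${delta})`);
for (const c of checksBelow(SAMPLE_CURRENT)) {
  console.log(`  below target: ${c.name} ${c.score}/10 - ${c.reason}`);
}
for (const r of regressions(SAMPLE_CURRENT, SAMPLE_PREVIOUS)) {
  console.log(`  regressed: ${r.name} ${r.from} -> ${r.to}`);
}
for (const n of inconclusiveChecks(SAMPLE_CURRENT)) {
  console.log(`  inconclusive: ${n}`);
}
```

A rising aggregate score can hide an individual check that regressed (here `Maintained` drops while the total climbs), which is why the regression list is reported separately from the delta.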
