A CLI utility to secure a GitHub repo following the best practices identified in the CNCF Supply Chain Security Whitepaper.
The Cloud Native Computing Foundation published its Software Supply Chain Best Practices paper in May 2021. Part one of the paper covers source code repositories, and in that section CNCF makes the following recommendations:
- Require signed commits
- Verify commits in merges (to achieve "full attestation")
- Use automated tooling to block the committing of secrets to a repository
- Use automation to enforce coding conventions
- Automatically perform security scanning of code and dependencies
- Establish and adhere to contribution policies
- Define roles/responsibilities and corresponding access controls for contributors
- Require code reviews before merges
- Prevent "force pushes" and otherwise implement branch protection rules
- Require MFA for contributors
- Require SSH for repository access
- Have a key rotation policy
- Use short lived/ephemeral certificates for automation agents
You can read more detailed explanations of each of these recommendations in the CNCF paper.
This utility updates as many settings as it can, on the hosting platform and in the local git configuration, to bring a repository in line with the recommendations above. It was conceived for GitHub but is being designed to be platform agnostic: each Git hosting platform sits behind a thin API wrapper, so other platforms can be added later. Platforms expose these features differently, and not every recommendation can be implemented in code; some must be enforced by the project's organization as policy. With GitHub, for example, the utility can do the following:
- Create branch protection rules for chosen branches (e.g. main) that:
  - require signed commits
  - require changes to arrive via pull requests
  - require code reviews on those pull requests
  - block force pushes
- Create a CODEOWNERS file that defines who must sign off on code reviews for each part of the tree
- Report what percentage of the project's merge commits are signed
- Verify that the project's users have SSH keys on their accounts
- Generate and revoke access tokens that can be used for automation agents
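The two GitHub-side checks above that are pure API work, creating the branch protection rule and reporting how many merge commits carry a valid signature, look like this against GitHub's GraphQL API. This is an added example written for this page, not the utility's own code, and it assumes Python (the page does not say what language the utility is written in). The mutation, query and input field names are GitHub's; the function names, the `SAMPLE_NODES` data and the choice to count only signatures GitHub reports as `VALID` are this example's.

```python
"""Added example (not the utility's own code): build the GitHub GraphQL
mutation that creates a CNCF-style branch protection rule, and compute
the signed-merge-commit percentage from commit history nodes."""
import json
import urllib.request

GITHUB_GRAPHQL = "https://api.github.com/graphql"

# Mutation/field names are GitHub's GraphQL schema; variable names are ours.
CREATE_RULE_MUTATION = """
mutation($input: CreateBranchProtectionRuleInput!) {
  createBranchProtectionRule(input: $input) {
    branchProtectionRule { id pattern requiresCommitSignatures }
  }
}
"""

HISTORY_QUERY = """
query($owner: String!, $name: String!, $ref: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    ref(qualifiedName: $ref) {
      target {
        ... on Commit {
          history(first: 100, after: $cursor) {
            pageInfo { hasNextPage endCursor }
            nodes {
              oid
              parents(first: 2) { totalCount }
              signature { isValid state }
            }
          }
        }
      }
    }
  }
}
"""


def branch_protection_input(repository_id: str, pattern: str = "main",
                            reviews: int = 1) -> dict:
    """Variables for CREATE_RULE_MUTATION: signed commits, pull requests
    with reviews (incl. code owners), no force pushes or deletions, and
    the rule applies to admins too so it cannot be quietly bypassed."""
    return {"input": {
        "repositoryId": repository_id,
        "pattern": pattern,
        "requiresCommitSignatures": True,
        "requiresApprovingReviews": True,
        "requiredApprovingReviewCount": reviews,
        "requiresCodeOwnerReviews": True,
        "dismissesStaleReviews": True,
        "allowsForcePushes": False,
        "allowsDeletions": False,
        "isAdminEnforced": True,
    }}


def graphql(token: str, query: str, variables: dict) -> dict:
    """POST to GitHub's GraphQL endpoint (needs network; not used in tests)."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        GITHUB_GRAPHQL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    if "errors" in data:
        raise RuntimeError(data["errors"])
    return data["data"]


def signed_merge_report(nodes: list) -> dict:
    """Count merge commits (>= 2 parents) whose signature GitHub marks VALID.
    A signature that is present but not VALID (unknown key, expired key,
    unverified email, ...) counts as unsigned: it attests nothing."""
    merges = [n for n in nodes if n["parents"]["totalCount"] >= 2]
    signed = [n for n in merges
              if n["signature"] and n["signature"]["isValid"]
              and n["signature"]["state"] == "VALID"]
    pct = 100.0 * len(signed) / len(merges) if merges else 0.0
    return {"merge_commits": len(merges), "signed": len(signed),
            "percent_signed": round(pct, 1),
            "unsigned_oids": [n["oid"] for n in merges if n not in signed]}


# Constructed sample shaped like HISTORY_QUERY's `nodes` (not real data).
SAMPLE_NODES = [
    {"oid": "a1", "parents": {"totalCount": 2}, "signature": {"isValid": True, "state": "VALID"}},
    {"oid": "b2", "parents": {"totalCount": 1}, "signature": None},
    {"oid": "c3", "parents": {"totalCount": 2}, "signature": None},
    {"oid": "d4", "parents": {"totalCount": 2}, "signature": {"isValid": False, "state": "UNKNOWN_KEY"}},
    {"oid": "e5", "parents": {"totalCount": 2}, "signature": {"isValid": True, "state": "VALID"}},
]

if __name__ == "__main__":
    print(json.dumps(signed_merge_report(SAMPLE_NODES), indent=2))
```

To run it for real, page through `HISTORY_QUERY` with `graphql(token, HISTORY_QUERY, {...})` until `hasNextPage` is false and pass the accumulated `nodes` to `signed_merge_report`; the report lists the unsigned merge OIDs so the gap to "full attestation" can be traced to specific merges rather than just a percentage.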
In addition, using git and the local system itself, the utility can:
- Generate SSH and GPG keys and add them to a user account on GitHub
- Verify the presence of certain git hooks (e.g. awslabs/git-secrets), which address secret blocking, code convention enforcement, and automatic security scanning
- Update the user's local .gitconfig to prefer SSH over HTTPS for GitHub and to sign commits automatically
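The local-system side of those two items, checking that the git-secrets hooks are installed and that the user's .gitconfig carries the SSH and signing settings, can be done without shelling out to git at all. This is an added example written for this page, not the utility's code, in Python (assumed, as above). The settings it checks for (`url.git@github.com:.insteadOf`, `commit.gpgsign`, `tag.gpgsign`, `user.signingkey`) are standard git configuration keys; the hook file names are the ones `git secrets --install` creates, and the assumption that each hook contains the literal text `git secrets` is this example's. The sample .gitconfig and sample repository are constructed.

```python
"""Added example (not the utility's own code): check a clone for the
git-secrets hooks and audit/emit the per-user git settings that prefer
SSH for GitHub and sign commits. Nothing here shells out to git."""
import os
import re
import tempfile
from pathlib import Path

# Hooks that `git secrets --install` writes into .git/hooks. Assumption
# used here: each installed hook invokes the literal command "git secrets".
SECRETS_HOOKS = ("pre-commit", "commit-msg", "prepare-commit-msg")


def check_secrets_hooks(repo: Path) -> dict:
    """hook name -> True if it exists, is executable and calls git-secrets."""
    hooks = repo / ".git" / "hooks"
    result = {}
    for name in SECRETS_HOOKS:
        path = hooks / name
        result[name] = (path.is_file() and os.access(path, os.X_OK)
                        and "git secrets" in path.read_text(errors="replace"))
    return result


def wanted_settings(signing_key: str) -> dict:
    """The .gitconfig entries for 'prefer SSH' and 'sign commits', keyed by
    (section, subsection). signing_key is the user's GPG key ID."""
    return {
        ("url", "git@github.com:"): {"insteadOf": "https://github.com/"},
        ("commit", None): {"gpgsign": "true"},
        ("tag", None): {"gpgsign": "true"},
        ("user", None): {"signingkey": signing_key},
    }


SECTION_RE = re.compile(r'^\s*\[([^\s"\]]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitconfig(text: str) -> dict:
    """Minimal reader for git's config syntax (sections, quoted subsections,
    key = value; no includes or quoted values) -> {(section, sub): {key: value}}.
    Section and key names are case-insensitive in git, so they are lowered."""
    config, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            config.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            config[current][m.group(1).lower()] = m.group(2)
    return config


def missing_settings(text: str, signing_key: str) -> dict:
    """Wanted entries that are absent from, or differ in, the given config."""
    have = parse_gitconfig(text)
    missing = {}
    for section, keys in wanted_settings(signing_key).items():
        for key, value in keys.items():
            if have.get(section, {}).get(key.lower()) != value:
                missing.setdefault(section, {})[key] = value
    return missing


def render_gitconfig(settings: dict) -> str:
    """Render entries in git's own syntax, ready to append to ~/.gitconfig."""
    out = []
    for (section, sub), keys in settings.items():
        out.append(f'[{section} "{sub}"]' if sub else f"[{section}]")
        out.extend(f"\t{key} = {value}" for key, value in keys.items())
    return "\n".join(out) + "\n"


# Constructed sample ~/.gitconfig: the SSH rewrite is present, signing is not.
SAMPLE_GITCONFIG = """[user]
\tname = Example Dev
\temail = dev@example.com
[url "git@github.com:"]
\tinsteadOf = https://github.com/
"""


def make_sample_repo() -> Path:
    """Constructed clone in a temp dir with only the pre-commit hook installed."""
    repo = Path(tempfile.mkdtemp())
    hooks = repo / ".git" / "hooks"
    hooks.mkdir(parents=True)
    hook = hooks / "pre-commit"
    hook.write_text('#!/usr/bin/env bash\ngit secrets --pre_commit_hook -- "$@"\n')
    hook.chmod(0o755)
    return repo


if __name__ == "__main__":
    print(check_secrets_hooks(make_sample_repo()))
    print(render_gitconfig(missing_settings(SAMPLE_GITCONFIG, "<GPG key id>")))
```

The audit reports per hook rather than a single yes/no because git-secrets only blocks secrets when all three hooks are present; a repository with just `pre-commit` still lets a secret through via `git commit --amend` paths that the other hooks cover. The parser is deliberately minimal (no `include` directives, no quoted or multi-line values), which is enough to detect the keys above but not a general git-config reader.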
Some things, however, cannot be done automatically on GitHub. The utility cannot enforce MFA, though an organization can easily require it for its members in its settings. And although the utility can check that user accounts have SSH keys, it cannot force users to access the repository over SSH; that has to be organizational policy. The closest it gets is changing the local .gitconfig, which a user can undo or override from the command line.
After completing this project for GitHub, the plan is to add support for GitLab and Bitbucket, followed possibly by some other git hosting platforms.
This project currently has most of its skeleton and some of its GraphQL queries/mutations written, and none of the actual commands. This status line will be updated as the project progresses.