ci: [2024-Q3] CI/CD Audit Story
Closed this issue · 0 comments
rbarkerSL commented
CI/CD Quarterly Audit
- Description: Perform quarterly CI/CD audit
Audit Criteria
- If Actions are enabled
- All workflow items are using pinned actions
- Appropriate permissions are set within the github workflows
- Dependabot is enabled on the repository
- The Repository is using self-hosted runners (if appropriate)
- The Step-Security Hardened Security action is enabled
- Actions are disabled if not in use within last 6 months
- The repository uses the current rulesets
- Individual branch protections are turned off
- Individual tag protections are turned off
- CODEOWNERS is valid and up-to-date
- Teams are assigned to the repository
- Individual contributors that are part of assigned teams are removed from contributors list
- Repository settings are configured per organization standard
- All webhooks present are needed and in use
- If Applicable: Alert repository owners of software versions that are no longer supported
- If Applicable: Alert repository owners when software versions are within 3 months of losing support
- Custom properties:
last-ci-review-by-teamis set - Custom properties:
last-ci-review-dateis set (Use format:YYYY-MM-DD)
Repository Settings
- Require contributors to sign off on web-based commits
- Features: Issues
- Features: Preserve this Repository
- Features: Discussions
- Features: Projects
- Pull Requests: Allow Squash Merging
- Pull Requests: Always suggest updating pull request branches
- Pull Requests: Automatically delete head branches
- Pushes: Limit how many branches and tags can be updated in a single push
Acceptance Criteria
- All Audit Criteria have been met