supplychainsecurity: apply supply chain security recommendations
odeke-em opened this issue · 2 comments
odeke-em commented
Coming here from the results of a supply chain security analysis of this repository that we, Orijtech Inc, engaged Chainguard Inc to perform on behalf of the Cosmos ecosystem. The report is at https://cyber.orijtech.com/scsec/cosmos-v1 or as a standalone PDF at https://cyber.orijtech.com/chainguard_cosmos_v1.pdf#page20
Tasks
- Enable branch protection so that no one can just push directly to the main branch
- Add dependabot and renovatebot
- Enable GitHub Advanced Security
- Add CodeQL and cosmos/gosec
- Require multi-factor authentication for every contributor to the organization and repository per https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
- Need for reproducible builds. Please use apko https://github.com/chainguard-dev/apko https://www.chainguard.dev/unchained/introducing-apko-bringing-distroless-nirvana-to-alpine-linux
agouin commented
Thanks @odeke-em!
We will take a look at these. To start:
- We have branch protection on our main branch.
- We produce reproducible images using pinned build images in addition to final scratch images that contain only the chain binary and a minimal shell and utilities.
odeke-em commented
Thank you @agouin! Great to see. One thing I can also request is ensuring code reviews and approvals of PRs before merge per https://github.com/strangelove-ventures/heighliner/settings/branch_protection_rules/new?branch_name=main
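A defender-side check for the branch protection points raised in this thread (no direct pushes to main, code reviews and approvals required before merge, required status checks such as CodeQL/gosec). This is an added example, not code from the issue or from heighliner; the payload is a constructed sample shaped like the GitHub REST API "Get branch protection" response, and the field names are the API's own.

```python
"""Audit a GitHub branch-protection payload against the recommendations in
this thread.  Added example; the sample payload is constructed, not fetched."""
import json
from typing import List

# Constructed sample: direct pushes, force pushes and deletions are blocked,
# but PR review approvals are not yet required and admins can bypass rules.
SAMPLE_PROTECTION = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": None,
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
})


def audit_branch_protection(payload: str, min_approvals: int = 1) -> List[str]:
    """Return findings for the protected branch; an empty list means the branch
    requires reviewed PRs, enforces rules for admins, gates merges on status
    checks, and forbids force pushes and deletions."""
    p = json.loads(payload)
    findings = []

    reviews = p.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required before merge")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(f"only {count} approving review(s) required, want >= {min_approvals}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are not dismissed on new commits")

    if not p.get("enforce_admins", {}).get("enabled", False):
        findings.append("protection rules are not enforced for administrators")
    if p.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes to the protected branch are allowed")
    if p.get("allow_deletions", {}).get("enabled", False):
        findings.append("deletion of the protected branch is allowed")
    checks = p.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        findings.append("no required status checks (e.g. CodeQL/gosec) gate merges")
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FINDING:", finding)
```

In practice the payload comes from `gh api repos/OWNER/REPO/branches/main/protection`; the same function then reports which of the thread's recommendations are still open.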