OpenSSF Releases Source Code Management Best Practices Guide

September 14, 2023 | Blog
By Christine Abernathy (F5), Daniel Appelquist (Snyk), Noam Dotan (Legit Security)

We are excited to announce the release of the Source Code Management (SCM) Best Practices Guide by the Open Source Security Foundation (OpenSSF) Best Practices Working Group. This guide is a comprehensive resource dedicated to raising awareness of, and providing education on, securing SCM platforms, including GitHub and GitLab, and implementing best practices for them.

SCM Best Practices Guide

The OpenSSF Best Practices Working Group has been working to create a guide that provides a central repository for SCM security policies and guidelines covering critical security practices such as user authentication, access control, and change management. It is designed to help maintainers improve the security posture of their repositories and source code projects, assist Open Source Program Offices (OSPO) in managing multiple GitHub organizations or GitLab groups, and provide operations teams with best practices for these platforms.

Helping Developers, Maintainers and Organizations

The SCM Best Practices Guide is a valuable resource for developers and security operations teams alike. It provides a comprehensive set of recommendations for securing SCM platforms like GitHub and GitLab. The guide also includes a list of tools that can assist in reviewing source code repositories. One example is Legitify, by Legit Security, which helps detect all misconfigurations and security issues described throughout the project’s document. Other tools that help in this context are Allstar and Scorecard from OpenSSF. These tools can help detect misconfigurations, security issues, and unfollowed best practices, with the goal of providing more secure development environments.

Recommendations

The document covers multiple aspects of securing SCM systems:

Hardening CI/CD Pipelines Against Supply Chain Attacks:

CI/CD (Continuous Integration/Continuous Deployment) pipelines automate software delivery. As such, they can be prime targets for supply chain attacks, where malicious actors try to insert harmful code or dependencies into the software before it’s deployed. Pipeline hardening policies involve requiring the least permissions for workflows, setting who can trigger a pipeline, and more.

Branch Protection Policies for Healthy Coding Workflows:

Branch protection policies in SCM systems, like Git, ensure that code changes go through a structured review process before being merged. This could mean requiring code reviews, ensuring passing builds from CI tools, or restricting who can push to main branches. These policies help catch bugs early and prevent potential malicious code from being integrated without scrutiny.
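As an added illustration of the pipeline and branch protection policies described above (not code from the guide or from Legitify, Allstar or Scorecard), the following sketch audits settings shaped like the GitHub REST API's branch protection and workflow permission responses. The sample data is constructed, the function names are hypothetical, and GitLab would need its own field mapping.

```python
# Constructed sample data shaped like GitHub REST API responses (not real output):
#   GET /repos/{owner}/{repo}/branches/{branch}/protection
#   GET /repos/{owner}/{repo}/actions/permissions/workflow
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
SAMPLE_WORKFLOW_PERMS = {"default_workflow_permissions": "write",
                         "can_approve_pull_request_reviews": True}


def enabled(obj, key):
    """True when a {"enabled": bool} sub-object is present and switched on."""
    return bool((obj.get(key) or {}).get("enabled"))


def audit_branch_protection(p):
    """Return findings for the review, CI and push-restriction policies."""
    findings = []
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required before merge")
    checks = p.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append("no passing CI status check required")
    if not p.get("restrictions"):
        findings.append("push to branch not restricted to named users/teams")
    if not enabled(p, "enforce_admins"):
        findings.append("admins can bypass protection")
    if enabled(p, "allow_force_pushes"):
        findings.append("force pushes allowed")
    return findings


def audit_workflow_permissions(w):
    """Return findings for the least-privilege workflow token policy."""
    findings = []
    if w.get("default_workflow_permissions") != "read":
        findings.append("default GITHUB_TOKEN permission is not read-only")
    if w.get("can_approve_pull_request_reviews"):
        findings.append("workflows can approve pull requests")
    return findings


if __name__ == "__main__":
    for f in (audit_branch_protection(SAMPLE_PROTECTION)
              + audit_workflow_permissions(SAMPLE_WORKFLOW_PERMS)):
        print("FINDING:", f)
```
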

Recommended Access Controls and Permissions:

Access controls determine who can view, modify, or delete certain parts of the codebase or SCM configuration. A refined permissions structure can segregate duties and ensure that only authorized individuals can make significant changes. This means setting explicit roles for members (e.g., admin, contributor, viewer) and groups, ensuring that access is granted based on the principle of least privilege—where users have only the permissions necessary to perform their tasks.

Server-level Policies for Globally Enforced Best Practices:

SCM systems have server-side components beyond just the software or code level. Instituting server-level policies means setting up rules and best practices that apply across projects and repositories, ensuring a consistent security posture.

And much more.

We Want Your Feedback

The best way to improve and refine our practices is through community feedback. We encourage you to review the SCM Best Practices Guide and provide your insights and suggestions. Your feedback will help us ensure that the guide remains relevant, practical, and beneficial to the entire open source community. 

Feel free to raise issues on our GitHub repo, reach out on our Slack channel #wg_best_practices_ossdev, and get involved with the OpenSSF.

On behalf of the OpenSSF Best Practices Working Group, thank you for your ongoing support and contributions to the open source community. Together, we can make open source software safer and more secure for everyone. 

About the Authors

Christine Abernathy, F5

Christine leads the Open Source Program Office at F5 with prior experience helping grow Facebook’s open source presence. Christine is active in various OpenSSF working groups and initiatives.

Dan Appelquist, Snyk

Dan Appelquist is the Open Source & Open Standards Strategy Director at Snyk, a member of the OpenSSF Technical Advisory Council, and a long-time supporter of open source and open standards. He may be found in the Fediverse at @torgo@mastodon.social.

Noam Dotan, Legit Security

Noam Dotan is a Lead Security Researcher at Legit Security. Noam’s research specialty is software supply chain security and SDLC system vulnerabilities. He has 10+ years of experience in cybersecurity across multiple disciplines.

In addition, we would like to thank the many contributors to this effort from the OpenSSF Best Practices Working Group.