This repository has been archived by the owner on Jul 2, 2024. It is now read-only.
As discussed in sourcegraph/security#1025

Co-authored-by: andreeleuterio <[email protected]>
1 parent 83edd5e, commit 7083baa
Showing 2 changed files with 33 additions and 0 deletions.
@@ -0,0 +1,29 @@ | ||
## Repository policies and controls | ||
|
||
As our product offerings grow we will have increasingly more code in scope for SOC2 compliance spread across multiple repositories. This policy defines categories for repositories and which controls are necessary. | ||
|
||
## Repository categories | ||
|
||
### SOC2-scoped | ||
|
||
Any repository that contains code which processes Enterprise Sourcegraph customer data is categorized as `SOC2-scoped`. This includes repositories such as: sourcegraph/sourcegraph, sourcegraph/cody, sourcegraph/scip-\* and more. | ||
|
||
### Security-tracked | ||
|
||
Repositories that may not be in scope for compliance but present security risks should be categorized as `Security-tracked`. This includes repositories such as: sourcegraph/abuse-ban-bot, sourcegraph/controller and more. | ||
|
||
### Out-of-scope | ||
|
||
All other repositories are categorized as `Out-of-scope`. | ||
|
||
## Repository controls | ||
|
||
The following controls are required for all `SOC2-scoped` repositories. `Security-tracked` repositories are not required to have the controls but should be strongly considered. If a repository is categorized as `Out-of-scope` it does not require any controls. | ||
|
||
- Branch protection: a repository must not allow committing directly to the `main` branch. | ||
- PR approvals: merging changes to the main branch must require an approval | ||
- Test plan: PRs must have a Test Plan in the PR description. | ||
- CODEOWNERS: a repository must have a CODEOWNERS file. | ||
- CLA: non-Sourcegraph employees can only contribute to the repo by signing a CLA. | ||
- CI tests: code must pass tests (unit, integration, etc) before merging. | ||
- SAST: code must pass security testing before merging. |
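Review bot: the approval control (`PR approvals: merging changes to the main branch must require an approval`) does not say who may approve or how many approvals are required, so it never connects to the CODEOWNERS control two lines below; consider `merging to main must require at least one approval from a code owner, with stale approvals dismissed when new commits are pushed`. The SAST bullet has the same gap: `must pass security testing` is not actionable without saying which findings block a merge (for example, any finding at or above an agreed severity). Two style points: that approval bullet is the only one without a trailing period, and the opening heading `## Repository policies and controls` is at the same level as the section headings under it, so it should be `#`. Lastly, `Security-tracked repositories are not required to have the controls but should be strongly considered` leaves open who decides a repository's category and which of the seven controls are recommended for that tier; naming an owner for categorization would make the policy enforceable.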