diff --git a/content/departments/security/repo-policies.md b/content/departments/security/repo-policies.md new file mode 100644 index 000000000000..a34a72a00a99 --- /dev/null +++ b/content/departments/security/repo-policies.md @@ -0,0 +1,29 @@ +## Repository policies and controls + +As our product offerings grow we will have increasingly more code in scope for SOC2 compliance spread across multiple repositories. This policy defines categories for repositories and which controls are necessary. + +## Repository categories + +### SOC2-scoped + +Any repository that contains code which processes Enterprise Sourcegraph customer data is categorized as `SOC2-scoped`. This includes repositories such as: sourcegraph/sourcegraph, sourcegraph/cody, sourcegraph/scip-\* and more. + +### Security-tracked + +Repositories that may not be in scope for compliance but present security risks should be categorized as `Security-tracked`. This includes repositories such as: sourcegraph/abuse-ban-bot, sourcegraph/controller and more. + +### Out-of-scope + +All other repositories are categorized as `Out-of-scope`. + +## Repository controls + +The following controls are required for all `SOC2-scoped` repositories. `Security-tracked` repositories are not required to have the controls but should be strongly considered. If a repository is categorized as `Out-of-scope` it does not require any controls. + +- Branch protection: a repository must not allow committing directly to the `main` branch. +- PR approvals: merging changes to the main branch must require an approval +- Test plan: PRs must have a Test Plan in the PR description. +- CODEOWNERS: a repository must have a CODEOWNERS file. +- CLA: non-Sourcegraph employees can only contribute to the repo by signing a CLA. +- CI tests: code must pass tests (unit, integration, etc) before merging. +- SAST: code must pass security testing before merging. 
diff --git a/content/departments/security/security-support-rotation.md b/content/departments/security/security-support-rotation.md index dc1064d0b632..5204e2305460 100644 --- a/content/departments/security/security-support-rotation.md +++ b/content/departments/security/security-support-rotation.md @@ -131,3 +131,7 @@ We are notified when a user submits request for vendor procurement. 5. Review the attached documents with above guidelines in mind 6. If a security portal link from the vendor is provided, request access and review information available there 7. Click approve or deny based on your review + +### New repository alert + +We get alerts for new repositories created in the Sourcegraph GitHub org. These repositories should be added to [this spreadsheet](https://docs.google.com/spreadsheets/d/1IPQv9lPe1J3fwx_ZwOV-Tu4PqyP_c4bXKd3p_uw291s/edit#gid=0) and categorized as per our Repository policy: `SOC2-compliant`, `SOC2-in-progress`, `Security-tracked` or `Out-of-scope`.
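Review bot: In the repo-policies.md hunk, the category names this policy defines (`SOC2-scoped`, `Security-tracked`, `Out-of-scope`) do not match the names the rotation page in the same patch tells the on-call engineer to use (`SOC2-compliant`, `SOC2-in-progress`, `Security-tracked`, `Out-of-scope`); pick one set and define every value in the "Repository categories" section, otherwise new repositories will be classified against categories that have no controls attached. The controls list also leaves the enforceable parts underspecified: "PR approvals: merging changes to the main branch must require an approval" should say how many approvals and whether CODEOWNERS review is required (the CODEOWNERS control is otherwise just a file with no effect), "Branch protection" should state whether the rule applies to administrators, and "Test plan" and "SAST" name no mechanism for checking the requirement before merge. Minor: that bullet is the only one without a terminating period, and the page title uses `##` like its sub-sections rather than a top-level heading.

Review bot: In the security-support-rotation.md hunk, the "New repository alert" step sends the engineer to "our Repository policy" without linking the new `repo-policies.md` page added in this same change, and it uses category values (`SOC2-compliant`, `SOC2-in-progress`) that the policy page does not define; link the policy and use its exact category names. The procedure also stops at recording the category in the spreadsheet: for a repository classified as `SOC2-scoped` the rotation should include a step to apply (or confirm) the required controls from the policy, since the policy page has no other trigger for that.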