safebank-fe

Overview

This report describes the hardening strategy implemented to secure the GitHub environments for all repositories of IE-SafeBank. Our strategy leverages GitHub Advanced Security features to detect vulnerabilities, prevent accidental exposure of sensitive information, and enforce secure coding practices.

---

Components of the Hardening Strategy

Secret Scanning

• Purpose: Automatically detects and alerts on the inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in the codebase.
• Configuration:
  • Secret scanning has been enabled for all repositories (Frontend, Backend, and Infra).
  • Push protection is enabled to block contributors from pushing secrets, with alerts configured for bypasses.
• Benefits: Prevents the exposure of sensitive credentials.
• Links:
  • Secret Scanning Configurations: Frontend
  • Secret Scanning Configurations: Backend
  • Secret Scanning Configurations: Infrastructure

---

Push Protection

• Purpose: Prevents secrets from being accidentally committed and pushed to repositories to avoid possible security breaches.
• Configuration:
  • Push protection is enabled in repository settings for all branches.
  • Contributors are notified and blocked when secrets are detected during a push operation.
• Benefits: Prevents secrets from being included in version history.
• Evidence: (Add links to evidence if available)

---

CodeQL for Code Scanning

• Purpose: Identify vulnerabilities and security issues in the Frontend (Vue.js) and Backend (Python) codebase using semantic analysis.
• Configuration:
  • CodeQL workflows are configured for both the Frontend and Backend repositories.
  • Analysis is performed automatically on every push and pull request to the main branch.
• Benefits: Detects a wide range of vulnerabilities such as SQL injection, XSS, and insecure API usage.
• Links:
  • CodeQL Workflow Configuration BE: Workflow
  • CodeQL Analysis Run BE: Workflow
  • CodeQL Workflow Configuration FE: Workflow
  • CodeQL Analysis Run FE: Workflow

---

OSSF Scorecard

• Purpose: Assess and improve the security posture of the repositories based on industry-standard security practices.
• Configuration:
  • Workflows configured to run the OSSF Scorecard analysis periodically.
  • Scorecard reports provide actionable recommendations for improving repository security.
• Benefits: Highlights areas to improve security hygiene, such as branch protection, CI/CD security, and dependencies management.
• Links:
  • OSSF Scorecard Workflow Infra: Workflow
  • OSSF Scorecard Analysis Results Infra: Workflow
  • OSSF Scorecard Workflow BE: Workflow
  • OSSF Scorecard Analysis Results BE: Workflow
  • OSSF Scorecard Workflow FE: Workflow
  • OSSF Scorecard Analysis Results FE: Workflow

---

Dependabot

• Purpose: Automatically detect and notify the team about outdated dependencies and reusable workflows.
• Configuration:
  • Dependabot is configured to monitor dependencies and GitHub Actions in all repositories.
  • Pull requests are automatically created for updates to dependencies with known vulnerabilities.
• Benefits: Ensures dependencies are up-to-date and reduces the attack surface by addressing vulnerabilities quickly.
• Evidence: (Add links to evidence if available)

---

CODEOWNERS

• Purpose: Define code ownership and automatically assign reviewers to pull requests for specific files or directories.
• Configuration:
  • Full-stack developers are global owners of the Frontend and Backend repositories.
  • Infrastructure developers are global owners of the Infra repository.
• Benefits: Ensures the right domain experts review code changes, improving code quality and accountability.
• Links:
  • CODEOWNERS File - Frontend Repo
  • CODEOWNERS File - Backend Repo
  • CODEOWNERS File - Infra Repo

---

Implementation Workflow

Workflow for Code Scanning

1. CodeQL scans are triggered on every pull request and commit.
2. Results are reviewed by CODEOWNERS for relevant sections of the codebase.
3. Any detected issues are addressed promptly before merging.

---

Workflow for Dependency Management

1. Dependabot monitors dependency updates and submits pull requests.
2. Dependency reviews are conducted as part of the pull request review process.
3. Approved updates are merged and deployed.

---

Workflow for Secret Management

1. Push protection prevents commits containing secrets.
2. Alerts are reviewed and addressed if a bypass occurs.
3. Secret scanning runs on a schedule to catch any existing secrets in the codebase.

---

Benefits of the Strategy

• Improved Security Posture: Proactively detects and mitigates vulnerabilities.
• Enhanced Collaboration: Automates code review assignments and dependency updates.
• Streamlined Processes: Integrates security into the development workflow without hindering productivity.
• Compliance: Ensures adherence to security best practices and compliance requirements.