gitlabcis 1.3.2__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- gitlabcis/__init__.py +12 -0
- gitlabcis/__main__.py +7 -0
- gitlabcis/benchmarks/__init__.py +8 -0
- gitlabcis/benchmarks/artifacts_4/__init__.py +4 -0
- gitlabcis/benchmarks/artifacts_4/access_to_artifacts_4_2.py +139 -0
- gitlabcis/benchmarks/artifacts_4/origin_traceability_4_4.py +11 -0
- gitlabcis/benchmarks/artifacts_4/package_registries_4_3.py +105 -0
- gitlabcis/benchmarks/artifacts_4/verification_4_1.py +83 -0
- gitlabcis/benchmarks/build_pipelines_2/__init__.py +4 -0
- gitlabcis/benchmarks/build_pipelines_2/build_environment_2_1.py +268 -0
- gitlabcis/benchmarks/build_pipelines_2/build_worker_2_2.py +129 -0
- gitlabcis/benchmarks/build_pipelines_2/pipeline_instructions_2_3.py +444 -0
- gitlabcis/benchmarks/build_pipelines_2/pipeline_integrity_2_4.py +146 -0
- gitlabcis/benchmarks/dependencies_3/__init__.py +2 -0
- gitlabcis/benchmarks/dependencies_3/third_party_packages_3_1.py +171 -0
- gitlabcis/benchmarks/dependencies_3/validate_packages_3_2.py +182 -0
- gitlabcis/benchmarks/deployment_5/__init__.py +2 -0
- gitlabcis/benchmarks/deployment_5/deployment_configuration_5_1.py +165 -0
- gitlabcis/benchmarks/deployment_5/deployment_environment_5_2.py +66 -0
- gitlabcis/benchmarks/source_code_1/__init__.py +6 -0
- gitlabcis/benchmarks/source_code_1/code_changes_1_1.py +665 -0
- gitlabcis/benchmarks/source_code_1/code_risks_1_5.py +506 -0
- gitlabcis/benchmarks/source_code_1/contribution_access_1_3.py +334 -0
- gitlabcis/benchmarks/source_code_1/repository_management_1_2.py +168 -0
- gitlabcis/benchmarks/source_code_1/third_party_1_4.py +139 -0
- gitlabcis/cli/__init__.py +0 -0
- gitlabcis/cli/log.py +30 -0
- gitlabcis/cli/main.py +541 -0
- gitlabcis/cli/output.py +151 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/external_auth_server.yml +51 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/limit_artifact_uploaders.yml +57 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/limit_certifying_artifacts.yml +53 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/minimum_package_registry_admins.yml +54 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/readme.md +14 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/require_mfa_to_package_registry.yml +52 -0
- gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/restrict_anonymous_access.yml +67 -0
- gitlabcis/recommendations/artifacts_4/origin_traceability_4_4/artifact_origin_info.yml +56 -0
- gitlabcis/recommendations/artifacts_4/origin_traceability_4_4/readme.md +7 -0
- gitlabcis/recommendations/artifacts_4/package_registries_4_3/all_artifact_versions_signed.yml +70 -0
- gitlabcis/recommendations/artifacts_4/package_registries_4_3/audit_package_registry_config.yml +46 -0
- gitlabcis/recommendations/artifacts_4/package_registries_4_3/readme.md +12 -0
- gitlabcis/recommendations/artifacts_4/package_registries_4_3/secure_repo_webhooks.yml +50 -0
- gitlabcis/recommendations/artifacts_4/package_registries_4_3/validate_signed_artifacts_on_upload.yml +72 -0
- gitlabcis/recommendations/artifacts_4/readme.md +12 -0
- gitlabcis/recommendations/artifacts_4/verification_4_1/encrypt_artifacts_before_distribution.yml +47 -0
- gitlabcis/recommendations/artifacts_4/verification_4_1/only_authorized_platforms_can_decrypt_artifacts.yml +59 -0
- gitlabcis/recommendations/artifacts_4/verification_4_1/readme.md +11 -0
- gitlabcis/recommendations/artifacts_4/verification_4_1/sign_artifacts_in_build_pipeline.yml +40 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/authenticate_build_access.yml +55 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_automation.yml +54 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_env_admins.yml +55 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_logging.yml +49 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/disable_build_tools_default_passwords.yml +54 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/immutable_pipeline_infrastructure.yml +60 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/limit_build_access.yml +64 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/limit_build_secrets_scope.yml +56 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/readme.md +19 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/secure_build_env_webhooks.yml +43 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/single_responsibility_pipeline.yml +58 -0
- gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/vuln_scanning.yml +64 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/build_worker_vuln_scanning.yml +58 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/monitor_worker_resource_consumption.yml +59 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/pass_worker_envs_and_commands.yml +48 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/readme.md +16 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/restrict_worker_connectivity.yml +61 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/segregate_worker_duties.yml +78 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/single_use_workers.yml +47 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/store_worker_config.yml +62 -0
- gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/worker_runtime_security.yml +37 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/build_stage_io.yml +49 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/build_steps_as_code.yml +42 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/limit_pipeline_triggers.yml +76 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_misconfiguration_scanning.yml +48 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_secret_scanning.yml +56 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_vuln_scanning.yml +44 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/readme.md +16 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/secure_pipeline_output.yml +52 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/track_pipeline_files.yml +48 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/create_reproducible_artifacts.yml +52 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/lock_dependencies.yml +59 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/pipeline_produces_sbom.yml +81 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/pipeline_signs_sbom.yml +38 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/readme.md +14 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/sign_artifacts.yml +35 -0
- gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/validate_dependencies.yml +63 -0
- gitlabcis/recommendations/build_pipelines_2/readme.md +12 -0
- gitlabcis/recommendations/dependencies_3/readme.md +10 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/define_package_managers.yml +84 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/dependency_sbom.yml +84 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/monitor_dependencies.yml +61 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/packages_over_60_days_old.yml +95 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/pin_dependency_version.yml +48 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/readme.md +14 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/third_party_sbom_required.yml +70 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/verify_artifacts.yml +45 -0
- gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/verify_signed_metadata.yml +41 -0
- gitlabcis/recommendations/dependencies_3/validate_packages_3_2/org_wide_dependency_policy.yml +47 -0
- gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_license_scanning.yml +47 -0
- gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_ownership_change.yml +42 -0
- gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_vuln_scanning.yml +62 -0
- gitlabcis/recommendations/dependencies_3/validate_packages_3_2/readme.md +10 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/audit_deployment_config.yml +46 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/limit_deployment_config_access.yml +51 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/pin_deployment_config_manifests.yml +59 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/readme.md +13 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/scan_iac.yml +72 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/secret_scan_deployment_config.yml +45 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/separate_deployment_config.yml +50 -0
- gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/verify_deployment_config.yml +49 -0
- gitlabcis/recommendations/deployment_5/deployment_environment_5_2/automate_deployment.yml +47 -0
- gitlabcis/recommendations/deployment_5/deployment_environment_5_2/disable_default_passwords.yml +63 -0
- gitlabcis/recommendations/deployment_5/deployment_environment_5_2/limit_prod_access.yml +45 -0
- gitlabcis/recommendations/deployment_5/deployment_environment_5_2/readme.md +12 -0
- gitlabcis/recommendations/deployment_5/deployment_environment_5_2/reproducible_deployment.yml +50 -0
- gitlabcis/recommendations/deployment_5/readme.md +10 -0
- gitlabcis/recommendations/readme.md +24 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/audit_branch_protections.yml +56 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/auto_risk_scan_merges.yml +62 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/branch_protections_for_admins.yml +60 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/branches_updated_before_merging.yml +56 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/checks_pass_before_merging.yml +57 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_approval_dismissals.yml +62 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_approvals.yml +65 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_changes_require_code_owners.yml +68 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_dismissal_restrictions.yml +69 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_owners.yml +61 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/code_tracing.yml +52 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/comments_resolved_before_merging.yml +59 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/commits_must_be_signed_before_merging.yml +63 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/default_branch_protected.yml +85 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/deny_branch_deletions.yml +76 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/ensure_force_push_is_denied.yml +59 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/linear_history_required.yml +56 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/merging_restrictions.yml +65 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/readme.md +26 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/stale_branch_reviews.yml +72 -0
- gitlabcis/recommendations/source_code_1/code_changes_1_1/version_control.yml +45 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/dast_api_scanning.yml +50 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/dast_web_scanning.yml +51 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/dependency_scanning.yml +84 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/enable_secret_detection.yml +45 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/license_scanning.yml +47 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/readme.md +14 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/secure_iac_instructions.yml +81 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/secure_pipeline_instructions.yml +62 -0
- gitlabcis/recommendations/source_code_1/code_risks_1_5/vulnerability_scanning.yml +48 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/domain_verification.yml +65 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/ensure_2_admins_per_repo.yml +56 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/limit_top_level_group_creation.yml +61 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/limit_user_registration_domain.yml +58 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/minimum_number_of_admins.yml +56 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/org_provided_ssh_certs.yml +70 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/readme.md +21 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/require_mfa_at_org_level.yml +89 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/require_mfa_for_contributors.yml +76 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/restrict_ip_addresses.yml +84 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/review_and_remove_inactive_users.yml +62 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/scm_notification_restriction.yml +46 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/strict_permissions_for_repo.yml +62 -0
- gitlabcis/recommendations/source_code_1/contribution_access_1_3/track_code_anomalies.yml +43 -0
- gitlabcis/recommendations/source_code_1/readme.md +13 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_issue_deletions.yml +57 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_repo_creations.yml +64 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_repo_deletions.yml +57 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/public_repos_have_security_file.yml +59 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/readme.md +15 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/review_and_archive_stale_repos.yml +65 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/track_forks.yml +74 -0
- gitlabcis/recommendations/source_code_1/repository_management_1_2/track_project_visibility_status.yml +74 -0
- gitlabcis/recommendations/source_code_1/third_party_1_4/README.md +12 -0
- gitlabcis/recommendations/source_code_1/third_party_1_4/admin_approval_for_app_installs.yml +83 -0
- gitlabcis/recommendations/source_code_1/third_party_1_4/least_privilge_app_permissions.yml +103 -0
- gitlabcis/recommendations/source_code_1/third_party_1_4/secure_webhooks.yml +73 -0
- gitlabcis/recommendations/source_code_1/third_party_1_4/stale_app_reviews.yml +66 -0
- gitlabcis/recommendations/template.yml +30 -0
- gitlabcis/tests/__init__.py +0 -0
- gitlabcis/tests/input/__init__.py +0 -0
- gitlabcis/tests/input/conftest.py +29 -0
- gitlabcis/tests/input/no_input_test.py +82 -0
- gitlabcis/tests/input/switch_test.py +19 -0
- gitlabcis/tests/input/version_test.py +7 -0
- gitlabcis/tests/unit/__init__.py +0 -0
- gitlabcis/tests/unit/benchmarks/artifacts_4/access_to_artifacts_4_2_test.py +131 -0
- gitlabcis/tests/unit/benchmarks/artifacts_4/origin_traceability_4_4_test.py +15 -0
- gitlabcis/tests/unit/benchmarks/artifacts_4/package_registries_4_3_test.py +102 -0
- gitlabcis/tests/unit/benchmarks/artifacts_4/verification_4_1_test.py +78 -0
- gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_environment_2_1_test.py +239 -0
- gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_worker_2_2_test.py +105 -0
- gitlabcis/tests/unit/benchmarks/build_pipelines_2/pipeline_instructions_2_3_test.py +340 -0
- gitlabcis/tests/unit/benchmarks/build_pipelines_2/pipeline_integrity_2_4_test.py +115 -0
- gitlabcis/tests/unit/benchmarks/conftest.py +47 -0
- gitlabcis/tests/unit/benchmarks/dependencies_3/third_party_packages_3_1_test.py +135 -0
- gitlabcis/tests/unit/benchmarks/dependencies_3/validate_packages_3_2_test.py +171 -0
- gitlabcis/tests/unit/benchmarks/deployment_5/deployment_configuration_5_1_test.py +140 -0
- gitlabcis/tests/unit/benchmarks/deployment_5/deployment_environment_5_2_test.py +60 -0
- gitlabcis/tests/unit/benchmarks/function_test.py +24 -0
- gitlabcis/tests/unit/benchmarks/source_code_1/code_changes_1_1_test.py +565 -0
- gitlabcis/tests/unit/benchmarks/source_code_1/code_risks_1_5_test.py +419 -0
- gitlabcis/tests/unit/benchmarks/source_code_1/contribution_access_1_3_test.py +265 -0
- gitlabcis/tests/unit/benchmarks/source_code_1/repository_management_1_2_test.py +142 -0
- gitlabcis/tests/unit/benchmarks/source_code_1/third_party_1_4_test.py +119 -0
- gitlabcis/tests/unit/conftest.py +94 -0
- gitlabcis/tests/unit/log/log_test.py +23 -0
- gitlabcis/tests/unit/utils/argfilters_test.py +9 -0
- gitlabcis/tests/unit/utils/ci_test.py +156 -0
- gitlabcis/tests/unit/utils/output_test.py +95 -0
- gitlabcis/tests/unit/utils/utils_general_test.py +149 -0
- gitlabcis/tests/unit/utils/version_test.py +11 -0
- gitlabcis/tests/unit/yaml/bad_file_test.py +15 -0
- gitlabcis/tests/unit/yaml/recommendation_test.py +123 -0
- gitlabcis/utils/__init__.py +146 -0
- gitlabcis/utils/ci.py +132 -0
- gitlabcis-1.3.2.dist-info/LICENSE +21 -0
- gitlabcis-1.3.2.dist-info/METADATA +241 -0
- gitlabcis-1.3.2.dist-info/RECORD +218 -0
- gitlabcis-1.3.2.dist-info/WHEEL +5 -0
- gitlabcis-1.3.2.dist-info/entry_points.txt +2 -0
- gitlabcis-1.3.2.dist-info/top_level.txt +1 -0
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 5.2.1
|
|
3
|
+
name: automate_deployment
|
|
4
|
+
title: Ensure deployments are automated
|
|
5
|
+
profile: 1
|
|
6
|
+
category: deployment
|
|
7
|
+
sub_category: deployment_environment
|
|
8
|
+
description: >-
|
|
9
|
+
Automate deployments of production environment and application.
|
|
10
|
+
rationale: >-
|
|
11
|
+
Automating the deployments of both production environment and applications reduces
|
|
12
|
+
the risk for human mistakes — such as a wrong configuration or exposure of sensitive
|
|
13
|
+
data — because it requires less human interaction or intervention. It also eases
|
|
14
|
+
redeployment of the environment. It is best to automate with Infrastructure as Code
|
|
15
|
+
(IaC) because it offers more control over changes made to the environment creation
|
|
16
|
+
configuration and stores to a version control platform.
|
|
17
|
+
impact: >-
|
|
18
|
+
audit: >-
|
|
19
|
+
For each deployment process, ensure it is automated.
|
|
20
|
+
remediation: >-
|
|
21
|
+
Automate each deployment process of the production environment and application.
|
|
22
|
+
default_value:
|
|
23
|
+
references:
|
|
24
|
+
cis_controls:
|
|
25
|
+
- id: 16.1
|
|
26
|
+
version: 8
|
|
27
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
28
|
+
description: >-
|
|
29
|
+
Establish and maintain a secure application development process. In the
|
|
30
|
+
process, address such items as: secure application design standards, secure coding
|
|
31
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
32
|
+
and application security testing procedures. Review and update documentation
|
|
33
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
34
|
+
Safeguard.
|
|
35
|
+
implementation_groups:
|
|
36
|
+
- IG2
|
|
37
|
+
- IG3
|
|
38
|
+
- id: 18.1
|
|
39
|
+
version: 7
|
|
40
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
41
|
+
description: >-
|
|
42
|
+
Establish secure coding practices appropriate to the programming language and
|
|
43
|
+
development environment being used.
|
|
44
|
+
implementation_groups:
|
|
45
|
+
- IG2
|
|
46
|
+
- IG3
|
|
47
|
+
additional_info: >-
|
gitlabcis/recommendations/deployment_5/deployment_environment_5_2/disable_default_passwords.yml
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 5.2.4
|
|
3
|
+
name: disable_default_passwords
|
|
4
|
+
title: Ensure default passwords are not used
|
|
5
|
+
profile: 1
|
|
6
|
+
category: deployment
|
|
7
|
+
sub_category: deployment_environment
|
|
8
|
+
description: >-
|
|
9
|
+
Do not use default passwords of deployment tools and components.
|
|
10
|
+
rationale: >-
|
|
11
|
+
Many deployment tools and components are provided with default passwords for the
|
|
12
|
+
first login. This password is intended to be used only on the first login and should be
|
|
13
|
+
changed immediately after. Using the default password substantially increases the
|
|
14
|
+
attack risk. It is very important to ensure that default passwords are not used in
|
|
15
|
+
deployment tools and components.
|
|
16
|
+
impact: >-
|
|
17
|
+
audit: |
|
|
18
|
+
GitLab's default root password depends on the installation method, and when the installation occurred:
|
|
19
|
+
1. When deploying a GitLab instance using the official AWS AMI, the root password to the instance is the EC2 Instance ID
|
|
20
|
+
2. Most installation methods allow a non-default password to be provided as configuration
|
|
21
|
+
3. Prior to 14.0 the default password was 5iveL!fe
|
|
22
|
+
4. Otherwise the default password is unique and randomly generated.
|
|
23
|
+
|
|
24
|
+
Attempt to log in as root using a suspected default password to audit whether it has changed.
|
|
25
|
+
For any other external build tools, ensure the password used is not the default one.
|
|
26
|
+
remediation: >-
|
|
27
|
+
GitLab's root password can be changed by an administrator using the UI, the
|
|
28
|
+
“gitlab:password:reset” rake task, or by using the Rails console.
|
|
29
|
+
For each build tool with a default password, change to a unique cryptographically
|
|
30
|
+
secure pseudorandom password.
|
|
31
|
+
default_value:
|
|
32
|
+
references:
|
|
33
|
+
cis_controls:
|
|
34
|
+
- id: 5.2
|
|
35
|
+
version: 8
|
|
36
|
+
name: Use Unique Passwords
|
|
37
|
+
description: >-
|
|
38
|
+
Use unique passwords for all enterprise assets. Best practice implementation
|
|
39
|
+
includes, at a minimum, an 8-character password for accounts using MFA and a
|
|
40
|
+
14-character password for accounts not using MFA.
|
|
41
|
+
implementation_groups:
|
|
42
|
+
- IG1
|
|
43
|
+
- IG2
|
|
44
|
+
- IG3
|
|
45
|
+
- id: 4.2
|
|
46
|
+
version: 7
|
|
47
|
+
name: Change Default Passwords
|
|
48
|
+
description: >-
|
|
49
|
+
Before deploying any new asset, change all default passwords to have values
|
|
50
|
+
consistent with administrative level accounts.
|
|
51
|
+
implementation_groups:
|
|
52
|
+
- IG1
|
|
53
|
+
- IG2
|
|
54
|
+
- IG3
|
|
55
|
+
- id: 4.4
|
|
56
|
+
version: 7
|
|
57
|
+
name: example
|
|
58
|
+
description: >-
|
|
59
|
+
Use Unique Passwords
|
|
60
|
+
implementation_groups:
|
|
61
|
+
- IG2
|
|
62
|
+
- IG3
|
|
63
|
+
additional_info: >-
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 5.2.3
|
|
3
|
+
name: limit_prod_access
|
|
4
|
+
title: Ensure access to production environment is limited
|
|
5
|
+
profile: 1
|
|
6
|
+
category: deployment
|
|
7
|
+
sub_category: deployment_environment
|
|
8
|
+
description: >-
|
|
9
|
+
Restrict access to the production environment to a few trusted and qualified users only.
|
|
10
|
+
rationale: >-
|
|
11
|
+
The production environment is an extremely sensitive one. It directly affects the
|
|
12
|
+
customer experience and trust in a product, which has serious effects on the
|
|
13
|
+
organization itself. Because of this sensitive nature, it is important to restrict access to
|
|
14
|
+
the production environment to only a few trusted and qualified users. This will reduce
|
|
15
|
+
the risk of mistakes such as exposure of secrets or misconfiguration. This restriction
|
|
16
|
+
also reduces the number of accounts that are vulnerable to hijacking in order to
|
|
17
|
+
potentially harm the production environment.
|
|
18
|
+
impact: >-
|
|
19
|
+
Reducing the number of users who have access to the production environment means
|
|
20
|
+
those users would lose their ability to make direct changes to that environment.
|
|
21
|
+
audit: >-
|
|
22
|
+
Verify that the production environment is accessible only to trusted and qualified users.
|
|
23
|
+
remediation: >-
|
|
24
|
+
Restrict access to the production environment to trusted and qualified users.
|
|
25
|
+
default_value:
|
|
26
|
+
references:
|
|
27
|
+
cis_controls:
|
|
28
|
+
- id: 16.8
|
|
29
|
+
version: 8
|
|
30
|
+
name: Separate Production and Non-Production Systems
|
|
31
|
+
description: >-
|
|
32
|
+
Maintain separate environments for production and non-production systems.
|
|
33
|
+
implementation_groups:
|
|
34
|
+
- IG2
|
|
35
|
+
- IG3
|
|
36
|
+
- id: 18.9
|
|
37
|
+
version: 7
|
|
38
|
+
name: Separate Production and Non-Production Systems
|
|
39
|
+
description: >-
|
|
40
|
+
Maintain separate environments for production and nonproduction systems.
|
|
41
|
+
Developers should not have unmonitored access to production environments.
|
|
42
|
+
implementation_groups:
|
|
43
|
+
- IG2
|
|
44
|
+
- IG3
|
|
45
|
+
additional_info: >-
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
# 5.2 Deployment Environment
|
|
2
|
+
|
|
3
|
+
This section consists of security recommendations for the management of the deployment environment.
|
|
4
|
+
|
|
5
|
+
The deployment environment is the orchestrator and the production environment where the application is deployed. It directly affects the customer experience and trust in a product, which has serious effects on the organization itself. Securing it varies from access management to automation.
|
|
6
|
+
|
|
7
|
+
## Recommendations
|
|
8
|
+
|
|
9
|
+
* [5.2.1 - automate_deployment.yml](./automate_deployment.yml)
|
|
10
|
+
* [5.2.2 - reproducible_deployment.yml](./reproducible_deployment.yml)
|
|
11
|
+
* [5.2.3 - limit_prod_access.yml](./limit_prod_access.yml)
|
|
12
|
+
* [5.2.4 - disable_default_passwords.yml](./disable_default_passwords.yml)
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 5.2.2
|
|
3
|
+
name: reproducible_deployment
|
|
4
|
+
title: Ensure the deployment environment is reproducible
|
|
5
|
+
profile: 1
|
|
6
|
+
category: deployment
|
|
7
|
+
sub_category: deployment_environment
|
|
8
|
+
description: >-
|
|
9
|
+
Verify that the deployment environment - the orchestrator and the production
|
|
10
|
+
environment where the application is deployed - is reproducible. This means that the
|
|
11
|
+
environment stays the same in each deployment if the configuration has not changed.
|
|
12
|
+
rationale: >-
|
|
13
|
+
A reproducible build is a build that produces the same artifact when given the same
|
|
14
|
+
input data, and in this case the same environment. Ensuring that the same environment
|
|
15
|
+
is produced when given the same input helps verify that no change has been made to it.
|
|
16
|
+
This action allows an organization to trust that its deployment environment is built only
|
|
17
|
+
from safe code and configuration that has been reviewed and tested and has not been
|
|
18
|
+
tainted or changed abruptly.
|
|
19
|
+
impact: >-
|
|
20
|
+
audit: >-
|
|
21
|
+
Verify that the deployment/production environment is reproducible.
|
|
22
|
+
remediation: >-
|
|
23
|
+
Adjust the process that deploys the deployment/production environment to build the
|
|
24
|
+
same environment each time when the configuration has not changed.
|
|
25
|
+
default_value:
|
|
26
|
+
references:
|
|
27
|
+
cis_controls:
|
|
28
|
+
- id: 16.1
|
|
29
|
+
version: 8
|
|
30
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
31
|
+
description: >-
|
|
32
|
+
Establish and maintain a secure application development process. In the
|
|
33
|
+
process, address such items as: secure application design standards, secure coding
|
|
34
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
35
|
+
and application security testing procedures. Review and update documentation
|
|
36
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
37
|
+
Safeguard.
|
|
38
|
+
implementation_groups:
|
|
39
|
+
- IG2
|
|
40
|
+
- IG3
|
|
41
|
+
- id: 18.1
|
|
42
|
+
version: 7
|
|
43
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
44
|
+
description: >-
|
|
45
|
+
Establish secure coding practices appropriate to the programming language and
|
|
46
|
+
development environment being used.
|
|
47
|
+
implementation_groups:
|
|
48
|
+
- IG2
|
|
49
|
+
- IG3
|
|
50
|
+
additional_info: >-
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# 5 Deployment
|
|
2
|
+
|
|
3
|
+
This section consists of security recommendations for management of the release process, the application deployment, and the configuration files that comes with it.
|
|
4
|
+
|
|
5
|
+
This is the final phase of the software supply chain. After that, the client already uses the application, and it is running in production. This phase contains the deployment orchestrator, the deployment configuration, the manifest files, and the deployment environment. It is important to secure all of these to deliver the software to the client safely.
|
|
6
|
+
|
|
7
|
+
## Sections
|
|
8
|
+
|
|
9
|
+
- [5.1 - Deployment Configuration](./deployment_configuration_5_1)
|
|
10
|
+
- [5.2 - Deployment Environment](./deployment_environment_5_2)
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Controls
|
|
2
|
+
|
|
3
|
+
* [1 - Source Code](./source_code_1)
|
|
4
|
+
* [1.1 - Code Changes](./source_code_1/code_changes_1_1)
|
|
5
|
+
* [1.2 - Repository Management](./source_code_1/repository_management_1_2)
|
|
6
|
+
* [1.3 - Contribution Access](./source_code_1/contribution_access_1_3)
|
|
7
|
+
* [1.4 - Third-Party](./source_code_1/third_party_1_4)
|
|
8
|
+
* [1.5 - Code Risks](./source_code_1/code_risks_1_5)
|
|
9
|
+
* [2 - Build Pipelines](./build_pipelines_2)
|
|
10
|
+
* [2.1 - Build Environment](./build_pipelines_2/build_environment_2_1)
|
|
11
|
+
* [2.2 - Build Worker](./build_pipelines_2/build_worker_2_2)
|
|
12
|
+
* [2.3 - Pipeline Instructions](./build_pipelines_2/pipeline_instructions_2_3)
|
|
13
|
+
* [2.4 - Pipeline Integrity](./build_pipelines_2/pipeline_integrity_2_4)
|
|
14
|
+
* [3 - Dependencies](./dependencies_3)
|
|
15
|
+
* [3.1 - Third-Party Packages](./dependencies_3/third_party_packages_3_1)
|
|
16
|
+
* [3.2 - Validate Packages](./dependencies_3/validate_packages_3_2)
|
|
17
|
+
* [4 - Artifacts](./artifacts_4)
|
|
18
|
+
* [4.1 - Verification](./artifacts_4/verification_4_1)
|
|
19
|
+
* [4.2 - Access to Artifacts](./artifacts_4/access_to_artifacts_4_2)
|
|
20
|
+
* [4.3 - Package Registries](./artifacts_4/package_registries_4_3)
|
|
21
|
+
* [4.4 - Origin Traceability](./artifacts_4/origin_traceability_4_4)
|
|
22
|
+
* [5 - Deployment](./deployment_5)
|
|
23
|
+
* [5.1 - Deployment Configuration](./deployment_5/deployment_configuration_5_1)
|
|
24
|
+
* [5.2 - Deployment Environment](./deployment_5/deployment_environment_5_2)
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.19
|
|
3
|
+
name: audit_branch_protections
|
|
4
|
+
title: Ensure any changes to branch protection rules are audited
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Ensure that changes in the branch protection rules are audited.
|
|
10
|
+
rationale: >-
|
|
11
|
+
Branch protection rules should be configured on every repository. The only users who
|
|
12
|
+
may change such rules are administrators. In a case of an attack on an administrator
|
|
13
|
+
account or of human error on the part of an administrator, protection rules could be
|
|
14
|
+
disabled, and thus decrease source code confidentiality as a result. It is important to
|
|
15
|
+
track and audit such changes to prevent potential incidents as soon as possible.
|
|
16
|
+
impact: >-
|
|
17
|
+
audit: |
|
|
18
|
+
Ensure that changes in the branch protection rules are audited regularly. You can view audit events from user actions across an entire GitLab instance.
|
|
19
|
+
|
|
20
|
+
To view instance audit events:
|
|
21
|
+
1. On the left sidebar, select Search or go to.
|
|
22
|
+
2. Select Admin Area.
|
|
23
|
+
3. On the left sidebar, select Monitoring > Audit Events.
|
|
24
|
+
4. Filter by the following:Event Type protected_branch_updated. This event type is triggered when the setting for protected branches is updated.
|
|
25
|
+
5. Ensure every action is reasonable and secure and is investigated if not.
|
|
26
|
+
remediation: |
|
|
27
|
+
Use the audit log to audit changes in branch protection rules by performing the following:
|
|
28
|
+
1. On the left sidebar, select Search or go to.
|
|
29
|
+
2. Select Admin Area.
|
|
30
|
+
3. On the left sidebar, select Monitoring > Audit Events.
|
|
31
|
+
4. Filter by the following:Event Type protected_branch_updated
|
|
32
|
+
5. Ensure every action is reasonable and secure and is investigated if not.
|
|
33
|
+
default_value:
|
|
34
|
+
references:
|
|
35
|
+
- https://docs.gitlab.com/ee/administration/audit_event_streaming/audit_event_types.html
|
|
36
|
+
cis_controls:
|
|
37
|
+
- id: 8.5
|
|
38
|
+
version: 8
|
|
39
|
+
name: Collect Detailed Audit Logs
|
|
40
|
+
description: >-
|
|
41
|
+
Configure detailed audit logging for enterprise assets containing sensitive data.
|
|
42
|
+
Include event source, date, username, timestamp, source addresses, destination
|
|
43
|
+
addresses, and other useful elements that could assist in a forensic investigation.
|
|
44
|
+
implementation_groups:
|
|
45
|
+
- IG2
|
|
46
|
+
- IG3
|
|
47
|
+
- id: 6.2
|
|
48
|
+
version: 8
|
|
49
|
+
name: Activate audit logging
|
|
50
|
+
description: >-
|
|
51
|
+
Ensure that local logging has been enabled on all systems and networking devices.
|
|
52
|
+
implementation_groups:
|
|
53
|
+
- IG1
|
|
54
|
+
- IG2
|
|
55
|
+
- IG3
|
|
56
|
+
additional_info: >-
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.18
|
|
3
|
+
name: auto_risk_scan_merges
|
|
4
|
+
title: Ensure any merging of code is automatically scanned for risks
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Ensure that every merge request is required to be scanned for risks.
|
|
10
|
+
rationale: >-
|
|
11
|
+
Scanning merge requests to detect risks allows for early detection of vulnerable code
|
|
12
|
+
and/or dependencies and helps mitigate potentially malicious code.
|
|
13
|
+
impact: >-
|
|
14
|
+
audit: |
|
|
15
|
+
For each project in use, ensure that every merge request must be scanned for risks by performing the following:
|
|
16
|
+
On the left sidebar, select Search or go to and search for the go-example-a project.
|
|
17
|
+
1. Go to Secure > Policies.
|
|
18
|
+
2. Review your list of existing policies. The Policy Type column will indicate whether you have enabled a Scan Execution Policy for the specified project.
|
|
19
|
+
3. Click on the Name in order to view the policy details which specifies which scanners run when code is merged.
|
|
20
|
+
remediation: |
|
|
21
|
+
For each project in use, ensure that every merge request must be scanned for risks by creating a scan execution policy:
|
|
22
|
+
1. On the left sidebar, select Search or go to and search for the go-example-a project.
|
|
23
|
+
2. Go to Secure > Policies.
|
|
24
|
+
3. Select New policy.
|
|
25
|
+
4. In the Scan execution policy section, select Select policy.
|
|
26
|
+
5. Complete the fields.
|
|
27
|
+
• Name: Enforce secret detection.
|
|
28
|
+
• Policy status: Enabled.
|
|
29
|
+
• Actions: Run a Secret Detection scan.
|
|
30
|
+
• Conditions: Triggers every time a pipeline runs for all branches.
|
|
31
|
+
6. Select Configure with a merge request.
|
|
32
|
+
The policy project go-example-a - Security project is created, and a merge request is created.
|
|
33
|
+
7. Optional. Review the generated policy YAML in the merge request's Changes tab.
|
|
34
|
+
8. Go to the Overview tab and select Merge.
|
|
35
|
+
9. On the left sidebar, select Search or go to and search for the go-example-a project.
|
|
36
|
+
10. Go to Secure > Policies.
|
|
37
|
+
|
|
38
|
+
You now have a scan execution policy that runs a secret detection scan on every MR,
|
|
39
|
+
for any branch. Test the policy by creating a merge request in project A.
|
|
40
|
+
default_value:
|
|
41
|
+
references:
|
|
42
|
+
- https://docs.gitlab.com/ee/user/application_security/index.html#enforce-scan-execution
|
|
43
|
+
- https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html
|
|
44
|
+
cis_controls:
|
|
45
|
+
- id: 16.12
|
|
46
|
+
version: 8
|
|
47
|
+
name: Implement Code-Level Security Checks
|
|
48
|
+
description: >-
|
|
49
|
+
Apply static and dynamic analysis tools within the application life cycle to
|
|
50
|
+
verify that secure coding practices are being followed.
|
|
51
|
+
implementation_groups:
|
|
52
|
+
- IG3
|
|
53
|
+
- id: 18.7
|
|
54
|
+
version: 8
|
|
55
|
+
name: Apply Static and Dynamic Code Analysis Tools
|
|
56
|
+
description: >-
|
|
57
|
+
Apply static and dynamic analysis tools to verify that secure coding
|
|
58
|
+
practices are being adhered to for internally developed software.
|
|
59
|
+
implementation_groups:
|
|
60
|
+
- IG2
|
|
61
|
+
- IG3
|
|
62
|
+
additional_info: >-
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.14
|
|
3
|
+
name: branch_protections_for_admins
|
|
4
|
+
title: Ensure branch protection rules are enforced for administrators
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Ensure administrators are subject to branch protection rules.
|
|
10
|
+
rationale: >-
|
|
11
|
+
Administrators by default are excluded from any branch protection rules. This means
|
|
12
|
+
these privileged users (both on the repository and organization levels) are not subject to
|
|
13
|
+
protections meant to prevent untrusted code insertion, including malicious code. This is
|
|
14
|
+
extremely important since administrator accounts are often targeted for account
|
|
15
|
+
hijacking due to their privileged role.
|
|
16
|
+
impact: >-
|
|
17
|
+
Administrator users won't be able to push code directly to the protected branch without
|
|
18
|
+
being compliant with listed branch protection rules.
|
|
19
|
+
audit: |
|
|
20
|
+
GitLab administrators can validate this privilege for group owners, enforcing the instance-level protection rule:
|
|
21
|
+
1. Select Settings > Repository.
|
|
22
|
+
2. On the left sidebar, at the bottom, select Admin Area.
|
|
23
|
+
3. Expand the Default branch section.
|
|
24
|
+
4. Ensure that the Allow owners to manage default branch protection per group is unchecked.
|
|
25
|
+
5. Select Save changes.
|
|
26
|
+
remediation: |
|
|
27
|
+
GitLab administrators can disable this privilege for group owners, enforcing the instance-level protection rule:
|
|
28
|
+
1. On the left sidebar, at the bottom, select Admin Area.
|
|
29
|
+
2. Select Settings > Repository.
|
|
30
|
+
3. Expand the Default branch section.
|
|
31
|
+
4. Uncheck Allow owners to manage default branch protection per group checkbox.
|
|
32
|
+
5. Select Save changes.
|
|
33
|
+
default_value: Administrator accounts are not subject to branch protection rules by default.
|
|
34
|
+
references:
|
|
35
|
+
- https://docs.gitlab.com/ee/user/project/repository/branches/default.html
|
|
36
|
+
- https://docs.gitlab.com/ee/user/project/protected_branches.html#who-can-modify-a-protected-branch
|
|
37
|
+
cis_controls:
|
|
38
|
+
- id: 16.1
|
|
39
|
+
version: 8
|
|
40
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
41
|
+
description: >-
|
|
42
|
+
Establish and maintain a secure application development process. In the
|
|
43
|
+
process, address such items as: secure application design standards, secure coding
|
|
44
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
45
|
+
and application security testing procedures. Review and update documentation
|
|
46
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
47
|
+
Safeguard.
|
|
48
|
+
implementation_groups:
|
|
49
|
+
- IG2
|
|
50
|
+
- IG3
|
|
51
|
+
- id: 18.1
|
|
52
|
+
version: 7
|
|
53
|
+
name: Establish Secure Coding Practices
|
|
54
|
+
description: >-
|
|
55
|
+
Establish secure coding practices appropriate to the programming language and
|
|
56
|
+
development environment being used.
|
|
57
|
+
implementation_groups:
|
|
58
|
+
- IG2
|
|
59
|
+
- IG3
|
|
60
|
+
additional_info: >-
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.10
|
|
3
|
+
name: branches_updated_before_merging
|
|
4
|
+
title: Ensure open Git branches are up to date before they can be merged into code base
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Organizations should make sure each suggested code change is in full sync with the
|
|
10
|
+
existing state of its origin code repository before allowing merging.
|
|
11
|
+
rationale: >-
|
|
12
|
+
Git branches can easily become outdated since the origin code repository is constantly
|
|
13
|
+
being edited. This means engineers working on separate code branches can
|
|
14
|
+
accidentally include outdated code with potential security issues which might have
|
|
15
|
+
already been fixed, overriding the potential solutions for those security issues when
|
|
16
|
+
merging their own changes.
|
|
17
|
+
impact: >-
|
|
18
|
+
If enforced, outdated branches would not be able to be merged into their origin
|
|
19
|
+
repository without first being updated to contain any recent changes.
|
|
20
|
+
audit: |
|
|
21
|
+
For each project, verify that open branches must be updated before merging by performing the following:
|
|
22
|
+
• Navigate to the main page of the project
|
|
23
|
+
• In the sidebar, select Settings > Merge requests
|
|
24
|
+
• Look at the 'Merge method'. If 'Merge commit with semi-linear history' or 'Fast-forward merge' is selected, the project is compliant.
|
|
25
|
+
remediation: |
|
|
26
|
+
For each project identified as being non-compliant, performing the following:
|
|
27
|
+
• Navigate to the main page of the project
|
|
28
|
+
• In the sidebar, select Settings > Merge requests
|
|
29
|
+
• Under the 'Merge method' select either 'Merge commit with semi-linear history' or 'Fast-forward merge'.
|
|
30
|
+
default_value: By default, there is no requirement to update a branch before merging it.
|
|
31
|
+
references:
|
|
32
|
+
- https://docs.gitlab.com/ee/user/project/merge_requests/methods/
|
|
33
|
+
cis_controls:
|
|
34
|
+
- id: 16.1
|
|
35
|
+
version: 8
|
|
36
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
37
|
+
description: >-
|
|
38
|
+
Establish and maintain a secure application development process. In the
|
|
39
|
+
process, address such items as: secure application design standards, secure coding
|
|
40
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
41
|
+
and application security testing procedures. Review and update documentation
|
|
42
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
43
|
+
Safeguard.
|
|
44
|
+
implementation_groups:
|
|
45
|
+
- IG2
|
|
46
|
+
- IG3
|
|
47
|
+
- id: 18.1
|
|
48
|
+
version: 7
|
|
49
|
+
name: Establish Secure Coding Practices
|
|
50
|
+
description: >-
|
|
51
|
+
Establish secure coding practices appropriate to the programming language and
|
|
52
|
+
development environment being used.
|
|
53
|
+
implementation_groups:
|
|
54
|
+
- IG2
|
|
55
|
+
- IG3
|
|
56
|
+
additional_info: >-
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.9
|
|
3
|
+
name: checks_pass_before_merging
|
|
4
|
+
title: Ensure all checks have passed before merging new code
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Before a code change request can be merged to the code base, all predefined checks
|
|
10
|
+
must successfully pass.
|
|
11
|
+
rationale: >-
|
|
12
|
+
On top of manual reviews of code changes, a code protect should contain a set of
|
|
13
|
+
prescriptive checks which validate each change. Organizations should enforce those
|
|
14
|
+
status checks so that changes can only be introduced if all checks have successfully
|
|
15
|
+
passed. This set of checks should serve as the absolute quality, stability, and security
|
|
16
|
+
conditions which must be met in order to merge new code to a project.
|
|
17
|
+
impact: >-
|
|
18
|
+
Code changes in which all checks do not pass successfully would not be able to be
|
|
19
|
+
pushed into the code base of the specific code repository.
|
|
20
|
+
audit: |
|
|
21
|
+
Within each project's settings, you can see a list of status check services added to the project:
|
|
22
|
+
1. In your project, go to Settings > Merge requests section.
|
|
23
|
+
2. Scroll down to Status checks.
|
|
24
|
+
3. Ensure that the Status checks must succeed checkbox has been selected.
|
|
25
|
+
remediation: |
|
|
26
|
+
To block the merging of merge requests when checks fail:
|
|
27
|
+
1. On the left sidebar, select Search or go to and find your project.
|
|
28
|
+
2. Select Settings > Merge requests.
|
|
29
|
+
3. Select the Status checks must succeed checkbox.
|
|
30
|
+
4. Select Save changes.
|
|
31
|
+
default_value: By default, no checks are defined per project, and thus no enforcement of checks is made.
|
|
32
|
+
references:
|
|
33
|
+
- https://docs.gitlab.com/ee/user/project/merge_requests/status_checks.html
|
|
34
|
+
cis_controls:
|
|
35
|
+
- id: 16.1
|
|
36
|
+
version: 8
|
|
37
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
38
|
+
description: >-
|
|
39
|
+
Establish and maintain a secure application development process. In the
|
|
40
|
+
process, address such items as: secure application design standards, secure coding
|
|
41
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
42
|
+
and application security testing procedures. Review and update documentation
|
|
43
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
44
|
+
Safeguard.
|
|
45
|
+
implementation_groups:
|
|
46
|
+
- IG2
|
|
47
|
+
- IG3
|
|
48
|
+
- id: 18.1
|
|
49
|
+
version: 7
|
|
50
|
+
name: Establish Secure Coding Practices
|
|
51
|
+
description: >-
|
|
52
|
+
Establish secure coding practices appropriate to the programming language and
|
|
53
|
+
development environment being used.
|
|
54
|
+
implementation_groups:
|
|
55
|
+
- IG2
|
|
56
|
+
- IG3
|
|
57
|
+
additional_info: >-
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 1.1.4
|
|
3
|
+
name: code_approval_dismissals
|
|
4
|
+
title: Ensure previous approvals are dismissed when updates are introduced to a code change proposal
|
|
5
|
+
profile: 1
|
|
6
|
+
category: source_code
|
|
7
|
+
sub_category: code_changes
|
|
8
|
+
description: >-
|
|
9
|
+
Ensure that when a proposed code change is updated, previous approvals are declined,
|
|
10
|
+
and new approvals are required.
|
|
11
|
+
rationale: >-
|
|
12
|
+
An approval process is necessary when code changes are suggested. Through this
|
|
13
|
+
approval process, however, changes can still be made to the original proposal even
|
|
14
|
+
after some approvals have already been given. This means malicious code can find its
|
|
15
|
+
way into the code base even if the organization has enforced a review policy. To ensure
|
|
16
|
+
this is not possible, outdated approvals must be declined when changes to the
|
|
17
|
+
suggestion are introduced.
|
|
18
|
+
impact: >-
|
|
19
|
+
If new code changes are pushed to a specific proposal, all previously accepted code
|
|
20
|
+
change proposals must be declined.
|
|
21
|
+
audit: |
|
|
22
|
+
For each code repository in use, perform the next steps to verify that each updated code suggestion declines the previously received approvals:
|
|
23
|
+
• On GitLab, navigate to the main page of a repository.
|
|
24
|
+
• Navigate to Settings > Merge Requests.
|
|
25
|
+
• Click Expand next to the Merge Request Approvals section.
|
|
26
|
+
• Verify the repository has merge request approvals configured on all protected branches.
|
|
27
|
+
• Verify that "Remove all approvals" is selected under Approval Settings for "When a commit is added".
|
|
28
|
+
remediation: |
|
|
29
|
+
For each code repository in use, perform the next steps to enforce dismissal of given approvals to code change suggestions if those suggestions were updated:
|
|
30
|
+
• On GitLab, navigate to the main page of a repository.
|
|
31
|
+
• Navigate to Settings > Merge Requests.
|
|
32
|
+
• Click Expand next to the Merge Request Approvals section.
|
|
33
|
+
• Configure approval rules and a list of eligible approvers for all protected branches (or all branches).
|
|
34
|
+
• Select Remove all approvals under "When a commit is added".
|
|
35
|
+
• Click Save changes
|
|
36
|
+
default_value:
|
|
37
|
+
references:
|
|
38
|
+
- https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html
|
|
39
|
+
cis_controls:
|
|
40
|
+
- id: 16.1
|
|
41
|
+
version: 8
|
|
42
|
+
name: Establish and Maintain a Secure Application Development Process
|
|
43
|
+
description: >-
|
|
44
|
+
Establish and maintain a secure application development process. In the
|
|
45
|
+
process, address such items as: secure application design standards, secure coding
|
|
46
|
+
practices, developer training, vulnerability management, security of third-party code,
|
|
47
|
+
and application security testing procedures. Review and update documentation
|
|
48
|
+
annually, or when significant enterprise changes occur that could impact this
|
|
49
|
+
Safeguard.
|
|
50
|
+
implementation_groups:
|
|
51
|
+
- IG2
|
|
52
|
+
- IG3
|
|
53
|
+
- id: 18.1
|
|
54
|
+
version: 7
|
|
55
|
+
name: Establish Secure Coding Practices
|
|
56
|
+
description: >-
|
|
57
|
+
Establish secure coding practices appropriate to the programming language and
|
|
58
|
+
development environment being used.
|
|
59
|
+
implementation_groups:
|
|
60
|
+
- IG2
|
|
61
|
+
- IG3
|
|
62
|
+
additional_info: >-
|