Review and implement pipeline security best practices

[schrolla]

Description

ScubaGear development leverages a continuous integration pipeline to ensure high code quality throughout the development process. The purpose of this epic is to review current pipeline workflows along with CI/CD security best practices and ensure all reasonable security measures and mitigations are in place to safeguard ScubaGear development.

Initiative / Goal

The goal is to improve ScubaGear code quality through the use of security best practices applied through automated processes.

Relevant Issues

• Enforce least priv with the SP that uses KV #1501
• Create a distinct SP for KV access to enforce least priv. #1502
• Clean up GitHub secrets #1504
• Rewrite all the code to necessary to pull the secrets from AKV #1505
• Verify that secrets pulled from AKV are not sent to GitHub logs #1507

Hypothesis

By improving the security of the development pipeline, ScubaGear security results will be more transparent and provide more assurance in the overall development process.

Acceptance criteria

Criteria that are considered in-scope for this epic include:

• Existing processes, privileges, and secrets reviewed for needed changes
• Unnecessary permissions have been removed
• Secrets are maintained in key vault, either directly or as backup

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to development pipeline to test possible solutions.

Timeline

TBD