Extending GitHub to Meet your Open Source Policy
1 like175 views
Jamie Jones, a GitHub solutions lead, discusses the importance of secure development and workflows in the context of public sector projects. The document covers GitHub features, enterprise solutions, security compliance standards, and the use of Probot for automation and integration. It emphasizes the role of GitHub in managing software quality, security, and compliance through collaborative practices and continuous delivery.
Extending GitHub to Meet your Open Source Policy
- 3. Jamie Jones ! @jbjonesjr • GitHub for two and a half years • Previously Developer, Technical Lead & Configuration Manager with Security-conscious Federal agencies. • Casual Open Source enthusiast • Former Colonial Reenactor. GitHub Solutions Lead, Public Sector
- 5. GitHub + Secure Workflows = Secure Development
- 6. ❖ GitHub ❖ Hosting ❖ Features ❖ Workflow ❖ GitHubFlow ❖ Compliance ❖ Extend ❖ GitHubAPI ❖ Probot
- 8. Team Includes: Organization account Unlimited public repositories Unlimited private repositories Team and user permissions Business Hosted on GitHub.com Organization account SAML single sign-on User provisioning 24/5 support with 8-hour response time 99.95% Uptime SLA GitHub Enterprise Multiple organizations SAML, LDAP, and CAS User provisioning 24/7 support for urgent issues Advanced auditing Host on your servers, AWS, Azure, or GCP
- 9. Uptime SLA Top-Tier Support GitHub Hosted Corporate Identity Provider GitHub for Business, Hosted
- 12. Pull Requests and Code Review • Collaborative • Code & human activity • Code Review built-in • Quick reactions • Rich text markup • Audit & traceability
- 18. • CodeReview • Unit/Integrationtesting,StaticCodeAnalysissupport • Auditandtraceability • DependencyProtection • Secretpublishingprevention • ConfigurationManagerapprovals • More 👀 GitHub has Security built in
- 20. GitHub Flow
- 21. • ContinuousDelivery • Collaboration(DevOps?DevSecOps?)enabledend-to-end automation acrossenvironments • AutomateQualityandSecurityTesting • Integrationsandsolutionsfornotjustcode • RepeatableandDependable • Supportslong-runningchangesandzero-daypatching Improving quality with GitHubFlow
- 24. !
- 25. Code Review as security checks Identifying Regular Expressions that might not lead to the expected validations.
- 28. • Whatcodeisrunninginproduction? • Doyouhavetraceabilityfromtestingtodeployment? • Canyoubetterintegratesecurityandprocesseswithout impactingdevelopervelocity? • Howdoyoudocumentyourchangemanagementprocess today? It’snotabouteliminatingrisk,it’smanagingit
- 29. Let’s talk about compliance NIST 800-53 ISO 27001 IA-3,4,5 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3 AU-6,12 A.12.4.1, A.12.4.3, A.16.1.2, A.16.1.4 SC-2,5,6,8 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 SA-10,11 A.12.1.2, A.14.2.2, A.14.2.4, A.14.2.7, A. 14.2.8 RA-5 A.12.6.1
- 30. Project Boise ATO in an Instant Safer Software Sooner ATO in a Day Boise
- 31. Extend GitHub
- 34. Rest API WebHooksGraphQL GitHub Apps
- 36. Rest API WebHooksGraphQL SDK GitHub Apps
- 40. Probot is a bot framework for GitHub. It’s the glue for interacting with GitHub, and everything else… https://probot.github.io
- 41. Rest API WebHooksGraphQL SDK GitHub Apps
- 42. https://probot.github.io/probot/latest/index.html Probot enables • Webhook&event registration • GitHubauthentication& integratedSDKviasecure GitHubApps • SimplifiedAPIinteraction withsyntacticalsugar
- 43. module.exports = function(robot) { robot.on('issues.opened', async context => { // Get template from the repository const data = await context.github.repos.getContent(context.repo({path: ‘.github/ ISSUE_REPLY_TEMPLATE.md'})); const template = new Buffer(data.content, ‘base64').toString(); // Reply with the contents of the template return context.github.issues.createComment(context.issue({body: template})); }); } Autoresponder app https://github.com/probot/autoresponder/ 4 Lines of code
- 45. production test/qa development A|B Testing A|B Testing Continuous Delivery with GitHub and OpenShift
- 46. Upcoming Webinar : November 14th, 2017 EXTENDING WITH GITHUB: EASY INTEGRATIONS WITH PROBOThttps://githubuniverse.com KEEP YOUR PROJECTS SECURED WITH THE DEPENDENCY GRAPH & SECURITY ALERTS