Security Reviews
Security reviews ensure that a project, and its commit history, are from of security issues. You should conduct a security review for every new merge request, and the review should fail if the commit history contains any of the previous examples. The security review should be conducted by the same person conducting the code review for the merge request.
Security issues include personally identifiable information (PII) and information about the internal USGS computing environment. PII examples include:
Names
Email addresses
Social Security or credit card numbers
Any other PII
Computing environment examples include:
Usernames or passwords
Absolute file paths
Internal server names
Internal IP addresses
If the merge request contains a security issue, then the merge should be closed and a new merge request should be created after the issues are resolved.
Rubric
The following is a suggested rubric for security reviews:
Item |
Pass |
Fail |
|---|---|---|
Project does not contain PII, usernames, or passwords. |
Project contains any of the previous items. |
|
Project does not contain absolute file paths, internal server host name, or internal IP addresses. |
Project contains any of the previous items. |
Gitlab How-To
You should conduct the security review on the merge request page, before conducting the code review. Navigate to the Commits tab of the merge request:
Show tab
The tab displays all the new commits associated with the merge request:
Show Example
Clicking on a commit will display all the changed lines associated with the commit. The security reviewer should scan through these lines to ensure that none of them contain security issues. Then, repeat this process for every commit in the merge request:
Show Example
If any commit contains a security issue, then the reviewer should notify the author and the merge should be closed.