We use GitHub, GitLab, and BitBucket to manage version control and source code, depending on our client's preferred platform. When using platforms like GitHub it is mandatory that we follow best practices to ensure consistent security for all of the repositories and code we work with.
When committing code we ensure that no credentials are stored as code/config. We use git-secrets on all devices used for development. Git-secrets analyses our commits via git hooks and rejects any code pushed that may include passwords or sensitive information. Git-secrets is also used in our CI/CD services to ensure no build is pushed containing any sensitive information in the code or config files.
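The hook-based check described above, as an added example (not git-secrets itself and not this company's code): a pre-commit script that reads the staged diff, matches only the added lines against a small set of credential patterns, skips lines that match an allow-list of known placeholders (the equivalent of `git secrets --add --allowed`), and rejects the commit when anything is left. The pattern names, the `SAMPLE_DIFF` input and the function names are assumptions made for this example.

```python
"""Pre-commit secret scan (added example emulating what git-secrets does).

Install by copying to .git/hooks/pre-commit and making it executable.
"""
import re
import subprocess
import sys

# Material that must never be committed as code or config.
# The AWS key pattern is the kind of rule `git secrets --register-aws` adds.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)password\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "generic_api_key": re.compile(
        r"(?i)(?:api|secret)[_-]?key\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

# Allow-list of placeholders that are safe to commit (like --add --allowed).
ALLOWED_PATTERNS = [
    re.compile(r"AKIAIOSFODNN7EXAMPLE"),  # AWS documentation sample key id
    re.compile(r"(?i)password\s*[=:]\s*['\"]<[^'\"]+>['\"]"),  # "<fill-me>"
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def matching_pattern(line):
    """Name of the first secret pattern matching `line`, or None if clean/allowed."""
    if any(allowed.search(line) for allowed in ALLOWED_PATTERNS):
        return None
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(line):
            return name
    return None


def scan_text(text, source="<stdin>"):
    """Scan a whole file body; returns [(source, line_number, pattern_name), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        name = matching_pattern(line)
        if name:
            findings.append((source, lineno, name))
    return findings


def scan_diff(diff_text):
    """Scan only the '+' lines of a unified diff, reporting new-file line numbers."""
    findings, path, new_lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header: "+++ b/path"
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith("--- "):
            continue
        hunk = HUNK_RE.match(line)
        if hunk:                               # "@@ -a,b +c,d @@": c = first new line
            new_lineno = int(hunk.group(1))
            continue
        if line.startswith("+"):
            name = matching_pattern(line[1:])
            if name:
                findings.append((path, new_lineno, name))
            new_lineno += 1
        elif line.startswith(" "):             # context line (absent with -U0)
            new_lineno += 1
    return findings


def staged_diff():
    """The staged changes exactly as a pre-commit hook would see them."""
    result = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample diff: one real-looking password, one allowed AWS sample
# key, and a pasted private-key header. Used for the stand-alone demo below.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,3 @@
+DB_HOST = "db.internal"
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
@@ -10,0 +14,2 @@
+# -----BEGIN RSA PRIVATE KEY-----
+# (key material would follow)
"""

if __name__ == "__main__":
    # "--demo" scans the constructed diff; otherwise scan the real staged diff.
    hits = scan_diff(SAMPLE_DIFF if "--demo" in sys.argv else staged_diff())
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: possible secret ({name})", file=sys.stderr)
    if hits:
        print("Commit rejected: remove the secret or allow the placeholder.",
              file=sys.stderr)
        sys.exit(1)
```

Run `python3 pre-commit.py --demo` to see the two findings on the constructed diff (line 2, the hard-coded password, and line 14, the private-key header); the allowed sample key on line 3 is reported as clean. Scanning only added lines keeps the hook fast and means an allow-list entry documents exactly which placeholder was judged safe, which is the same trade-off git-secrets makes.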
We ensure that we are the only ones with access to our repositories, and that this access is secured against malicious attacks. We do this by:
If we are required to use any application from the GitHub marketplace we follow these strict guidelines:
We refresh our keys and tokens periodically, limiting the damage that any key which has leaked can cause.
When we set up a new project we ensure that security is our priority from the beginning, even if we feel that in the early stages of the project there may not be any sensitive information. We ensure that all of our projects are fully secured and keep the threat of leakage in mind at all times.
If we are importing any code into our GitHub, we must ensure that the code is audited before it is imported into our repository.
Any code committed for the company and our client is never stored in our personal GitHub. All client work is committed to the client's secured GitHub repository.