sop_security_mr_review
Last updated: 2024-09-27 10:48:05.722167 File source: link on GitLab
Process for Security Team for PR Review
Get yourself Familiar with Secure Coding Guidelines here: Secure Coding Guidelines
Get yourself familiar with defect dojo here: Vulnerability Management
See if there are any High/Critical Severity issues found with the commit associated with PR/MR
Login to defectDojo
Go to Actives engagements
Here each engagement correspond to the commit, product gives you information about the repo, each product corresponds to the repo
Click on engagement, it will give you information about the branch, commit hash, findings and other information
Click on findings, it will gives you information about the findings, if there is any finding with high or critical this PR is not suitable for merge.
If the issue/vulnerability is easily understood by developer and can be fixed, then developer should fix it.
If the vulnerability/issue needs enrichment then create an issue on the repo using ticketing template from here: Vulnerability Management
Make sure to include secvuln label
assign it to developer
If the vulnerability cannot be fixed add the label to the ticket as exception along with secvuln and include the reason for the decisions in the comment.
Last updated