sop_security_mr_review

Last updated: 2024-09-27 10:48:05.722167 File source: link on GitLab

Process for Security Team for PR Review

1. Get yourself Familiar with Secure Coding Guidelines here: Secure Coding Guidelines

2. Get yourself familiar with defect dojo here: Vulnerability Management

3. See if there are any High/Critical Severity issues found with the commit associated with PR/MR

   • Login to defectDojo

   • Go to Actives engagements

• Here each engagement correspond to the commit, product gives you information about the repo, each product corresponds to the repo

• Click on engagement, it will give you information about the branch, commit hash, findings and other information

• Click on findings, it will gives you information about the findings, if there is any finding with high or critical this PR is not suitable for merge.

4. If the issue/vulnerability is easily understood by developer and can be fixed, then developer should fix it.

5. If the vulnerability/issue needs enrichment then create an issue on the repo using ticketing template from here: Vulnerability Management

   • Make sure to include secvuln label

   • assign it to developer

6. If the vulnerability cannot be fixed add the label to the ticket as exception along with secvuln and include the reason for the decisions in the comment.