It's always a challenge for a digital community to keep potential security breaches out of our code.
We have decided to use these 4 approaches in combination with each other to optimise the benefits of each at the right time.
The blind approach
If we create no level of security, every component can be downloaded, any contributor can add compromising code, and it will stay online until someone reports it.
The automation approach
We could create some automation that detects vulnerabilities with online processes, but this would only catch a basic level of vulnerabilities and wouldn't always return correct results, as it doesn't know the context in which the code will be used.
The strict approach
If we limit people's creativity by blocking progress with security bottlenecks before anyone can release anything, we are limiting our own speed of innovation, which wouldn't be very productive (or fun).
The personal approach
We could personally review everything, but this is a very high workload in a thriving community.
What makes a component secure?
Each component has a repository on Gitlab. This repository is by default maintained by the contributor of the component.
If the contributor decides they want to apply for the Secured by Compony label, the team of Compony undertakes the following steps:
- We protect the master-branch, so only we can push to the branch.
- We have a security expert review all the code inside the component's repository, supported by an automated vulnerability checker.
- If deemed secure, we give the label; if not, the label is rejected until the contributor applies for it again.
The contributors of the component can still maintain their component by approving merge requests. Approved merge requests receive an extra check by our security team before they are pushed to the master branch.
We only allow popular enough components to apply for this label, to make sure they are tested well enough before we label them.
We only allow the safe label on public components; once your component is safe, it can no longer be made private.
Paying members only
We only allow paying members to apply for the safe label. Please note that we gladly grant active community members a paying member role!
Secure components have their master branch on Gitlab protected. This means that changes to the code of the component can only come from merge requests, and those have to be verified by Compony.
Secure collections
Secure collections are collections in which only secure components are used.
If one component in the collection is insecure, the collection will become insecure too.
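As an added example (not Compony's own tooling), the script below checks the two rules stated above: that a secured component's master branch on GitLab is protected so that nobody can push directly and only maintainers can merge, and that a collection is secure only while every component in it carries the label. It reads the shape returned by GitLab's `GET /projects/:id/protected_branches` API (`push_access_levels` and `merge_access_levels`, with access level 0 meaning "No one" and 40 meaning "Maintainer"); the sample JSON and the component list are constructed inline, and mapping "only we can push" to push level 0 with maintainer-level merge access is an assumption of this example.

```python
"""Check GitLab branch protection and collection composition against the
Secured by Compony rules. Added example; the sample data below is constructed."""
import json

# GitLab access levels as documented for the protected branches API.
NO_ACCESS = 0      # "No one"
MAINTAINER = 40    # "Maintainers"

# Constructed sample in the shape of GET /projects/:id/protected_branches
SAMPLE_PROTECTED_BRANCHES = json.loads("""
[
  {
    "name": "master",
    "push_access_levels":  [{"access_level": 0,  "access_level_description": "No one"}],
    "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}]
  }
]
""")

# Constructed sample collection: component name and whether it carries the label.
SAMPLE_COLLECTION = [
    {"name": "hero-banner", "secured": True},
    {"name": "card-grid", "secured": True},
    {"name": "newsletter-form", "secured": False},
]


def branch_policy_violations(protected_branches, branch="master"):
    """Return a list of violations (empty list = compliant).

    Policy assumed here: the branch is protected, direct pushes are locked to
    "No one" (so every change arrives as a merge request), and merging is
    restricted to maintainers, i.e. the security team.
    """
    violations = []
    entry = next((b for b in protected_branches if b.get("name") == branch), None)
    if entry is None:
        return [f"branch '{branch}' is not protected"]

    push_levels = {lvl["access_level"] for lvl in entry.get("push_access_levels", [])}
    merge_levels = {lvl["access_level"] for lvl in entry.get("merge_access_levels", [])}

    if push_levels != {NO_ACCESS}:
        violations.append(
            f"direct pushes to '{branch}' are not locked to 'No one' "
            f"(levels {sorted(push_levels)})"
        )
    if not merge_levels or any(lvl < MAINTAINER for lvl in merge_levels):
        violations.append(
            f"merges into '{branch}' are not restricted to maintainers "
            f"(levels {sorted(merge_levels)})"
        )
    return violations


def insecure_components(components):
    """Names of components without the label. A collection is secure only if
    this list is empty: a single unlabelled component makes it insecure."""
    return [c["name"] for c in components if not c.get("secured", False)]


def collection_is_secure(components):
    """True only when every component in the collection carries the label."""
    return len(components) > 0 and not insecure_components(components)


if __name__ == "__main__":
    print("branch violations:", branch_policy_violations(SAMPLE_PROTECTED_BRANCHES))
    print("insecure components:", insecure_components(SAMPLE_COLLECTION))
    print("collection secure:", collection_is_secure(SAMPLE_COLLECTION))
```

In practice the protected-branch JSON would come from the GitLab API for the component's repository; the functions are kept separate from any network call so the policy check can run in a CI job or a test.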