Apply "GitHub Recommended" security configuration to existing and new repos

[consideRatio]

I propose that we pilot use of the GitHub recommended security configuration for all existing and new repositories in a "Don't enforce" way, and that we at a later time consider transitioning to "Enforce" based on gained experience. By piloting this security configuration in our GitHub org, we gain experience of relevance for other Jupyter organizations. jupyter/security#102 tracks this on a Jupyter enterprise level including 16 active Jupyter GitHub orgs.

This is how the security configuration looks as seen from JupyterHub org's settings:

Note that JupyterHub currently have a security configuration applied for four repositories (jupyterhub-container-images, action-get-guayio-tags, pamela, escapism) called "Legacy" which is applied to all new repositories, but I think it is either not doing anything or disabling security features otherwise on by default (see the legacy security config here here).

[manics]

Sounds fine to me.

Note that JupyterHub currently have a security configuration applied for four repositories ...

Sounds like its something to do with transferring a personal repo to the org? Can we reset it to match the org settings?

[consideRatio]

Sounds like its something to do with transferring a personal repo to the org? Can we reset it to match the org settings?

If we apply the "GitHub Recommended" security config to these repo's, we can delete the "Legacy" security config because it wouldn't add anything. I think maybe we can delete it already because maybe it already doesn't do anything - but I'm not sure.

I am not sure what within the security configurations is configurarable on an org level directly, there is https://github.com/organizations/jupyterhub/settings/security_analysis which perhaps have a slight overlap but we aren't configuring much there.

[minrk]

👍 to giving it a try. Since all 4 of the repos with settings are recently migrated repos which have no deliberate configuration to my knowledge, resetting them to match the org default seems fine to me.

[consideRatio]

I have deleted the legacy security conf, and I have created and applied "GitHub Recommended minus Code scanning with CodeQL" which is like its name describes. These security configs can be seen from here.

I enabled this for jupyterhub/jupyterhub in a Don't enforce mode - should we go for all repos now or soon? We could also enable it for ~5 more repos first or so before going for all.

[choldgraf]

As long as we think we have the team capacity to realistically follow these practices I am +1 on it! (I say this without knowing what we are committing to haha)

[minrk]

Can we do oauthenticator, z2jh, and mybinder.org-deploy? If those look okay with the new policy, +1 to org-wide.

[consideRatio]

@minrk I applied the policy for those repos now!

@choldgraf I think this won't incurr much work! This is just systematic security related configuration across all of the orgs repos. I think to summarize this is what we end up with applying this:

• Dependency alerts (example seen here) (not PRs) will be presented
• Accidental exposure of access tokens etc gets prevented, so you can be blocked pushing a commit including cleartext credentials, but you can still bypass it
• Private vulnerability reporting gets enabled in each repo, but I think it already was for most of our repos
• Dependency graph (example seen here) will be enabled in each repo, but I think it already was for all our repos as it is documented as the default for public repos

[minrk]

Looking at what's come up, I think we can go ahead and enable it on the org. Thanks for managing this!

[consideRatio]

Applied for all repos in a non-enforce way! If anyone finds a situation when its relevant to opt-out of any config now applied it would be good to surface here!