bbc-testing/testing
Organization Security & Supply-Chain Framework

This repository provides a centralized model for security, dependency analysis, and supply-chain protection across all GitHub repositories in the organization. All enforcement is delivered through organization Rulesets and centralized workflows. No consuming repository needs workflow files or configuration.

Purpose

This framework ensures consistent security across the organization by providing:

  • automated dependency and supply-chain checks

  • controlled and protected CI/CD pipelines

  • standardized PR review and approval flow

  • zero maintenance effort for individual repositories

Key Components

Security Summary Workflow (Orchestrator)

  • Runs dependency review, scorecard, and Node compliance (when needed).

  • Posts a single consolidated PR comment.

  • Uploads JSON/SARIF/HTML artifacts for deeper inspection.

  • Detects project type automatically and avoids unnecessary checks.

Reusable Workflows

Reusable workflows consumed by all repos via Rulesets:

  • dependency review

  • scorecard

  • node dependency compliance

  • build-files review

These live centrally and are not duplicated in individual repositories.

Build-Files Review Workflow

  • Triggers only when CI/CD or build-infrastructure files change.

  • Adds a separate PR note explaining the risk and what reviewers should check.

  • Enforcement (approval requirements, protected paths) is managed by Rulesets.
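The trigger logic described above, as an added example that is not code from this repository: a constructed classifier that takes a PR's changed paths (for instance from `git diff --name-only`), matches them against an assumed set of protected build-infrastructure patterns, and produces the reviewer note. The patterns and guidance strings are assumptions, not the framework's actual protected-path list.

```python
"""Classify a PR's changed files into build/CI-infrastructure categories.

Constructed illustration of a build-files review check; PROTECTED_PATTERNS
and GUIDANCE are assumptions, not this framework's real configuration.
"""
from fnmatch import fnmatch

# Assumed glob patterns for files that can change what CI runs or what ships.
# fnmatch's '*' also matches '/', so '*/Dockerfile' covers nested services.
PROTECTED_PATTERNS = {
    "ci-workflow": [".github/workflows/*", ".github/actions/*/action.y*ml"],
    "container": ["Dockerfile", "*/Dockerfile", "docker-compose*.y*ml"],
    "node-deps": ["package.json", "*/package.json", "package-lock.json", ".npmrc"],
    "build-script": ["Makefile", "*.mk", "scripts/build*", "*.gradle"],
}

# Constructed reviewer guidance per category.
GUIDANCE = {
    "ci-workflow": "look for new third-party actions, unpinned refs, and secret exposure",
    "container": "check base image pins and any new download or install steps",
    "node-deps": "check for new or changed packages, install scripts, and registry changes",
    "build-script": "check for new network fetches or commands run during the build",
}


def classify(changed_paths):
    """Return {category: [matching paths]} for protected files only."""
    hits = {}
    for path in changed_paths:
        for category, patterns in PROTECTED_PATTERNS.items():
            if any(fnmatch(path, pattern) for pattern in patterns):
                hits.setdefault(category, []).append(path)
    return hits


def needs_build_review(changed_paths):
    """True when at least one changed file touches build infrastructure."""
    return bool(classify(changed_paths))


def review_note(changed_paths):
    """Build the separate PR note; empty string means no note is posted."""
    hits = classify(changed_paths)
    if not hits:
        return ""
    lines = ["Build-infrastructure files changed; reviewers should:"]
    for category, paths in sorted(hits.items()):
        lines.append(f"- {category}: {', '.join(sorted(paths))} ({GUIDANCE[category]})")
    return "\n".join(lines)
```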

Organization Rulesets (Enforcement Layer)

Rulesets apply governance consistently across the organization. They enforce:

  • required PR reviews

  • CODEOWNERS approval for protected build paths

  • required workflows (security summary, build-files review)

  • protection of CI/CD and infrastructure files

Rulesets ensure that no security checks or critical file changes can be bypassed.

PR Lifecycle

  1. Developer opens a PR

  2. Organization Ruleset triggers required workflows and enforces review rules

  3. Security Summary workflow runs all relevant checks

  4. Build-Files Review workflow runs if infrastructure files changed

  5. Ruleset verifies reviews + required workflow results

  6. PR becomes mergeable

No workflow files or configuration are needed in consuming repositories.

Benefits

For Developers

  • zero setup

  • one clear security summary

  • minimal PR noise

For Security Teams

  • centralized enforcement

  • consistent evaluation

  • artifact-based deep inspection

For the Organization

  • unified supply-chain posture

  • protected CI/CD pipelines

  • scalable and maintainable governance model

Deployment Model

The entire framework operates through:

  • organization Rulesets

  • organization required workflows

No repository-level workflows, scripts, or onboarding steps are required.

Production Readiness

This framework standardizes security checks, protects CI/CD infrastructure, and reduces workflow noise while maintaining strict governance. It scales across all teams and aligns with modern DevSecOps practices.
