Audit Process

Process for Security Audits

  1. Choose a file or system to audit (from the stariumxcv.dev repository).
  2. Review the code locally to make sure that everything is up to snuff.
  3. Make changes (if necessary) to enhance the security of the code. If possible, commit these changes to stariumxcv.dev.
  4. Create a new branch in stariumxcv.prod for the security audit (be sure to git checkout dev and git pull first). A good naming convention for the branch would be security-{file or system name}.
  5. Commit the file (git add path/to/newfile, then git commit -m "security audit for {file/system name}") and push it up to GitHub (git push).
  6. Go to https://github.com/gwythdarianllc/stariumxcv/pulls
  7. Click the New Pull Request button.
  8. In the first dropdown, choose base: dev.
  9. In the second dropdown, choose compare: security-{file or system name}.
  10. Assuming only a (relatively) short time has passed between starting work on the new branch and opening the pull request, you should see a message that says Able to merge.
    • If this is not the case, try running git merge dev.
    • At this point, you will likely have to resolve any merge conflicts that exist between your current branch and the dev branch. If you aren't sure what to do, ask David for help.
  11. If you are able to merge, go ahead and click Create pull request.
  12. In the comment section that appears, provide a short description of what was audited, what was changed (if anything), and confirmation that everything now looks good.
  13. On the right side, add the following options:
    • Reviewers
      • Choose two of the following people: davidmwhynot, trainort, or alan-saari.
    • Labels
      • Apply the label security-audit, as well as any other labels that you think would be relevant to the changes made during your work on this branch.
  14. Click Create Pull Request.
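
Steps 4, 5 and 10 as a small POSIX shell helper, added here as an example (it is not part of this process doc or the stariumxcv repository). It assumes git is on PATH, the remote is named origin, the base branch is dev as in the steps above, and the working tree is clean; the merge check is a dry run (git merge --no-commit followed by git merge --abort) rather than the real git merge dev the step describes, so the branch is left untouched, and the push uses -u origin so a freshly created branch gets an upstream.

```shell
#!/bin/sh
# Added example, not from the original audit process doc. Assumptions: git on
# PATH, remote named "origin", base branch "dev", clean working tree.

# Branch name per the convention security-{file or system name}: lower-cased,
# with anything outside [a-z0-9._] (slashes, spaces) turned into dashes.
audit_branch_name() {
  printf 'security-%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9._]/-/g')"
}

# Step 4: branch off an up-to-date dev.
start_audit_branch() {
  git checkout dev && git pull && git checkout -b "$(audit_branch_name "$1")"
}

# Step 5: commit the audited file with the agreed message and push the branch.
#   $1 = file or system name, $2 = path to the audited file
commit_audit() {
  git add "$2" \
    && git commit -m "security audit for $1" \
    && git push -u origin "$(audit_branch_name "$1")"
}

# Step 10: check whether the branch still merges cleanly with dev before the
# pull request is opened. Dry run (the doc's own step runs a real "git merge
# dev"): any merge state is aborted afterwards so nothing on the branch changes.
# Returns 0 when mergeable, 1 when the merge would produce conflicts.
check_mergeable() {
  if git merge --no-commit --no-ff dev >/dev/null 2>&1; then rc=0; else rc=1; fi
  git merge --abort >/dev/null 2>&1 || true
  return $rc
}

# Usage: audit.sh start <name> | commit <name> <path> | check
case "${1:-}" in
  start)  start_audit_branch "$2" ;;
  commit) commit_audit "$2" "$3" ;;
  check)  check_mergeable && echo "Able to merge" || echo "Conflicts with dev" ;;
esac
```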

Review Process

TODO