Security tooling and processes
This page contains information on tools and processes we run within the Security team.
If you want to document sensitive information, you can either:
- Store it in Google Drive.
- Add it to the docs folder in the infrastructure repository. This option is better for technical documentation.
Processes
Terraform Cloud
We use Terraform Cloud to manage the deployment of cloud infrastructure across Sourcegraph. You can find more information on using the platform here.
Notifications for changes to Terraform in folders of interest to the Security team are sent to #security-terraform.
The notification settings are configured in infrastructure/terraform-cloud.
SAST scanning
We use a combination of tools within the team to cover several classes of vulnerability:
- We use Checkov to scan our Terraform infrastructure for misconfigurations.
- We use Trivy to scan container images for vulnerable dependencies.
- We use Semgrep OSS to scan the code in sourcegraph/sourcegraph and sourcegraph/cody for vulnerabilities and insecure coding patterns.
Additionally, we have enabled GitHub secret scanning push protection on all public repositories, so pushes containing detected secrets are blocked before they land.
Entitle
We use Entitle as our permission management system.
- An intro to Entitle
- How-to guide, using GCP as an example
- Entitle for GitHub teams and elevated permissions access for teammates and managers
- Cloudflare Access Request
Cloudflare Token
We use a Cloudflare API token to manage access to our Cloudflare account.
The token is used by our Terraform code to manage DNS records and other Cloudflare services.
When rotating the token, update it here, here and in the Terraform Cloud variable set.
We typically set a one-year expiry on the token.
Make sure to test that the new token works by running terraform plan in the infrastructure repository against the relevant Cloudflare code. A plan that completes without authentication errors confirms the token; only revoke the old token once that check passes.
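The rotation steps above can be sanity-checked before touching Terraform. The script below is an added example, not part of this page or of Sourcegraph's tooling: it calls Cloudflare's documented token verification endpoint (GET /client/v4/user/tokens/verify), which returns the token's status and expiry, and flags a token that is inactive, expired, past its expiry, or within a configurable warning window of the one-year expiry described above. The 30-day warning window, the CLOUDFLARE_API_TOKEN environment variable as the place the token is read from, and the sample response embedded for offline use are assumptions made for the example.

```python
"""Pre-rotation check for a Cloudflare API token (added example, not Sourcegraph code).

Flow: read the token from CLOUDFLARE_API_TOKEN (the same variable the Cloudflare
Terraform provider reads), ask Cloudflare to verify it, then apply a simple policy:
fail on inactive/expired tokens, warn when expiry is close or unset.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"
WARN_DAYS = 30  # assumption for this example: warn when fewer than 30 days remain

# Constructed sample of the verify response shape, used for offline testing only.
SAMPLE_VERIFY_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [{"code": 10000, "message": "This API Token is valid and active"}],
    "result": {
        "id": "0123456789abcdef0123456789abcdef",  # placeholder, not a real token id
        "status": "active",
        "expires_on": "2026-01-01T00:00:00Z",
    },
}


def fetch_verify(token: str) -> dict:
    """Call the verify endpoint; the token itself is the bearer credential."""
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess_token(verify_response: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Reduce a verify response to {'level': ok|warn|fail, 'reason': str, 'days_left': int|None}."""
    if not verify_response.get("success"):
        return {"level": "fail", "reason": f"verify call failed: {verify_response.get('errors')}", "days_left": None}
    result = verify_response.get("result", {})
    status = result.get("status")
    if status != "active":
        # Cloudflare reports disabled or expired tokens with a non-active status.
        return {"level": "fail", "reason": f"token status is {status!r}", "days_left": None}
    expires_on = result.get("expires_on")
    if not expires_on:
        # No expiry at all contradicts the one-year-expiry practice on this page.
        return {"level": "warn", "reason": "token has no expiry set", "days_left": None}
    expiry = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    days_left = (expiry - now).days
    if days_left < 0:
        return {"level": "fail", "reason": "token has expired", "days_left": days_left}
    if days_left <= warn_days:
        return {"level": "warn", "reason": f"token expires in {days_left} days", "days_left": days_left}
    return {"level": "ok", "reason": f"token active, {days_left} days left", "days_left": days_left}


def main() -> int:
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    if not token:
        print("CLOUDFLARE_API_TOKEN is not set", file=sys.stderr)
        return 2
    verdict = assess_token(fetch_verify(token), datetime.now(timezone.utc))
    print(f"{verdict['level'].upper()}: {verdict['reason']}")
    # Non-zero exit on failure so this can gate a rotation script before terraform plan.
    return 1 if verdict["level"] == "fail" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the new token exported as CLOUDFLARE_API_TOKEN; an OK verdict means Cloudflare accepts the credential, after which terraform plan in the infrastructure repository confirms the token also carries the permissions the Cloudflare resources need.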