[tractusx-dev] Enabling Otterdog for your GitHub organization

Dear all,

the Eclipse Security Team is focused on helping Eclipse projects to secure their development processes and infrastructure. For this purpose we have developed a tool called Otterdog (https://gitlab.eclipse.org/eclipsefdn/security/otterdog) which is able to configure various settings of a GitHub organization based on a configuration that is provided and hosted in a GitHub repository itself.

The tool is able to import the current status quo and allows gradually securing organization and repo settings by editing the configuration via a standard review process:

  • project leads have access to the repository hosting the configuration
  • PL can create PRs with suggested changes to the configuration; a workflow will automatically add comments to the PR highlighting the changes that will be applied by the tool
  • PRs get approved and merged by the security team
  • security team will finally apply the changes to the GitHub organization via the otterdog command line tool (this step is intended to be automated in the near future)

The tool is already in use by the Adoptium project and based on the positive feedback that we received so far we would like to roll it out to more organizations.

We see the following benefits by using this tool:

  • allows project teams to see the current configuration and suggest changes, thus moving in the direction of a self-service process to administrate GitHub organizations (including setting up new repositories)
  • allows the Eclipse Security Team to monitor security-related settings for our organizations / projects at scale and suggest changes to further improve the overall security of our development processes
  • reducing load on the HelpDesk

To get a glimpse of the tool and its capabilities, please find below a link to a presentation of the Head of Security at the EF, Mikael Barbero:

https://docs.google.com/presentation/d/1lLqbhDQf9s5U2A2TkcoFYA39qtODcSot2308vnKbkbA/edit?usp=sharing

Please let me know if this project is interested in starting to use Otterdog. I would be happy to schedule a first meeting to showcase the tool. The required setup is rather small and would be completely done by ourselves: a new (private) repository ".eclipsefdn-private" in your organization would be created to host the configuration.

Best regards,

Thomas Neidhart
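The review step described above, where a PR comment highlights the changes a configuration-as-code tool would apply to an organization, can be illustrated with a small planner. This is an added example and not Otterdog's code; the setting names and the "weakens" rules are assumptions chosen for the illustration, not the tool's schema.

```python
from typing import Any

Change = tuple[str, Any, Any]

# Constructed sample: settings as an import of the status quo could record them.
# Key names are assumptions for this example, not Otterdog's configuration schema.
CURRENT = {
    "org": {"two_factor_requirement": False, "default_repository_permission": "write"},
    "repos": {"demo-repo": {"private": True, "secret_scanning": "disabled",
                            "branch_protection": {"main": {"required_approving_review_count": 0}}}},
}
# Constructed sample: the configuration as proposed in a pull request.
PROPOSED = {
    "org": {"two_factor_requirement": True, "default_repository_permission": "read"},
    "repos": {"demo-repo": {"private": False, "secret_scanning": "enabled",
                            "branch_protection": {"main": {"required_approving_review_count": 2}}}},
}

def plan_changes(current: dict, desired: dict, path: str = "") -> list[Change]:
    """Walk both nested dicts and return (setting path, old, new) for every differing leaf."""
    changes: list[Change] = []
    for key in sorted(set(current) | set(desired)):
        here = f"{path}.{key}" if path else key
        old, new = current.get(key), desired.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            changes.extend(plan_changes(old, new, here))
        elif old != new:
            changes.append((here, old, new))
    return changes

def weakens(setting: str, old: Any, new: Any) -> bool:
    """True when a change lowers protection; these rules are assumptions for the example."""
    leaf = setting.rsplit(".", 1)[-1]
    if leaf in ("two_factor_requirement", "private"):
        return old is True and new is False
    if leaf == "secret_scanning":
        return old == "enabled" and new != "enabled"
    if leaf == "required_approving_review_count":
        return int(new or 0) < int(old or 0)
    if leaf == "default_repository_permission":
        rank = {"none": 0, "read": 1, "write": 2, "admin": 3}
        return rank.get(new, 0) > rank.get(old, 0)
    return False

def review_comment(current: dict, desired: dict) -> list[str]:
    """Lines for a PR comment: one per planned change, downgrades marked for the reviewer."""
    lines = []
    for setting, old, new in plan_changes(current, desired):
        flag = "WEAKENS: " if weakens(setting, old, new) else ""
        lines.append(f"{flag}{setting}: {old!r} -> {new!r}")
    return lines
```

Running `review_comment(CURRENT, PROPOSED)` lists five changes, with the repository going from private to public marked as a downgrade so the approving team sees it before the configuration is applied.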
