From 3ed78b9c5182bcc860c29a161b65a58402c6a982 Mon Sep 17 00:00:00 2001 From: andyblundell Date: Wed, 15 Apr 2026 17:28:30 +0100 Subject: [PATCH 1/3] Add SECURITY.md and notes on PVR --- SECURITY.md | 23 +++++++++++++++++++++++ practices/securing-repositories.md | 11 +++++++++++ 2 files changed, 34 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3d4f54ca --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# Security + +We take security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the method outlined below. + +## Table of Contents + +- [Security](#security) + - [Table of Contents](#table-of-contents) + - [Reporting a vulnerability](#reporting-a-vulnerability) + - [General Security Enquiries](#general-security-enquiries) + +## Reporting a vulnerability + +If you believe you have found a security issue in this repository, please report it using GitHub's private vulnerability reporting: + +1. [Report a vulnerability](https://github.com/NHSDigital/software-engineering-quality-framework/security/advisories/new) +2. Provide details of the issue and steps to reproduce + +This creates a private channel for discussion and allows us to coordinate a fix before public disclosure. + +## General Security Enquiries + +If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net) diff --git a/practices/securing-repositories.md b/practices/securing-repositories.md index 397d324e..f4600b70 100644 --- a/practices/securing-repositories.md +++ b/practices/securing-repositories.md 
@@ -9,6 +9,7 @@ - [Teams setup](#teams-setup) - [Code security](#code-security) - [Branch protection](#branch-protection) + - [Allowing others to report security problems](#allowing-others-to-report-security-problems) This guide lays out security best practice for GitHub repositories. This set of practices is a minimum (nothing stops you from doing more), and they should be implemented alongside other relevant ones that contribute to [security](security.md) as a whole. These are discussed in more detail as part of the [Quality checks](../quality-checks.md). 
@@ -64,3 +65,13 @@ Depending on your use case, you may want to create additional teams (e.g. teams - Require [signed commits](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits), and, accordingly, check that commits are verified before merging. Git treats authentication and identity separately - any authenticated user can impersonate another developer when committing code. This means that even if a junior account is compromised it could have significant consequences, for example impersonating the lead developer in the hope of an easy merge. Only by requiring signing can identity truly be verified. [Setup Guides](guides/commit-signing.md) for macOS, Windows, GitHub Actions, and AWS CodePipeline. - Invalidate existing reviews when new commits are pushed (`Dismiss stale pull request approvals when new commits are pushed` option). - Require adequate automated status checks prior to merging. This should always include checking that branches are up to date. + +## Allowing others to report security problems + +- Provide a SECURITY.md file describing how other people should report any security issues they discover in your repository. +- Enable Security advisories in your repository as the preferred means of other people reporting security issues. +- If your repository is public, also enable [Private vulnerability reporting](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/privately-reporting-a-security-vulnerability) so that external users can report issues privately. + - Note: the "Enable vulnerability reporting" button in the "Security and Quality" tab doesn't actually enable this setting: it just takes you to the "Settings" tab where the real "Enable" button is. +- Ensure that you monitor Security advisories and act on them promptly. + +For an example, please see this repository's [SECURITY.md](../SECURITY.md). 
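Review bot: in the new SECURITY.md (patch 1/3), the contact link on the last line, `[cybersecurity@nhs.net](cybersecurity@nhs.net)`, has no `mailto:` scheme, so Markdown renderers will emit a relative link to a path called `cybersecurity@nhs.net` rather than an email link; write it as `[cybersecurity@nhs.net](mailto:cybersecurity@nhs.net)` and close the sentence with a full stop. Two smaller documentation points in the same file: the Table of Contents lists the file's own top-level `Security` heading and the `Table of Contents` entry itself, which a reader of a 23-line file gains nothing from, and the "Reporting a vulnerability" section says what a reporter should send but nothing about what to expect back (an acknowledgement window, or that updates will come through the advisory), which is the question most reporters actually have.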
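Review bot: in the added "Allowing others to report security problems" section, the second bullet ("Enable Security advisories in your repository as the preferred means of other people reporting security issues") and the third ("also enable Private vulnerability reporting") present one mechanism as two steps: the advisory is the maintainer-side record, and private vulnerability reporting is the setting that lets an outside reporter open one, which is exactly what the `security/advisories/new` link in the accompanying SECURITY.md depends on. Suggest folding them into a single bullet that says to turn on private vulnerability reporting and that reports then arrive as draft advisories. The nested note describing which button in which tab to click will go stale with the next UI change, and the linked GitHub page already covers it, so keep that to one sentence or drop it. Finally, "Ensure that you monitor Security advisories and act on them promptly" would be more actionable if it said who receives the notifications and asked teams to confirm that a monitored mailbox is among them.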
From e4955b68a5af3d6c75d8d91b78612103f3b93549 Mon Sep 17 00:00:00 2001 From: andyblundell Date: Thu, 23 Apr 2026 10:39:50 +0100 Subject: [PATCH 2/3] Update SECURITY.md Co-authored-by: Alex Young --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 3d4f54ca..2a6f36c9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ If you believe you have found a security issue in this repository, please report 1. [Report a vulnerability](https://github.com/NHSDigital/software-engineering-quality-framework/security/advisories/new) 2. Provide details of the issue and steps to reproduce -This creates a private channel for discussion and allows us to coordinate a fix before public disclosure. +This creates a private channel for discussion and allows us to coordinate a fix before any public disclosure. ## General Security Enquiries From ee103fd7d8384e620f60fee818797a3dbbbe3fdd Mon Sep 17 00:00:00 2001 From: andyblundell Date: Thu, 23 Apr 2026 10:40:13 +0100 Subject: [PATCH 3/3] Update SECURITY.md Co-authored-by: Alex Young --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 2a6f36c9..d9879f16 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security -We take security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the method outlined below. +We take security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems or private data managed by our systems, please do not hesitate to contact us using the method outlined below. ## Table of Contents
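Review bot: patches 2/3 and 3/3 each change one word in a sentence introduced by patch 1/3 ("before public disclosure" to "before any public disclosure"; "and/or" to "or"), so they read as applied review suggestions rather than independent changes; squash them into patch 1/3 before merging so the SECURITY.md addition lands as a single commit with the final wording instead of three commits with the intermediate text in history, carrying the Co-authored-by trailers over to the squashed commit.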