Security should be a top concern in software development, particularly during code review, where vulnerabilities can be spotted and fixed before they reach production. GitHub provides a number of settings that secure code review by ensuring only reviewed, authorized changes land on your main branches. This guide walks through those GitHub settings and then shows how Graphite Protections layer on top of them to tighten the review process further.
GitHub security review settings
GitHub offers several settings to enhance the security of code reviews:
Require pull requests
Ensuring that all changes pass through a pull request is fundamental. This setting blocks direct pushes to protected branches, so every change has to be reviewed and approved in a pull request. Pair it with the option that disallows bypassing the rule (the "Do not allow bypassing the above settings" checkbox, which applies the rule to administrators as well); without it, any administrator account, including a compromised one, can push straight to the branch and the rule protects nothing.
Enforce branch protections
Branch protection rules are crucial for securing your codebase:
- Require code review approvals: Set the minimum number of approving reviews required before merging. For high-security repositories, require two or more so that a single compromised or careless reviewer cannot wave a change through.
- Dismiss stale pull request approvals when new commits are pushed: This ties each approval to the exact commits that were reviewed, so code pushed after approval cannot ride in on an outdated review. Combine it with "Require approval of the most recent reviewable push", which stops a collaborator who pushes to the branch from approving their own push, and with restricting who can dismiss reviews.
Use CODEOWNERS
The CODEOWNERS file is a GitHub feature that automatically requests review from specific individuals or teams when changes touch certain parts of the code. This is particularly useful for sensitive areas of your codebase, such as security configurations or critical infrastructure code. Two caveats matter in practice: on its own, CODEOWNERS only requests reviews, so enable the "Require review from Code Owners" branch protection option to make those reviews mandatory; and GitHub applies the last matching pattern in the file, so a broad rule placed below a narrow one silently takes ownership away from the team the narrow rule named.
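The last-match-wins rule is the one that bites in practice, so it helps to see it resolved. The script below is an added example, not code from GitHub or from Graphite: it parses a constructed CODEOWNERS file, resolves the owners of a changed path the way GitHub does (last matching pattern wins), and checks that paths you consider sensitive still resolve to the team you expect. The team names, paths and file contents are invented for the example, and the pattern matcher covers a common subset of the syntax (`*`, `**`, `?`, leading `/` anchoring, trailing `/` for directories) rather than every edge case GitHub documents.

```python
"""Resolve CODEOWNERS ownership for a path and catch shadowed rules.

GitHub evaluates CODEOWNERS top to bottom and the LAST matching pattern wins.
Everything below (file contents, teams, paths) is constructed for this example.
The matcher implements a subset of GitHub's pattern syntax, not all of it.
"""
from __future__ import annotations

import re

# Constructed sample CODEOWNERS. The final '*.tf' line is the mistake we want
# to catch: it is broader than '/infra/iam/' and appears later, so it wins.
SAMPLE_CODEOWNERS = """\
# Default owners for everything in the repo
*                   @acme/platform

# Infrastructure code
/infra/             @acme/infra

# IAM policies need the security team
/infra/iam/         @acme/security

# Added later: route all Terraform to the infra team
*.tf                @acme/infra
"""


def parse_codeowners(text: str) -> list[tuple[str, list[str]]]:
    """Return (pattern, owners) pairs in file order, skipping comments and blank lines."""
    rules: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate one CODEOWNERS pattern into a regex over a slash-separated repo path."""
    dir_only = pattern.endswith("/")          # 'dir/' owns everything beneath dir
    pat = pattern.rstrip("/")
    # A slash anywhere except the end anchors the pattern at the repo root;
    # bare names such as '*.tf' or 'Makefile' match at any depth.
    anchored = pat.startswith("/") or "/" in pat
    pat = pat.lstrip("/")
    out: list[str] = []
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out.append("(?:.*/)?")   # any number of leading directories
            i += 3
        elif pat.startswith("**", i):
            out.append(".*")
            i += 2
        elif pat[i] == "*":
            out.append("[^/]*")      # '*' does not cross a directory boundary
            i += 1
        elif pat[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    prefix = "" if anchored else "(?:.*/)?"
    suffix = "/.*" if dir_only else ""
    return re.compile(f"^{prefix}{''.join(out)}{suffix}$")


def owners_for(path: str, rules: list[tuple[str, list[str]]]) -> list[str]:
    """Resolve owners for a path: the last matching rule wins, as on GitHub."""
    owners: list[str] = []
    for pattern, rule_owners in rules:
        if _pattern_to_regex(pattern).match(path):
            owners = rule_owners
    return owners


def check_required_owners(rules, expectations: dict[str, str]) -> dict[str, list[str]]:
    """Return {path: resolved_owners} for each path whose owners omit the required team.

    Intended to run in CI against a list of sensitive paths so that a later,
    broader CODEOWNERS rule cannot silently remove the security team.
    """
    violations: dict[str, list[str]] = {}
    for path, required in expectations.items():
        actual = owners_for(path, rules)
        if required not in actual:
            violations[path] = actual
    return violations


if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    for p in ("src/app.py", "infra/network/vpc.yaml", "infra/iam/README.md", "infra/iam/prod-roles.tf"):
        print(f"{p:28} -> {owners_for(p, rules)}")
    print("violations:", check_required_owners(rules, {"infra/iam/prod-roles.tf": "@acme/security"}))
```

Running it shows `infra/iam/prod-roles.tf` resolving to `@acme/infra`, not `@acme/security`, because the `*.tf` line comes last. The fix is to move the broad Terraform rule above the `/infra/iam/` rule, or to add an explicit `/infra/iam/*.tf @acme/security` line at the end of the file; either way, keeping a check like `check_required_owners` in CI prevents the regression from returning.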
Enable status checks
Require status checks to pass before merging. Required checks are named explicitly in the rule, so list each one rather than assuming "everything must be green"; a check that is not listed cannot block a merge. Typical required checks include:
- Continuous Integration (CI) tests
- Security analysis tools, such as static analysis, dependency and secret scanning
- Any other checks that validate the security and functionality of the code
Also enable "Require branches to be up to date before merging" so the checks ran against the current base branch rather than a stale merge result, and put the workflow files that produce these checks under CODEOWNERS, since whoever can edit the workflow can change what the check actually verifies.
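Branch protection settings are easy to leave half-configured, so it is worth auditing them rather than trusting the UI. The script below is an added example, not code from GitHub or Graphite: it takes a dictionary shaped like the JSON GitHub's REST API returns for `GET /repos/{owner}/{repo}/branches/{branch}/protection` and reports every setting that falls short of the review and status-check requirements described in the sections above. The two configurations are constructed samples (a weak one next to a hardened one), the field names follow the public REST API as documented, and the threshold of two approvals is this example's own policy, not a GitHub default.

```python
"""Audit a GitHub branch protection configuration for weak review settings.

Input is a dict shaped like GitHub's REST response for
GET /repos/{owner}/{repo}/branches/{branch}/protection.
Both sample configurations below are constructed for this example.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: looks protected in the UI, but most safeguards are off.
WEAK_PROTECTION: dict[str, Any] = {
    "required_status_checks": None,
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
        "require_last_push_approval": False,
    },
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: the same branch configured as this guide recommends.
HARDENED_PROTECTION: dict[str, Any] = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "security/codeql"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 2,
        "require_last_push_approval": True,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

MIN_APPROVALS = 2  # example policy for high-security repositories, not a GitHub default


def _enabled(protection: dict[str, Any], key: str) -> bool:
    """Read an {'enabled': bool} sub-object, treating a missing or null key as off."""
    return bool((protection.get(key) or {}).get("enabled"))


def audit_branch_protection(protection: dict[str, Any], min_approvals: int = MIN_APPROVALS) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings: list[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("no approving review is required at all")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(f"only {count} approval(s) required, policy needs {min_approvals}")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("approvals survive new commits pushed after review")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("CODEOWNERS reviews are requested but not required")
        if not reviews.get("require_last_push_approval"):
            findings.append("the person who made the last push can approve it")

    checks = protection.get("required_status_checks")
    # Newer API responses list 'checks' objects; older ones list 'contexts' strings.
    names = (checks or {}).get("contexts") or [c.get("context") for c in (checks or {}).get("checks", [])]
    if not names:
        findings.append("no status checks are required, so CI and security scans cannot block a merge")
    elif not checks.get("strict"):
        findings.append("branches need not be up to date with the base, so checks may have run on stale code")

    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators can bypass these rules")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes are allowed, so reviewed history can be rewritten")
    if _enabled(protection, "allow_deletions"):
        findings.append("the protected branch can be deleted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        print(f"{name}:")
        for finding in audit_branch_protection(cfg) or ["no findings"]:
            print(f"  - {finding}")
```

Feeding the script the live response for each protected branch (for example via `gh api`) and failing a scheduled job on any finding turns the settings in this section into something that is continuously verified rather than set once and forgotten.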
Secure code review settings in GitHub using Graphite Protections
Graphite Protections offer advanced control over the mergeability of pull requests, allowing you to tailor security measures for specific needs, beyond what GitHub's settings provide:
Advanced merge requirements
Graphite Protections allow setting merge requirements based on file path, programming language, or team, which is particularly useful in monorepos:
- Require security team approval for sensitive changes: Only allow the security team to approve PRs that affect security-related configurations.
- Set CI requirements by directory: Minimize the impact of flaky tests by requiring specific CI checks to pass for changes in certain directories.
Integration with GitHub
Graphite Protections integrate seamlessly with GitHub, supporting existing Branch Protection Rules, Rulesets, and CODEOWNERS. When both Graphite and GitHub protections are enabled, they complement each other to ensure all criteria are met before merging.
Overriding Protections
Graphite also allows temporary overrides, for example when an on-call engineer needs to land an urgent change, adding flexibility without weakening the default posture. Treat an override as an exception rather than a shortcut: keep the set of people who can override small, and have any change merged under an override reviewed after the fact.
Setting up Graphite Protections
- Install the Graphite GitHub app: This is a prerequisite for enabling Protections.
- Navigate to the Protections page in Graphite: Use the visual editor to set up and customize your Protections.
- Create and manage Protections: Configure the required number of reviews, specific file approvers, and required CI checks for each type of change.
By integrating Graphite Protections with GitHub’s security review settings, organizations can achieve a highly secure and flexible code review process tailored to their specific security needs.