GitHub Advanced Security: Code and Secret Scanning Guidance
Overview
We are rolling out GitHub Advanced Security features, specifically code scanning and secret scanning, to help us identify and address potential security issues in our codebase. This document provides guidance on what to expect and how to handle any alerts or issues that may arise.
What to Expect
- Security Tab Activation: Once enabled, the Security tab in GitHub will start displaying extra alerts and the number of issues identified in our repositories.
- Pull Request Notifications: Any new pull requests (PRs) or changes to existing PRs will trigger notifications if code issues are detected. These issues will be flagged directly within the PR, allowing you to review them as part of your workflow. These alerts are not blocking unless you explicitly require the code scanning status check to pass in your branch protection rules (this is off by default).
Handling Errors in Pull Requests
- Focus on New PRs: We will primarily focus on issues that arise in new PRs. Existing issues in the codebase will be treated separately and addressed in a future initiative. The goal is to ensure that any new code adheres to our security standards without overwhelming the team with existing technical debt.
- Reviewing Alerts: When an alert appears in a PR, make reviewing it part of your workflow. Most alerts are expected to be minor, and you can make a judgment call on whether to fix the issue immediately or defer it. The emphasis is on improving code quality over time, not on slowing down development. To reduce noise, we recommend dismissing alerts that match one of the dismissal reasons GitHub offers when you dismiss an alert.
- Maintaining Progress: We understand the importance of maintaining momentum in our development process. The intent is not to delay progress but to provide opportunities to surface and address potential security issues as they arise. This will help improve our team's overall secure coding practices without adding unnecessary friction.
Best Practices
- Collaborate: If you’re unsure about an alert or how to address it, collaborate with your team members to find the best solution.
- Document Decisions: When deciding to ignore or defer an alert, document the reasoning within the PR for future reference.