Feroz Salam

Vincent

Joe Chen

Mohammad Alam

Andre Eleuterio

Will Dollman

# Security tooling and processes

This page contains information on tools and processes we run within the Security
team.

If you want to document sensitive information, you can either:

- Store it in [Google Drive](https://docs.google.com/document/d/10oocqojeIM0uZpcOl6L76afDYj3-MLsFxRK2jhOg93E/).
- Add it to the `docs` folder in the [infrastructure repository](https://github.com/sourcegraph/infrastructure/tree/main/security/docs).
  This option is better for technical documentation.

## Processes

- [Blocking IPs in Cloudflare](https://docs.google.com/document/d/17FV8pjbJNrhAtW9lvGIbJ1jSkXe0mRw4ci7w0084RBE/edit#heading=h.jpz7uaphhdtk)

## Terraform Cloud

We use Terraform Cloud to manage the deployment of cloud infrastructure across Sourcegraph. You can
find more information on using the platform [here](./terraform-cloud.md).

Notifications for changes to Terraform in folders of interest to the Security team go to #security-terraform.
The configuration of notification settings can be found in `infrastructure/terraform-cloud`.

## SAST scanning

We use a combination of tools within the team to cover a number of different types
of vulnerability.

- We use [Checkov](./checkov.md) to scan our Terraform infrastructure.
- We use [Trivy](./trivy/index.md) to scan containers for issues with dependencies.
- We use [SonarCloud](./sonarcloud.md) to scan our code in `sourcegraph/sourcegraph` for vulnerabilities

## Entitle

We use Entitle as our permission management system.

- An Intro on [Entitle](entitle.md)
- [How To Guide](entitle_request.md)


<section class="h0Wrapper headingWrapper"><section class="h1Wrapper headingWrapper"><h1 id="security-tooling-and-processes"><a class="anchor" aria-hidden tabindex="-1" href="#security-tooling-and-processes"><span class="icon icon-link"></span></a>Security tooling and processes</h1>
<p>This page contains information on tools and processes we run within the Security
team.</p>
<p>If you want to document sensitive information, you can either:</p>
<ul>
<li>Store it in <a href="https://docs.google.com/document/d/10oocqojeIM0uZpcOl6L76afDYj3-MLsFxRK2jhOg93E/">Google Drive</a>.</li>
<li>Add it to the <code>docs</code> folder in the <a href="https://github.com/sourcegraph/infrastructure/tree/main/security/docs">infrastructure repository</a>.
This option is better for technical documentation.</li>
</ul>
<section class="h2Wrapper headingWrapper"><h2 id="processes"><a class="anchor" aria-hidden tabindex="-1" href="#processes"><span class="icon icon-link"></span></a>Processes</h2>
<ul>
<li><a href="https://docs.google.com/document/d/17FV8pjbJNrhAtW9lvGIbJ1jSkXe0mRw4ci7w0084RBE/edit#heading=h.jpz7uaphhdtk">Blocking IPs in Cloudflare</a></li>
</ul>
</section><section class="h2Wrapper headingWrapper"><h2 id="terraform-cloud"><a class="anchor" aria-hidden tabindex="-1" href="#terraform-cloud"><span class="icon icon-link"></span></a>Terraform Cloud</h2>
<p>We use Terraform Cloud to manage the deployment of cloud infrastructure across Sourcegraph. You can
find more information on using the platform <a href="./terraform-cloud">here</a>.</p>
<p>Notifications for changes to Terraform in folders of interest to the Security team go to <a class="slack-channel" href="https://sourcegraph.slack.com/archives/security-terraform" target="_blank" rel="noopener noreferrer">#security-terraform</a>.
The configuration of notification settings can be found in <code>infrastructure/terraform-cloud</code>.</p>
</section><section class="h2Wrapper headingWrapper"><h2 id="sast-scanning"><a class="anchor" aria-hidden tabindex="-1" href="#sast-scanning"><span class="icon icon-link"></span></a>SAST scanning</h2>
<p>We use a combination of tools within the team to cover a number of different types
of vulnerability.</p>
<ul>
<li>We use <a href="./checkov">Checkov</a> to scan our Terraform infrastructure.</li>
<li>We use <a href="trivy/">Trivy</a> to scan containers for issues with dependencies.</li>
<li>We use <a href="./sonarcloud">SonarCloud</a> to scan our code in <code>sourcegraph/sourcegraph</code> for vulnerabilities</li>
</ul>
</section><section class="h2Wrapper headingWrapper"><h2 id="entitle"><a class="anchor" aria-hidden tabindex="-1" href="#entitle"><span class="icon icon-link"></span></a>Entitle</h2>
<p>We use Entitle as our permission management system.</p>
<ul>
<li>An Intro on <a href="entitle">Entitle</a></li>
<li><a href="entitle_request">How To Guide</a></li>
</ul></section></section></section>