diff options
| author | Philippe Lafoucrière <plafoucriere@gitlab.com> | 2018-11-27 21:13:57 +0000 |
|---|---|---|
| committer | Philippe Lafoucrière <plafoucriere@gitlab.com> | 2018-11-27 21:13:57 +0000 |
| commit | ad4eac5589a8c71565429ac30ffb2da912d646be (patch) | |
| tree | 98b7743f2ae5c719815bf4ac44ba65d2410c79b7 | |
| parent | ebea1e7c84e98271a1ced3ffbd58c87b9a322f5a (diff) | |
| download | gitlab-ce-docs/6236-add_security_checks_to_workflow.tar.gz | |
Address reviewers' commentsdocs/6236-add_security_checks_to_workflow
| -rw-r--r-- | doc/development/code_review.md | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/doc/development/code_review.md b/doc/development/code_review.md index aabb1f4b707..4fa3ba7a809 100644 --- a/doc/development/code_review.md +++ b/doc/development/code_review.md @@ -53,8 +53,6 @@ from other teams than your own. #### Security requirements - 1. If your merge request is processing, storing, or transferring any kind of [RED data][red data], and/or ORANGE data, it must be - **approved by a [Security Engineer][team]**. 1. If your merge request involves implementing, utilizing, or is otherwise related to any type of authentication, authorization, or session handling mechanism, it must be **approved by a [Security Engineer][team]**. 1. If your merge request has a goal which requires a cryptographic function such as: confidentiality, integrity, authentication, or non-repudiation, it must be @@ -111,7 +109,7 @@ placed to do so without an unreasonable investment of time. In those cases, they will defer to the judgment of the author and earlier reviewers and involved domain experts, in favor of focusing on their primary responsibilities. -If a developer happens to also be a maintainer, and was involved in a merge request +If a developer who happens to also be a maintainer was involved in a merge request as a domain expert and/or reviewer, it is recommended that they are not also picked as the maintainer to ultimately approve and merge it. @@ -120,9 +118,10 @@ required approvers. Maintainers must check before merging if the merge request is introducing new vulnerabilities, by inspecting the list in the Merge Request [Security -Widget][security-widget]. When in doubt, a [Security Engineer][team] can be -involved. The list of detected vulnerabilities must be either empty or -containing: +Widget](https://docs.gitlab.com/ee/user/project/merge_requests/#security-reports-ultimate). +When in doubt, a [Security Engineer][team] can be involved. The list of detected +vulnerabilities must be either empty or containing: + - dismissed vulnerabilities in case of false positives - vulnerabilities converted to issues @@ -306,6 +305,4 @@ Largely based on the [thoughtbot code review guide]. [projects]: https://about.gitlab.com/handbook/engineering/projects/ [team]: https://about.gitlab.com/team/ [build handbook]: https://about.gitlab.com/handbook/build/handbook/build#how-to-work-with-build -[red data]: https://docs.google.com/document/d/15eNKGA3zyZazsJMldqTBFbYMnVUSQSpU14lo22JMZQY/edit -[security-widget]: https://docs.gitlab.com/ee/user/project/merge_requests/#security-reports-ultimate [^1]: Please note that specs other than JavaScript specs are considered backend code. |