Closed Bug 1910781 Opened 10 months ago Closed 9 months ago

Assess use of external action splunk-appinspect in Mozilla's GitHub organization mozilla-services

Categories

(mozilla.org :: Github: Administration, task, P4)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mlarsonweber, Assigned: cknowles)

Details

I want to use the splunk appinspect action in mozilla-services for the following reasons:

It will help facilitate our app building and testing for our internally developed Splunk apps. AppInspect is a CLI tool that runs a series of static tests against your app to determine if it's acceptable for installation on Splunk Cloud. Here's the info on AppInspect: https://github.com/splunk/appinspect-cli-action
Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)
(Note: This mainly applies to applications. Actions are approved for entire GitHub orgs, though having this info can help security with their analysis)
mozilla-services/splunk-ops

** Are any of those repositories private?
yes
** Provide link to vendor's description of permissions needed and why
https://github.com/splunk/appinspect-cli-action - I don't know that it requires any permissions, but I'm new to this.
** Provide the Install link for a GitHub app

NOTE

Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.

Forwarding to our secops folk so they can look at, ask questions, and weigh in on approving the action for use in the mozilla-services org.

Hal/Clovis/Antony - Let us know your opinions.

Flags: needinfo?(hwine)
Flags: needinfo?(cfoji)
Flags: needinfo?(anrivera)

I'm good with this!

Flags: needinfo?(anrivera)

So, a couple questions for our security folk -
First, what's the specific action string you'd like me to enable - splunk/appinspect-cli-action@* for the widest permissions, or somehow more locked down?
Second, is this a blanket approval? In which case, can you please update https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/GitHub_Actions.md - Thank you

(In reply to Chris Knowles [:cknowles] from comment #3)

So, a couple questions for our security folk -
First, what's the specific action string you'd like me to enable - splunk/appinspect-cli-action@* for the widest permissions, or somehow more locked down?
Second, is this a blanket approval? In which case, can you please update https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/GitHub_Actions.md - Thank you

You can enable with splunk/appinspect-cli-action@* to grant it wide access, and I believe this will be a blanket approval, but let me touch base with the requester.

Flags: needinfo?(cfoji)
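For reference on the "widest permissions vs. more locked down" question above, here is an added example of how a workflow in the splunk-ops repo could consume the action once it is allowed in the org. It is not from this bug, from Mozilla, or from Splunk's project. The repository layout, the app path, and the action's input names (`app_path`, `included_tags`) are assumptions to be checked against the action's README, and the commit SHA is a placeholder.

```yaml
# Added example, not from the bug: a workflow for mozilla-services/splunk-ops
# that runs the third-party AppInspect action with least privilege.
name: appinspect

on:
  pull_request:
    paths:
      - "apps/**"   # assumed layout: each custom Splunk app lives under apps/<name>

# Restrict the GITHUB_TOKEN for every job to read-only; a third-party action
# otherwise inherits the repository's default token permissions.
permissions:
  contents: read

jobs:
  appinspect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Pin the third-party action to a full commit SHA of a reviewed release
      # instead of a floating tag. The SHA below is a PLACEHOLDER.
      - name: Run Splunk AppInspect (Splunk Cloud checks)
        uses: splunk/appinspect-cli-action@0000000000000000000000000000000000000000 # vX.Y.Z placeholder
        with:
          app_path: apps/my_app      # assumed input name and path
          included_tags: cloud       # assumed input name; runs the Splunk Cloud tag set
```

The org-level allow list pattern `splunk/appinspect-cli-action@*` permits any ref of the action; GitHub's "allow specified actions" setting also accepts a specific tag or SHA (`owner/repo@v1.0.0` or `owner/repo@<sha>`), which is the "more locked down" form, at the cost of updating the allow-list entry whenever the pinned version changes.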

I don't think blanket approval is necessary for this one, since our Splunk access is limited to just a couple of teams within security, and all of our Splunk dev work should take place within the splunk-ops repo in mozilla-services. This action is just to make sure custom, Mozilla-authored Splunk apps we use pass Splunk's static checks, which they require before we install any custom apps on our Splunk Cloud platform.

Alright - based on comment 4, added splunk/appinspect-cli-action@* to the list of available actions for the mozilla-services org.

Let us know if there are any questions or concerns.

Assignee: nobody → cknowles
Status: NEW → RESOLVED
Closed: 9 months ago
Flags: needinfo?(hwine)
Resolution: --- → FIXED