Operationalise library compliance / security policy
Created by: malomarrec
Problem
When we make the batch changes library available in-product, we will be providing customers with examples that point to Docker containers. Running the spec will cause the instance to download and run the container. In the early versions of the library, we will likely bundle example specs inside the release, so it will only be updated monthly for self-hosted.
What expectations and guidance do we give to customers regarding those examples, the containers they point to, security and compliance?
Solution
We discussed this with legal and security. Here's what we're gonna do (at least as long as library batch specs are bundled with the instance and shipped monthly for self-hosted):
Policy
- We only use Docker official images. This will be enforced through a code review by the Batch Changes team, when merging in a new spec.
- We only include Docker images that have a license.
- We explicitly state that "if running in commercial environments ensure that the base images (from steps.run) comply with applicable rules and regulations.", in the UI or in the specs.
TODO to close this issue
- Audit existing library items and remove those that don't comply with the policy
- Create a docs page explaining what library items are
- Document this policy in docs.sourcegraph.com, and where applicable in the handbook
- Evaluate automating a check that we only use Docker official images
- Add a warning in the library UI (or alternatively in each spec) that "if running in commercial environments ensure that the base images (from steps.run) comply with applicable rules and regulations."
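One way the automated check from the TODO list could work, as an added example that is not part of the original issue or the project's code: it resolves each step image the way Docker does and flags anything that does not land in the `library` namespace on Docker Hub, where Docker Official Images are published. It assumes each step names its image with a `container:` key, uses a line-based match instead of a YAML parser to stay dependency-free, and runs on a constructed sample spec with constructed image names.

```python
import re

# Assumption: each batch spec step names its image as `container: <ref>`.
CONTAINER_RE = re.compile(r"^\s*(?:-\s*)?container:\s*['\"]?([^'\"\s#]+)", re.M)

def normalize(ref):
    """Resolve an image reference to (registry, repository) as Docker does."""
    name = ref.split("@", 1)[0]                  # drop a digest, if any
    if ":" in name.rsplit("/", 1)[-1]:           # a colon after the last slash is a tag
        name = name[: name.rfind(":")]
    first, _, rest = name.partition("/")
    # The first component is a registry host only if it looks like a hostname.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name
    if registry == "index.docker.io":            # legacy alias for Docker Hub
        registry = "docker.io"
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo                 # bare names live under library/
    return registry, repo

def is_official(ref):
    """True if ref resolves to docker.io/library/<name>."""
    registry, repo = normalize(ref)
    return registry == "docker.io" and repo.startswith("library/") and repo.count("/") == 1

def non_official_images(spec_text):
    """Return the step images in a spec that violate the official-images policy."""
    return [img for img in CONTAINER_RE.findall(spec_text) if not is_official(img)]

# Constructed sample spec for illustration only.
SAMPLE_SPEC = """\
name: example-library-item
steps:
  - run: gofmt -w ./
    container: golang:1.22-alpine
  - run: echo "container: not-an-image"
    container: "docker.io/library/alpine:3.19"
  - run: tool --fix
    container: example-org/tool:1
  - container: registry.example.com/library/alpine
    run: echo hi
"""

if __name__ == "__main__":
    for image in non_official_images(SAMPLE_SPEC):
        print("not a Docker official image:", image)
```

The namespace check only shows where an image is pulled from; license review and the code review named in the policy still apply to images that pass it.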