Create Security Information Management Policy #162
Codecov Report
@@ Coverage Diff @@
## dev #162 +/- ##
=======================================
Coverage 75.46% 75.46%
=======================================
Files 19 19
Lines 481 481
=======================================
Hits 363 363
Misses 118 118
README.md
@@ -103,3 +103,6 @@ Choice must also be `<None>`. | |||
|
|||
Please see our [Contributing Guide](https://github.com/hammer-io/tyr/blob/master/CONTRIBUTING.md) | |||
for contribution guidelines. | |||
|
|||
## Security Information Management Policy | |||
We need your username and password for some third party applications, check out what we do with your credentials [here](https://github.com/hammer-io/tyr/blob/master/SECURITY_INFORMATION_MANAGEMENT_POLICY.md). |
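Review bot: the new README line links to `blob/master/SECURITY_INFORMATION_MANAGEMENT_POLICY.md`, but this PR is based on `dev` (see the Codecov header) and the policy file is added by this same PR, so the link will 404 until dev is merged into master. A relative link, `[here](SECURITY_INFORMATION_MANAGEMENT_POLICY.md)`, resolves against whichever branch the reader is viewing and avoids that.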
Recommended rewording:
In order to orchestrate the various third party applications for your project, we will periodically ask for your username and password to these applications. To find out more about how we use these credentials and what steps we are taking to keep your information safe, please read the Security Information Management Policy.
* Read your GitHub account details, create a GitHub token, delete a GitHub token, create a GitHub repository, push to your GitHub repository through the official (GitHub API)[https://developer.github.com/v3/]. | ||
* Read your Heroku account details, create a Heroku Application through the official (Heroku API)[https://devcenter.heroku.com/articles/platform-api-reference]. | ||
|
||
## What do we not do with your username and password? |
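Review bot: both bullets have the markdown link syntax inverted, `(GitHub API)[https://developer.github.com/v3/]` and `(Heroku API)[https://devcenter.heroku.com/articles/platform-api-reference]`, which will render as literal parentheses and brackets rather than links. Use `[GitHub API](https://developer.github.com/v3/)` and `[Heroku API](https://devcenter.heroku.com/articles/platform-api-reference)`.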
Recommended rewording:
What we do NOT do with your username and password
|
||
In the mean time, we urge you to check out the source code and see exactly how we are using your username and password. | ||
|
||
## What do we do with your username and password? |
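Review bot: "In the mean time" should be "In the meantime"; the phrase also implies something is still pending without saying what, so either state what is pending or drop the phrase and keep the invitation to read the source code.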
Recommended rewording:
How we use your username and password
In the mean time, we urge you to check out the source code and see exactly how we are using your username and password. | ||
|
||
## What do we do with your username and password? | ||
* Read your GitHub account details, create a GitHub token, delete a GitHub token, create a GitHub repository, push to your GitHub repository through the official (GitHub API)[https://developer.github.com/v3/]. |
These two bullets are a bit vague. I think they could be clarified as follows:
- If you opt to use GitHub for source control, your credentials are used to create the new project repository, push the generated source code to the new repository, and facilitate other actions relevant to the Tyr project.
- If you opt to use TravisCI for continuous integration, your GitHub credentials are used to activate and configure the Tyr project in the TravisCI environment.
- If you opt to deploy your project on Heroku, your credentials are used to create and configure the Heroku Application for the Tyr project.
- In general, as more third party applications are integrated into Tyr, the credentials we request are simply used to facilitate DevOps activities for your project.
## What do we not do with your username and password? | ||
* Share your username and password with anyone | ||
* Store your username or password in any database or any temporary/permanent files | ||
* Access information which is not listed above |
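Review bot: the "do not store" bullet covers the username and password but not the GitHub token the tool creates on the user's behalf (listed under "What do we do"); a token grants the same API access as the password, so the policy should state whether it is written to disk, held only in memory for the run, or deleted when the run ends (the same section mentions deleting a token).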
I would also add:
- Access any projects (on GitHub, Heroku, or elsewhere) other than the one being generated/managed by Tyr.
# SECURITY INFORMATION MANAGEMENT POLICY | ||
|
||
## Why do we need your username and password for different accounts? | ||
We need your username and password to access third party applications. Since we are not in a web browser, we do not have the capability of accessing your information through redirect pages. |
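Review bot: the last line justifies collecting passwords by the lack of a browser redirect flow, yet the "What do we do" section shows the tool already creates a GitHub token; the policy should explain why the password is required rather than a token the user generates and pastes in, since the tool would then never handle the password itself. "Redirect pages" would also be clearer as "a browser-based login redirect".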
Recommended rewording:
The integration of third party applications allows us to automate the setup of the DevOps pipeline for your project. Each component in the pipeline requires authenticated access, so we need to prompt for the various credentials to take the necessary steps to complete the setup.
…curity-information-management-policy to fix a dirty commit from master.
closes #147