Static

...

Static code analysis helps us find potential security vulnerabilities in the codebase. We use LGTM on our public GitHub repositories. For every pull request, or ad hoc when queried on other parts of the code, LGTM analyses the code and raises alerts with recommendations on how to fix them. We use LGTM in the following way:

  • LGTM is enabled for all public repos

  • To enable LGTM for a repo, you must be an admin of that repo

  • To access LGTM, use your GitHub account

  • LGTM provides alerts when new PRs are merged. The merge process is delayed by a couple of minutes, depending on the size of the code change. Alerts should be reviewed before the PR is finally merged.

  • To review an alert: open it in LGTM, review the alert and its recommendation, and decide on the mitigation measure. There are three types of alert (error, warning and recommendation). Errors and warnings must be mitigated; recommendations are optional.

  • To mitigate an alert: change the codebase as suggested and re-submit the PR. Verify that the alert no longer appears.

  • To dismiss an alert, click the crossed-out eye icon and follow the instructions. Since a dismissal adds a line to the code, we should limit dismissals and rather re-tune LGTM or fix the alert at its root.
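A merge gate that applies the review rules above (errors and warnings block, recommendations do not, in-code dismissals are counted but never block), as an added example that is not part of the original page or of Rocket.Chat's tooling. It assumes the scanner's results arrive as a SARIF 2.1.0 document, the format CodeQL uploads; the SARIF sample, rule ids and paths are constructed.

```python
import json

# Levels that must be mitigated before merge; SARIF "note" carries a recommendation, optional under the policy.
BLOCKING_LEVELS = {"error", "warning"}

# Constructed SARIF 2.1.0 fragment standing in for a CodeQL/LGTM upload;
# rule ids and paths are illustrative, not real Rocket.Chat findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "js/example-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/a.js"},
                                                  "region": {"startLine": 10}}}]},
            {"ruleId": "js/example-unused", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/b.js"},
                                                  "region": {"startLine": 4}}}],
             "suppressions": [{"kind": "inSource"}]},  # dismissed by an in-code marker
            {"ruleId": "js/example-style", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/c.js"},
                                                  "region": {"startLine": 1}}}]},
        ],
    }],
})

def blocking_alerts(sarif_text):
    """Return ([(file:line, level, ruleId)], dismissed_count) for a SARIF document.
    Suppressed results never block but are counted so dismissals stay visible."""
    doc = json.loads(sarif_text)
    blocking, dismissed = [], 0
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            if res.get("suppressions"):
                dismissed += 1
                continue
            level = res.get("level", "warning")  # SARIF default when "level" is absent
            if level in BLOCKING_LEVELS:
                loc = res["locations"][0]["physicalLocation"]
                where = f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}"
                blocking.append((where, level, res["ruleId"]))
    return blocking, dismissed

def merge_allowed(sarif_text):
    """True when no unsuppressed error- or warning-level alert remains."""
    return not blocking_alerts(sarif_text)[0]

if __name__ == "__main__":
    found, skipped = blocking_alerts(SAMPLE_SARIF)
    print(found, f"dismissed={skipped}", "merge allowed" if merge_allowed(SAMPLE_SARIF) else "merge blocked")
```

Run on a real CodeQL SARIF file the output lists exactly the alerts the reviewer must still mitigate, while the dismissed count surfaces in-source suppressions that the policy says to keep rare.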

...

Application Security Testing (SAST)

SAST tools scan our code repositories to find vulnerabilities and security issues statically, that is, the code is scanned and assessed without runtime analysis. At the moment, Rocket.Chat uses GitHub's CodeQL for all public repositories and is evaluating Semgrep for private repositories.

Secrets Scanning

Secrets scanning helps us prevent secrets from being added to our code repositories and detects secrets that have already been committed. At the moment, Rocket.Chat uses GitHub's secret scanning for all public repositories and is evaluating TruffleHog for private repositories.

Software Composition Analysis (SCA)

SCA, or dependency scanning, helps us find and mitigate security issues in the libraries and dependencies used by our code. At the moment, Rocket.Chat uses GitHub's Dependabot for both public and private repositories.