undefined | Better HN

0 pointsbadgersnake3mo ago0 comments

Lots of teams embraced actions to run their CI/CD, and GitHub reviews as part of their merge process. And copilot. Basically their SOC2 (or whatever) says they have to use GitHub.

I’m guessing they’re regretting it.

0 comments

swiftcoder3mo ago

> Basically their SOC2 (or whatever) says they have to use GitHub

Our SOC2 doesn't specify GitHub by name, but it does require we maintain a record of each PR having been reviewed.

I guess in extremis we could email each other patch diffs, and CC the guy responsible for the audit process with the approval...

bostik3mo ago

Every product vendor, especially those that are even within a shouting distance from security, has a wet dream: to have their product explicitly named in corporate policies.

I have cleaned up more than enough of them.

onraglanroad3mo ago

The Linux kernel uses an email based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.

sgt3mo ago

Does SOC2 itself require that or just yours? I'm not too familiar with SOC2 but I know ISO 27001 quite well, and there's no PR specific "requirements" to speak of. But it is something that could be included in your secure development policy.

badgersnakeOP3mo ago

Yeah, it’s what you write in the policy.

swiftcoder3mo ago

And it's pretty common to write in the policy, because its pretty much a gimme, and lets you avoid writing a whole bunch of other equivalent quality measures in the policy.

j / k navigate · click thread line to collapse

0 comments

swiftcoder3mo ago

> Basically their SOC2 (or whatever) says they have to use GitHub

Our SOC2 doesn't specify GitHub by name, but it does require we maintain a record of each PR having been reviewed.

I guess in extremis we could email each other patch diffs, and CC the guy responsible for the audit process with the approval...

bostik3mo ago

Every product vendor, especially those that are even within a shouting distance from security, has a wet dream: to have their product explicitly named in corporate policies.

I have cleaned up more than enough of them.

onraglanroad3mo ago

The Linux kernel uses an email based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.

sgt3mo ago

badgersnakeOP3mo ago

Yeah, it’s what you write in the policy.

swiftcoder3mo ago

And it's pretty common to write in the policy, because its pretty much a gimme, and lets you avoid writing a whole bunch of other equivalent quality measures in the policy.

j / k navigate · click thread line to collapse