docs/cloud/features/security/security.md
4 additions & 4 deletions
@@ -46,9 +46,9 @@ A few key components of our internal code requirements:
- We used signed Git commits, required approvers, and signed Docker artifacts.
- Each commit to a `main` branch must be approved by someone other than the author.
-
- We sign commits and register the key with GitHub ([Github Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits))
-
- Binaries are signed using cosign and OIDC for keyless ([Signing docs](https://docs.sigstore.dev/cosign/signing/overview/)
-
- Attestations are created to certify an image, enforced with GCP Binary Authorization ([Attestation docs](https://cloud.google.com/binary-authorization/docs/key-concepts#attestations))
+
- We sign commits and register the key with GitHub ([Github Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)).
+
- Binaries are signed using cosign and OIDC for keyless ([Signing docs](https://docs.sigstore.dev/cosign/signing/overview/)).
+
- Attestations are created to certify an image, enforced with GCP Binary Authorization ([Attestation docs](https://cloud.google.com/binary-authorization/docs/key-concepts#attestations)).
- Encryption is a key feature of our security posture and is enforced at each stage of access. For example, the state database automatically encrypts all data. Credentials are also securely encrypted and stored.
- We back up each state database nightly and before upgrades. These backups are stored for 14 days.
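Review bot: The unchanged context line "We used signed Git commits, required approvers, and signed Docker artifacts." still reads as past tense while the bullets below it describe current practice; since this hunk is already touching the list, suggest "We use signed Git commits, ...". The added periods and the closing parenthesis on the cosign bullet are correct (the old line was missing a ")"), but "OIDC for keyless" is still cut short; suggest "OIDC for keyless signing". Consider also stating whether branch protection rejects unsigned commits, since "We sign commits and register the key with GitHub" describes the habit but not whether an unsigned commit can reach `main`.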
@@ -67,7 +67,7 @@ We use GitHub to sign code commits. At the time the code was committed, the PGP
### How do we invalidate PGP keys if someone did steal it and could potentially use it?
-
Revoke access for the GitHub user account associated with the compromised key and not give them access again until the old PGP key is deprecated and a new key issued.
+
We would revoke access for the GitHub user account associated with the compromised key and not give it access again until the old PGP key is deprecated and a new key issued.
### If someone steals a laptop, what's our continuity plan in protecting code?
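Review bot: The reworded answer still only revokes the GitHub user account, not the compromised PGP key itself; a stolen key remains valid until it is removed from the GitHub account (or a revocation is published), so commits signed with it would still show as verified if the account were ever re-enabled. Suggest making key revocation the first step, e.g. "We would remove the compromised PGP key from GitHub and revoke it, suspend the associated user account, and only restore access once a new key has been issued and registered." The switch from the imperative "Revoke access" to "We would revoke access" also softens a procedure into a hypothetical; a policy page reads better with the steps stated as what is done. Minor: the heading "if someone did steal it" should be "if someone stole it".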