This page contains information on tools and processes we run within the Security team.

If you want to document sensitive information, you can either:

Processes

Terraform Cloud

We use Terraform Cloud to manage the deployment of cloud infrastructure across Sourcegraph. You can find more information on using the platform here.

Notifications for changes to Terraform configuration in folders of interest to the Security team are posted to #security-terraform. The notification settings are configured in infrastructure/terraform-cloud.
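As an added illustration, not Sourcegraph's own configuration from infrastructure/terraform-cloud, this is how a Slack notification for one workspace is declared with the Terraform `tfe` provider. The organisation name, the workspace name and the variable carrying the webhook URL are assumptions made for the example.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Hypothetical organisation and workspace names, used for illustration only.
data "tfe_workspace" "security" {
  name         = "security-example"
  organization = "example-org"
}

# The Slack incoming-webhook URL is a credential: pass it in as a sensitive
# variable instead of committing it to the repository.
variable "slack_webhook_url" {
  type      = string
  sensitive = true
}

resource "tfe_notification_configuration" "security_slack" {
  name             = "security-terraform"
  enabled          = true
  destination_type = "slack"
  url              = var.slack_webhook_url
  workspace_id     = data.tfe_workspace.security.id

  # Notify on events that need a human to look; run:planning and
  # run:applying are left out so routine runs do not flood the channel.
  triggers = [
    "run:created",
    "run:needs_attention",
    "run:errored",
    "run:completed",
  ]
}
```

One `tfe_notification_configuration` resource is needed per workspace that should report to the channel; managing them in Terraform rather than by hand in the UI means a change to who gets notified is itself reviewed in a pull request.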

SAST scanning

Static Application Security Testing (SAST) analyses application source code, without running it, to find vulnerabilities before the code is deployed.

At Sourcegraph, we use a combination of tools within the team to cover different types of vulnerability. We use:

SAST Scanning Overview

Tenable

We use Tenable for weekly vulnerability scans. The scans are executed automatically by Kubernetes CronJobs and the results are ingested into Elasticsearch. Detected issues are prioritised and, depending on impact and severity, tracked as a security issue, where they are handled as part of our vulnerability management process.
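As an added example, and not Sourcegraph's actual scan job, here is a weekly CronJob declared with the Terraform `kubernetes` provider. It shows the controls that matter for a scheduled scanner: no overlapping runs, API credentials injected from a Secret rather than the manifest, a non-root read-only container with no service-account token, and bounded job history. The namespace, image, command-line arguments, Secret name and environment variable names are all hypothetical.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

resource "kubernetes_cron_job_v1" "weekly_scan" {
  metadata {
    name      = "tenable-weekly-scan" # hypothetical name
    namespace = "security"            # hypothetical namespace
  }

  spec {
    schedule                      = "0 2 * * 1" # 02:00 every Monday, in the controller's time zone
    concurrency_policy            = "Forbid"    # never start a scan while the previous one is still running
    starting_deadline_seconds     = 3600        # skip the run entirely if it cannot start within an hour
    successful_jobs_history_limit = 3
    failed_jobs_history_limit     = 5

    job_template {
      metadata {}
      spec {
        backoff_limit              = 1
        ttl_seconds_after_finished = 604800 # keep finished jobs (and their logs) for a week

        template {
          metadata {}
          spec {
            restart_policy                  = "Never"
            automount_service_account_token = false # the job talks to Tenable and Elasticsearch, not the API server

            container {
              name  = "scan"
              image = "registry.example.com/security/scan-runner:1.0.0" # hypothetical image
              args  = ["--ingest", "elasticsearch"]                      # hypothetical CLI

              # Credentials come from a Secret; nothing sensitive lives in the manifest.
              env {
                name = "TENABLE_ACCESS_KEY" # hypothetical variable name
                value_from {
                  secret_key_ref {
                    name = "tenable-api" # hypothetical Secret
                    key  = "access_key"
                  }
                }
              }
              env {
                name = "TENABLE_SECRET_KEY" # hypothetical variable name
                value_from {
                  secret_key_ref {
                    name = "tenable-api"
                    key  = "secret_key"
                  }
                }
              }

              security_context {
                run_as_non_root            = true
                run_as_user                = 10001
                read_only_root_filesystem  = true
                allow_privilege_escalation = false
                capabilities {
                  drop = ["ALL"]
                }
              }

              resources {
                limits = {
                  cpu    = "1"
                  memory = "1Gi"
                }
              }
            }
          }
        }
      }
    }
  }
}
```

`concurrency_policy = "Forbid"` is the setting worth checking first on any scanner job: a scan that overruns its window would otherwise be started again on top of itself, doubling load on the targets and producing duplicate findings in Elasticsearch.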

Vulnerability Management Process

Entitle

We use Entitle as our permission management system.

Entitle - Permission management

Cloudflare Token

We use Cloudflare tokens to manage access to our Cloudflare account.