GitHub
Definition
GitHub is a web-based platform for hosting Git repositories and collaborating on them, so many developers can work on the same project at once. Git, the distributed version control system underneath, tracks changes to source code; GitHub adds pull requests, issues and GitHub Actions, its integrated CI/CD, whose workflows are YAML files under .github/workflows that run on the repository's events with a repository-scoped GITHUB_TOKEN. Because those workflows execute on every push or pull request they are configured for, their settings are part of the repository's security posture, as the two examples below show.
Secure Settings Example
# .github/workflows/secure-workflow.yml
name: Secure CI
on: [push, pull_request]
permissions:
  contents: read # GITHUB_TOKEN is read-only for this workflow; no step can push or write to the repository
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 1 # Shallow clone: the runner holds only the commit it builds, not the full history
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20' # A maintained LTS line, pinned so every run uses the same runtime
      - name: Install dependencies
        run: npm ci # Installs exactly what package-lock.json pins and fails if the lock file is out of date
      - name: Run tests
        run: npm test
      - name: Publish results
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: ./test-results
Insecure Settings Example
# .github/workflows/insecure-workflow.yml
name: Insecure CI
on: [push, pull_request]
# No permissions: block, so GITHUB_TOKEN keeps the repository's default scope for every step
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # Clones the full history, which no step here needs
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: 'latest' # Floats to whatever Node release is newest, so builds change without a commit
      - name: Install dependencies
        run: npm install # Resolves ranges from package.json and may rewrite package-lock.json, so installs drift between runs
      - name: Run tests
        run: npm test
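The two workflows above differ in a handful of lines, and a reviewer checking many repositories wants those lines flagged mechanically. The checker below is an added example written for this page; it is not GitHub's tooling and not part of either workflow. It scans a workflow file line by line (deliberately without a YAML library, so it runs stand-alone) for the settings the page contrasts: fetch-depth 0, a floating node-version, npm install instead of npm ci, and a missing permissions block. It also applies one check the page's secure example does not meet: an action referenced by a tag such as @v4 is a mutable ref, and only a 40-character commit SHA pins it. The embedded workflows are the page's two examples with comments and the test step removed.

```python
"""Line-based audit of GitHub Actions workflows for the settings this page
contrasts. Added example, not GitHub tooling; it avoids a YAML library so it
runs stand-alone, which means it reads lines rather than the document tree."""
import re
from typing import List

# "uses: owner/repo[/path]@ref"; local ("./x") and docker:// actions have no "@" here.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/\S*?)?@(\S+)")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FETCH_DEPTH_RE = re.compile(r"^\s*fetch-depth:\s*(\d+)")
NODE_VERSION_RE = re.compile(r"^\s*node-version:\s*['\"]?([^'\"\s]+)")
NAME_RE = re.compile(r"^\s*-?\s*name:")
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i)\b")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")
FLOATING_NODE = {"latest", "current", "node", "*"}


def strip_comment(line: str) -> str:
    """Drop a YAML comment ('#' at line start or after whitespace)."""
    return re.split(r"(?:^|\s)#", line, maxsplit=1)[0].rstrip()


def audit_workflow(text: str) -> List[str]:
    """Return one finding per weak setting, each tagged with its line number."""
    findings: List[str] = []
    has_permissions = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if m and not COMMIT_SHA_RE.match(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)} pinned to mutable ref '{m.group(2)}', not a commit SHA")
        m = FETCH_DEPTH_RE.match(line)
        if m and int(m.group(1)) == 0:
            findings.append(f"line {lineno}: fetch-depth 0 clones the full history")
        m = NODE_VERSION_RE.match(line)
        if m and m.group(1).lower() in FLOATING_NODE:
            findings.append(f"line {lineno}: node-version '{m.group(1)}' floats to the newest release")
        # Checked on every non-name line so 'run: |' block scalars are covered too.
        if not NAME_RE.match(line) and NPM_INSTALL_RE.search(line):
            findings.append(f"line {lineno}: 'npm install' may rewrite package-lock.json; use 'npm ci'")
    if not has_permissions:
        findings.append("workflow: no permissions block, so GITHUB_TOKEN keeps the repository default scope")
    return findings


# Constructed inputs: the two workflows from this page, comments and test step removed.
INSECURE_WORKFLOW = """\
name: Insecure CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: 'latest'
      - name: Install dependencies
        run: npm install
"""

SECURE_WORKFLOW = """\
name: Secure CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: npm ci
      - name: Publish results
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: ./test-results
"""

if __name__ == "__main__":
    for label, wf in (("insecure", INSECURE_WORKFLOW), ("secure", SECURE_WORKFLOW)):
        print(label, *audit_workflow(wf), sep="\n  ")
```

Run as a script it reports six findings for the insecure workflow and three for the secure one, all of the latter being the tag-pinned actions; replacing each @v4 with the action's full commit SHA (and keeping a comment with the tag for readability) is the remaining step to a clean report. The line-based approach is a simplification: a literal "#" inside a quoted run command is treated as a comment, and flow-style mappings on one line are not recognised, so treat it as a first pass rather than a parser-grade audit.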