Update trg-8-00.md
klaudiaZF authored Feb 23, 2024
1 parent a073b04 commit 8bfa754
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion docs/release/trg-8/trg-8-00.md
@@ -4,7 +4,7 @@ title: TRG 8.00 - Security Scanning Toolchain

| Status | Created | Post-History |
|--------|-------------|--------------------------------------|
| Active | 23-Feb-2024 | Initial release |
| Active | 26-Feb-2024 | Initial release |

## Why

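Review bot: the Created date in the status table moves from 23-Feb-2024 to 26-Feb-2024, which is three days after this commit's own date (Feb 23, 2024). If the column is meant to record when the TRG was created, the original value looks correct and this change should be reverted; if it records a planned publication date instead, the Post-History column ("Initial release") should say so, otherwise readers will not know which date the table is tracking.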
@@ -14,6 +14,26 @@ Our primary aim is to improve security and define best practices across the Trac

A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond.

### Emphasized Guidelines for Optimizing Security GitHub Actions

Following, here are specific guidelines and best practices for developers:

1.**Action Failures:** Actions should only fail if there is an error with the Action "Engine" itself or if there is a misconfiguration in the workflow. Failures should not occur based solely on high-severity findings.

2.**Manual Execution:** Include the on: workflow_dispatch option in all workflows. This allows you to manually trigger workflows whenever necessary.

3.**Scheduling Workflows:** Workflows should run frequently. Ideally, they should be set to execute once nightly. At a minimum, they should run once per week. Configure the on: schedule option to achieve this frequency.

4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option.

5.**Pull Requests (PRs):** It's not mandatory for workflows to run with every PR. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient.

6.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate.

7.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process.

By adhering to these guidelines, developers can efficiently integrate GitHub actions into their workflow, ensuring optimal security without compromising productivity.

:::caution

To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**.
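Review bot: the ordered-list markers in the new guidelines (`1.**Action Failures:**` through `7.**Issue Reporting:**`) have no space between the number and the bold text, so Markdown will not render them as a numbered list; write `1. **Action Failures:**` and so on. The YAML keys `on: workflow_dispatch` and `on: schedule` should be in backticks, and item 4 should say which exclude option is meant: it first forbids excluding files or directories from scans and then tells the reader to "configure the exclude option" for documentation pushes to main. If the intent is to skip the workflow trigger rather than narrow the scanner, naming the trigger-level filter (for example `paths-ignore` on the push event) would remove the ambiguity. Item 1 ("Failures should not occur based solely on high-severity findings") also sits next to the caution block requiring all critical, high and medium findings to be mitigated; a sentence stating that enforcement happens at the quality gate rather than by failing the workflow would reconcile the two.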
