{"id":13528137,"url":"https://github.com/slackhq/goSDL","last_synced_at":"2025-04-01T11:31:01.529Z","repository":{"id":46886759,"uuid":"121788829","full_name":"slackhq/goSDL","owner":"slackhq","description":"goSDL","archived":false,"fork":false,"pushed_at":"2022-11-24T15:31:37.000Z","size":97,"stargazers_count":525,"open_issues_count":18,"forks_count":83,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-03-29T11:02:51.120Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/slackhq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-02-16T18:59:42.000Z","updated_at":"2025-01-12T17:02:15.000Z","dependencies_parsed_at":"2023-01-22T13:31:24.544Z","dependency_job_id":null,"html_url":"https://github.com/slackhq/goSDL","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2FgoSDL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2FgoSDL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2FgoSDL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2FgoSDL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/slackhq","download_url":"https://codeload.github.com/slackhq/goSDL/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246631714,"owners_count":20808742,"icon_url":"https://github.com/github.png"
,"version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:02:14.324Z","updated_at":"2025-04-01T11:31:01.207Z","avatar_url":"https://github.com/slackhq.png","language":"PHP","funding_links":[],"categories":["PHP","Pre-commit time tools"],"sub_categories":[],"readme":"## goSDL\n\n### About\ngoSDL is a web application tool that serves as a self-service entry point for following a Security Development Lifecycle checklist in a software development project. This tool collects relevant information about the feature, determines the risk rating, and generates the appropriate security requirements. The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers. This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project.\n\n\n\nGoals:\n- Self service : Provide a self-service tool for a Project Lead or Developer to get a security checklist related to their project. \n- Specific : A Project Lead or Developer can pick and choose the specific components related to their project. The tool will tailor the checklist to their specific needs without providing unnecessary unrelated checklist items.\n- Standardize : The Security team can create a standardized risk assessment and checklist-related items throughout the organization. 
\n- Pluggable and customized components : JSON-based components that are easy to modify and update.\n\n\n### General Usage\n\n1. Midway through or near the end of a project, have a technical person complete the SDL form. \n\n2. After the initial risk assessment is completed, please complete the Component checklist on the next page. The person filling out this form should check anything that is relevant to the code / feature (language-wise and context-wise) and uncheck anything that *they know* will always be irrelevant to the project. It's OK to check more things than you need, as there's a way to \"uncheck\" them later.\n\n3. After the form is submitted, a JIRA ticket or Trello board will be created with the checklist items.\n\n4. The goal of the SDL is to have *everything* checked off. If there is an issue with one of the items, please feel free to ask the Security team for advice and steps on how to move forward. Ideally, a fully-completed SDL checklist will expedite the security review requirement.\n\n\n### Using Trello\n\nTrello is a web-based project management application that has powerful checklist support to enable you to organize your projects. \n\nTo use Trello as part of this tool, enable the Trello setting in `include/.env`. You also need to generate your Trello application key from https://trello.com/app-key. When using Trello, you don't need to specify any other setting in this file.\n\t\n\tTRELLO=true\n\tTRELLO_API_KEY=xxxxxxxxxxxxxx\n\t\nWhen the web page loads, it will require the user to authorize the app to get their access token to Trello. The output of this tool will create a link to a Trello board that contains security checklist items that can be used by the development team to follow the security guidelines.\n\n### Using JIRA Enterprise\n\nCurrently, this tool only supports JIRA Enterprise (on Premise) and doesn't support JIRA Cloud. 
This is because we need the support from ScriptRunner to create the additional REST API endpoint used to populate the checklist plugin. There are some Add-on dependencies required in your JIRA before using this tool:\n\n1. [ScriptRunner for Jira](https://marketplace.atlassian.com/plugins/com.onresolve.jira.groovy.groovyrunner/server/overview)\n\tRequired to create an additional JIRA API to update the custom checklist in a ticket.\n2. [Checklist for Jira](https://marketplace.atlassian.com/plugins/com.okapya.jira.checklist/server/overview)\n\tEnables the checklist custom field in JIRA tickets.\n\nSettings:\n1. Add a custom REST API in ScriptRunner.\n\t- Go to \"Administration\" -\u003e \"Script Runner\" -\u003e \"Custom Endpoint\"\n\t- Fill out the `inline script` with the script in `scriptrunner/Scriptrunner_REST_API.groovy`\n2. Create the checklist custom field for each individual SDL component. These custom fields will be used as a placeholder template for the security checklist items.\n\t- Go to \"Administration\" -\u003e \"Issue\" -\u003e \"Custom Fields\" -\u003e \"add custom field\"\n\t- Enter \"SDL General\" as the name. Configure the checklist custom field to not have a default option. You can also associate the new checklist custom field with a specific issue type.\n\t- Also note your custom field id when configuring the new custom field. You can get the id # from the URL (e.g. https://your_domain.com/secure/admin/ConfigureCustomField!default.jspa?customFieldId=11909). The custom field id in this sample is \"customfield_11909\". This value is required when setting the `.env`.\n\t- Later you need to update your JIRA screen to include this new checklist custom field.\n\tPlease reach out to your JIRA administrator to get more information on how to set up your project with a custom checklist.\n\n3. 
After setting up your project, you need to set the `.env` file.\n\tSample file:\n\t```\n\tJIRA_USERNAME=username\n\tJIRA_PASSWORD=password\n\n\tJIRA_PROJECT=PRODSEC\n\tJIRA_URL=\"https://your_domain.com\"\n\n\tJIRA_GENERAL_FIELD=customfield_111\n\tJIRA_LANGUAGE_FIELD=customfield_112\n\tJIRA_NATIVE_FIELD=customfield_113\n\tJIRA_PARSING_FIELD=customfield_114\n\tJIRA_WEB_FIELD=customfield_115\n\tJIRA_THRIDPARTY_FIELD=customfield_116\n\tJIRA_LEGAL_FIELD=customfield_117\n\tJIRA_QA_FIELD=customfield_118\n\t```\n\tDescription:\n\t- JIRA_USERNAME : username of your JIRA account. It is highly recommended to use a service account in your JIRA \n\t- JIRA_PASSWORD : your JIRA account password\n\n\t- JIRA_PROJECT : your JIRA project key (e.g. PRODSEC)\n\t- JIRA_URL : your JIRA Enterprise API URL (e.g. JIRA_URL=\"https://your_domain.com\")\n\n\t- JIRA_GENERAL_FIELD : checklist custom field for SDL General (e.g. customfield_11909)\n\t- JIRA_LANGUAGE_FIELD : checklist custom field for SDL Language\n\t- JIRA_NATIVE_FIELD : checklist custom field for SDL Native Clients\n\t- JIRA_PARSING_FIELD : checklist custom field for SDL Parsing\n\t- JIRA_WEB_FIELD : checklist custom field for SDL Web\n\t- JIRA_THRIDPARTY_FIELD : checklist custom field for SDL Third Party and External\n\t- JIRA_LEGAL_FIELD : checklist custom field for SDL Legal \u0026 Policy\n\t- JIRA_QA_FIELD : checklist custom field for SDL QA\n\n\n### Usage\n1. `git clone git@github.com:slackhq/goSDL.git`\n\n2. `composer install`\n\n3. `cp include/env-sample include/.env` then modify the `.env` settings to fit your environment.\n\n\t```\n\tTRELLO=true\n\tTRELLO_API_KEY=\n\n\tJIRA_USERNAME=\n\tJIRA_PASSWORD=\n\n\tJIRA_PROJECT=\n\tJIRA_URL=\n\n\tJIRA_GENERAL_FIELD=\n\tJIRA_LANGUAGE_FIELD=\n\tJIRA_NATIVE_FIELD=\n\tJIRA_PARSING_FIELD=\n\tJIRA_WEB_FIELD=\n\tJIRA_THRIDPARTY_FIELD=\n\tJIRA_LEGAL_FIELD=\n\tJIRA_QA_FIELD=\n\t```\n\n4. `cd www`\n\n5. `php -S localhost:8000`\n\n6. Visit http://localhost:8000/sdl.php\n\n### Usage with docker\n1. 
Build locally: `docker build -t gosdl .`\n\n2. Run it: `docker run -ti --rm --env-file \u003cyour dotenv\u003e -p 8080:8080 gosdl`\n\n3. Visit http://localhost:8000/sdl.php\n\n### Customize the checklist contents\nFollow this [guide](https://github.com/slackhq/goSDL/tree/master/www/sdl) to understand the structures of the SDL contents. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslackhq%2FgoSDL","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslackhq%2FgoSDL","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslackhq%2FgoSDL/lists"}