In this article, I'd like to propose best practices and discuss how maintainers and developers can adopt DevSecOps tools for open source projects to improve their security posture.
The post covers the following topics and takes a deep dive into each:
- Adopt a responsible security disclosure policy and include it in your projects as part of your security guidelines.
- Establish a security process and security guidelines.
- Ensure all maintainers and collaborators have two-factor authentication (2FA) enabled for both GitHub and the npm registry.
- Prevent sensitive information exposure by using git pre-commit hooks that stop developers from committing passwords and other secrets to a repository, so they never reach a push.
- Integrate open source dependency scanning and remediation into the git workflow to catch known security vulnerabilities in third-party open source packages. Integrating Snyk into the git workflow is one way to do this.
- Use Snyk Advisor to search and compare over 1 million open source packages on the npm registry and choose the right npm package.
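As an added worked example for the pre-commit hook point above (my own code, not the article's or Snyk's), here is a minimal POSIX shell pre-commit hook that scans the lines being added in the staged diff for credential-shaped strings and refuses the commit if any match. The pattern list, the `allow-secret` opt-out marker, the `--demo` switch, and the sample diff are assumptions of this example, not anything the article specifies.

```shell
#!/bin/sh
# Added example, not code from the article or from Snyk: a minimal git
# pre-commit hook that scans the lines being ADDED by the staged changes for
# strings that look like credentials and refuses the commit if any match.
# Install as .git/hooks/pre-commit and make it executable. The pattern list and
# the "allow-secret" opt-out marker are conventions of this example only; a
# dedicated scanner (gitleaks, detect-secrets, ...) covers far more cases.

# Extended regexes, matched case-insensitively: AWS access key id, PEM private
# key header, GitHub personal access token, Slack token, and a generic
# "<keyword> = <long value>" assignment.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}'
SECRET_PATTERNS="$SECRET_PATTERNS|-----BEGIN (RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"
SECRET_PATTERNS="$SECRET_PATTERNS|ghp_[A-Za-z0-9]{36}"
SECRET_PATTERNS="$SECRET_PATTERNS|xox[abp]-[0-9A-Za-z-]{10,}"
SECRET_PATTERNS="$SECRET_PATTERNS|(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}"

# Reads a unified diff on stdin. Inspects only '+' lines (additions), tracks the
# current file from the '+++ b/<path>' headers, skips lines carrying the
# allow-secret marker, and reports each hit on stderr. Returns 1 if anything
# matched, 0 otherwise.
scan_for_secrets() {
    file='?'
    found=0
    while IFS= read -r line; do
        case "$line" in
            '+++ '*) file=${line#+++ }; file=${file#b/}; continue ;;
            '+'*)    added=${line#+} ;;
            *)       continue ;;
        esac
        case "$added" in *allow-secret*) continue ;; esac
        if printf '%s\n' "$added" | grep -Eiq "$SECRET_PATTERNS"; then
            found=1
            # Report the location but only the first 20 characters of the line,
            # so the hook itself does not echo the full secret into the terminal.
            printf 'pre-commit: possible secret in %s: %.20s...\n' "$file" "$added" >&2
        fi
    done
    return "$found"
}

# Constructed sample diff (not from any real project) for trying the scanner
# without a repository:  sh pre-commit --demo
SAMPLE_DIFF='--- a/config.js
+++ b/config.js
@@ -1,2 +1,4 @@
+const apiKey = "AKIAIOSFODNN7EXAMPLE";
+const token = "ghp_0123456789abcdef0123456789abcdef0123"; // allow-secret
+const region = "us-east-1";
-const legacy = 1;'

if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIFF" | scan_for_secrets
elif [ "$(basename "$0")" = "pre-commit" ]; then
    # Running as the hook: -U0 drops unchanged context so only additions are
    # scanned; --diff-filter excludes deletions, which cannot add a secret.
    git diff --cached -U0 --no-color --diff-filter=ACMR | scan_for_secrets || {
        echo 'Commit blocked. Remove the secret (and rotate it if it was ever real),' >&2
        echo 'or append "allow-secret" to the line if it is a deliberate placeholder.' >&2
        exit 1
    }
fi
```

Two caveats worth keeping in mind: hooks under `.git/hooks` are per-clone and are not versioned, so every contributor has to install the hook themselves (or via a hook manager), which is why a client-side hook is defence in depth rather than a replacement for a scan that runs in CI or on the server. And because git history retains everything that was ever committed, a secret that slips past the hook has to be rotated, not just deleted in a follow-up commit.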