Security Onboarding 🧑‍💻

Setup

• Set up your local development environment. [If you encounter any issues, ask for help in #dev-chat and then update the documentation to reflect the resolution (so the next engineer that we hire doesn’t run into the same problem)]
  • Setup SG tool
• Configure your GitHub notifications:
  • Request access to Sourcegraph organization
  • Because we are an all-remote company and favor asynchronous communication, it is important to configure your notifications correctly so that you receive and read notifications that are important (e.g. someone makes a comment on one of your PRs, someone adds you as a reviewer to a PR) without being overwhelmed by notifications that don’t involve you.
• Add Sourcegraph as a browser search engine.
  • To search our private code, log in to our internal dogfood instance (k8s.sgdev.org) and add another entry: https://k8s.sgdev.org/search?q=%s.
• Request access to the services below via the listed teams:
  • GCP
    • IT-Tech-Ops
  • Buildkite
    • Self-serve via google auth
  • Sourcegraph Github repo
    • IT-Tech-Ops
  • Cloudflare
    • Security
• Setup the google cloud CLI tool and authenticate.
  • That is needed for terraform and kubectl.
• Set up Terraform
• Connect to dogfood with kubectl.
  • For prod and other clusters it’s just a matter of adding the other kubeconfigs
• Get accustomed to Buildkite
• Download and setup Burpsuite community edition on your laptop
  • You can use this Burp project already configured for Sourcegraph

• Secret Rotation:
  • It’s a common ask of the Security team to rotate or help rotate production secrets. We have extensive documentation about Secret Management at Sourcegraph. Don’t worry about how to create new secrets unless you’re interested in the setup. For now what matters is focusing on the Rotating Secrets and Secret Types sections.
  • The goal is rotating two production secrets. You can choose any in these categories:
    • A secret in sourcegraph.com site-config: Sourcegraph instances may contain secrets such as OAuth creds in the site-config file. Choose one secret from dotcom’s site-config and rotate. Hint: Avoid the GitLab OAuth creds - go for GitHub OAuth or SMTP credentials.
    • Any secret in our production pods or CI: Besides site-config, it’s important to know how to rotate secrets that we use as env vars in our pods. Look for any secrets that you think are a good idea to rotate in the deploy-sourcegraph-dotcom or infrastructure repositories. This search can serve as a starting point to find some secrets to rotate.
  • This requires having completed the set up part of your Security onboarding. Dig through our code, GCP, 1Password and especially the Secret Management doc.

• Valuable docs:
  • Docs.sourcegraph.com
  • Secret Management Doc
  • Sourcegraph demo video

Acceptance Criteria

• You are able to run Sourcegraph code locally with dev-private
• You are able to run tf plan on the sourcegraph/infrastructure repository
• You are able to kubectl into our clusters
• Complete hands on tasks assigned to you as a starter task
• Capture traffic via Burpsuite for analysis
• Rotated secrets per instructions above