Adherence check - Code safeguards enabled
Problem to solve
In the field of DevOps metrics, the "DORA Four" metrics are increasingly popular. In the field of compliance, the "SOC2 Starting Seven" is a similar, newer idea.
Proposal
Using the following criteria from the "Starting Seven", we can add SOC2 adherence checks to the compliance adherence report:
- Code safeguards enabled.
- Deployed branch is a protected branch.
- Deployed branch only changed via Merge Requests.
- Merge Requests must be approved by a non-author before merge.
- Deployment is automated.
Implementation Plan
Copied from the comment below.
- Assume that the project's default branch is the deployed branch.
- With that assumption, the checks above can be evaluated as follows:
  - Deployed branch is a protected branch: check whether the default branch is covered by a protected-branch rule.
  - Deployed branch only changed via Merge Requests: check that the default branch is protected against direct pushes (push access allowed to "No one"), so changes can only land through merge requests.
  - Merge Requests must be approved by a non-author before merge: a combination of "Prevent authors as approvers" AND "Prevent committers as approvers" AND "At least two approvals" (this can probably be relaxed to "at least one approval" in this case).
  - Deployment is automated: drop this check, as we have no direct way to infer it from project settings.
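To make the mapping above concrete, here is an added example (not GitLab's implementation) that evaluates the three retained checks against a project's settings. The input dictionaries follow the field names of the GitLab REST API responses for `GET /projects/:id`, `/projects/:id/protected_branches`, `/projects/:id/approvals` and `/projects/:id/approval_rules`, but all values are constructed sample data; the function and variable names are this example's own. It goes slightly beyond the plan in two places: protected-branch names may contain `*` wildcards, and when several rules match a branch the most permissive one wins, so the "only via merge requests" check requires every matching rule to block pushes.

```python
"""Evaluate the proposed SOC2 adherence checks for one project.

Added example, not GitLab code.  Dictionaries mirror the shape of the
GitLab REST API responses; the values are constructed sample data."""
import re

NO_ACCESS = 0  # GitLab access level meaning "No one"

# --- constructed sample data (made-up values, GitLab API field names) ---
PROJECT = {"id": 42, "default_branch": "main"}

PROTECTED_BRANCHES = [
    {   # nobody may push: changes only arrive through merge requests
        "name": "main",
        "push_access_levels": [{"access_level": 0, "access_level_description": "No one"}],
        "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}],
        "allow_force_push": False,
    },
    {   # wildcard rule that still lets maintainers push directly
        "name": "release-*",
        "push_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}],
        "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}],
        "allow_force_push": False,
    },
]

APPROVAL_SETTINGS = {
    "merge_requests_author_approval": False,             # "Prevent authors as approvers" on
    "merge_requests_disable_committers_approval": True,  # "Prevent committers as approvers" on
    "reset_approvals_on_push": True,
}

APPROVAL_RULES = [
    {"name": "All Members", "rule_type": "any_approver", "approvals_required": 1},
]


def branch_matches(pattern: str, branch: str) -> bool:
    """Protected-branch names may contain '*' wildcards; '*' matches any run
    of characters (including '/'), everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, branch) is not None


def matching_protections(protected_branches, branch):
    return [p for p in protected_branches if branch_matches(p["name"], branch)]


def check_branch_protected(project, protected_branches) -> bool:
    """Deployed branch is a protected branch (assumption: deployed == default)."""
    return bool(matching_protections(protected_branches, project["default_branch"]))


def check_only_via_merge_requests(project, protected_branches) -> bool:
    """No direct pushes: every rule matching the branch must grant push access
    to nobody.  Fails closed when the branch is unprotected or a rule carries
    no push access levels at all."""
    rules = matching_protections(protected_branches, project["default_branch"])
    if not rules:
        return False  # unprotected: anyone with write access can push
    for rule in rules:
        levels = rule["push_access_levels"]
        if not levels:
            return False
        for level in levels:
            # a role above "No one", or a specific user/group, can push directly
            if level["access_level"] != NO_ACCESS or level.get("user_id") or level.get("group_id"):
                return False
    return True


def check_non_author_approval(settings, rules, min_approvals: int = 1) -> bool:
    """Author and committers cannot approve their own MR, and some rule
    demands at least `min_approvals` approvals (the plan proposes one;
    pass min_approvals=2 for the stricter variant)."""
    if settings.get("merge_requests_author_approval", True):
        return False
    if not settings.get("merge_requests_disable_committers_approval", False):
        return False
    return any(rule["approvals_required"] >= min_approvals for rule in rules)


def evaluate_soc2_checks(project, protected_branches, settings, rules, min_approvals=1):
    """The 'deployment is automated' check is deliberately absent: nothing in
    the project settings lets us infer it, so the plan drops it."""
    return {
        "deployed_branch_protected": check_branch_protected(project, protected_branches),
        "deployed_branch_only_via_merge_requests": check_only_via_merge_requests(project, protected_branches),
        "non_author_approval_required": check_non_author_approval(settings, rules, min_approvals),
    }


if __name__ == "__main__":
    results = evaluate_soc2_checks(PROJECT, PROTECTED_BRANCHES, APPROVAL_SETTINGS, APPROVAL_RULES)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

With the sample data all three checks pass for `main`; switching the default branch to `release-1` shows the subtlety the wildcard rule introduces: the branch is protected, yet maintainers can still push, so the "only via merge requests" check fails. Note that an `any_approver` rule with one required approval combined with the two "prevent" settings is what makes the approval check pass; a code-owner rule with `approvals_required` of 0 would not.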
Edited by Huzaifa Iftikhar