From c3bfd543fd98800f3d0ec2eae6414c60e6a7203b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Salvador=20P=C3=A9rez=20Garc=C3=ADa?= Date: Mon, 17 Nov 2025 15:55:03 +0100 Subject: [PATCH 1/4] MB-88: Define security checks to perform on projects --- .../security/periodical_maintenance_tasks.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/guides/security/periodical_maintenance_tasks.md b/guides/security/periodical_maintenance_tasks.md index 5b1cfa6..37b3ddb 100644 --- a/guides/security/periodical_maintenance_tasks.md +++ b/guides/security/periodical_maintenance_tasks.md @@ -12,12 +12,15 @@ There are static analysis tools to automatically detect CVEs and other vulnerabi [Snyk](https://snyk.io/) is one such tool. It is cross-platform and allows detecting vulnerabilities in several language runtimes, in Docker images, Infrastructure-as-Code definitions, and Open Source dependencies. +We will also check the dependency scanner built in GitHub or GitLab. + There are other platform-specific solutions that can also be very useful and complete the more generic scans. ### Rails - [Brakeman](https://brakemanscanner.org/) can scan for several vulnerabilities on Rails projects. It can be used in a Github Action to run on every pull request, run as a git commit hook, or run manually on the demand from the command line. - [Bundler-audit](https://github.com/rubysec/bundler-audit) can find vulnerable library versions and provide an upgrade path to a secure version. +- Ruby version check: Ensure the apps run on a supported Ruby version. ### Next.js 
@@ -34,10 +37,19 @@ There are other platform-specific solutions that can also be very useful and com - Review authentication and session setup regularly: - Ensure cookies are `HttpOnly`, `Secure`, `SameSite=Lax` and rotated on login. - For Server Actions, set `serverActions.allowedOrigins` when behind proxies and keep `NEXT_SERVER_ACTIONS_ENCRYPTION_KEY` configured in self-hosted setups. +- Ensure that the application runs on a supported Node version. +- Tools or lint rules should flag: + - Any usage of dangerouslySetInnerHTML without sanitization + - Dynamic calls to child_process + - Dynamic require() using untrusted data + - Unvalidated users or session access ### Docker - [Docker scout](https://docs.docker.com/scout/) can be used to detect CVEs in all the layers of a Docker image. +- _docker scan_ or platform-provided scanners +- Snyk container scanning +- Make sure the containers are built on top of OS images that are still supported and receiving security upgrades. ## Remove obsolete 3rd party integrations 
@@ -104,3 +116,26 @@ Often an application will need to interact with the cloud provider. The most com ## Web application on production and pre-production environments Make sure only people working on the project have access to the application (in any of its environments). This usually translates into checking the admin users on the application, but it may be other types of user accounts or access methods. + +## Logging, Monitoring & Alerts + +Check that: + +- Sensitive data is filtered from logs: + - passwords, tokens, credit cards, secrets +- Alerts exist for: + - login failures +- unusual traffic patterns + - spikes in 4xx/5xx errors +- Logs are retained securely and access is controlled +- Audit logs (if present) are reviewed periodically + +## Dependency & Runtime Updates (All Stacks) + +Make sure: + +- Base images updated (for Docker) +- Frameworks updated (Rails, Next.js) +- Libraries and runtime dependencies upgraded +- EOL/runtime versions are not in use +- CI/CD pipeline has the latest scanning tools enabled From 6573a08ca94943e049beafd210bde916d4629cd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Salvador=20P=C3=A9rez=20Garc=C3=ADa?= Date: Mon, 17 Nov 2025 15:58:00 +0100 Subject: [PATCH 2/4] fix syntax issue --- guides/security/periodical_maintenance_tasks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/periodical_maintenance_tasks.md b/guides/security/periodical_maintenance_tasks.md index 37b3ddb..c9e36d3 100644 --- a/guides/security/periodical_maintenance_tasks.md +++ b/guides/security/periodical_maintenance_tasks.md @@ -130,7 +130,7 @@ Check that: - Logs are retained securely and access is controlled - Audit logs (if present) are reviewed periodically -## Dependency & Runtime Updates (All Stacks) +## Dependency & Runtime Updates (All Stacks) Make sure: From 9bf5f0359c6188b97e03b05e7ec0adadfa353819 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Juan=20Salvador=20P=C3=A9rez=20Garc=C3=ADa?= Date: Thu, 20 Nov 2025 15:17:46 +0100 Subject: [PATCH 3/4] PR Review comments --- guides/security/periodical_maintenance_tasks.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/guides/security/periodical_maintenance_tasks.md b/guides/security/periodical_maintenance_tasks.md index c9e36d3..d447f04 100644 --- a/guides/security/periodical_maintenance_tasks.md +++ b/guides/security/periodical_maintenance_tasks.md @@ -12,7 +12,7 @@ There are static analysis tools to automatically detect CVEs and other vulnerabi [Snyk](https://snyk.io/) is one such tool. It is cross-platform and allows detecting vulnerabilities in several language runtimes, in Docker images, Infrastructure-as-Code definitions, and Open Source dependencies. -We will also check the dependency scanner built in GitHub or GitLab. +We will also check the dependency scanner built in GitHub. Check the [Dependant bot quickstart guide](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) on further details about how to configure it in your repository. There are other platform-specific solutions that can also be very useful and complete the more generic scans. 
@@ -39,10 +39,12 @@ There are other platform-specific solutions that can also be very useful and com - For Server Actions, set `serverActions.allowedOrigins` when behind proxies and keep `NEXT_SERVER_ACTIONS_ENCRYPTION_KEY` configured in self-hosted setups. - Ensure that the application runs on a supported Node version. - Tools or lint rules should flag: - - Any usage of dangerouslySetInnerHTML without sanitization - - Dynamic calls to child_process + - Any usage of dangerouslySetInnerHTML without sanitization: + - eslint-plugin-react has react/no-danger + - Dynamic calls to child_process: + - eslint-plugin-security has security/detect-child-process - Dynamic require() using untrusted data - - Unvalidated users or session access + - eslint-plugin-import has import/no-dynamic-require ### Docker From 836ea4cd2adcda3ffe96ca7962ba1fa8085630dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Salvador=20P=C3=A9rez=20Garc=C3=ADa?= Date: Thu, 20 Nov 2025 15:18:51 +0100 Subject: [PATCH 4/4] Fix typo --- guides/security/periodical_maintenance_tasks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/periodical_maintenance_tasks.md b/guides/security/periodical_maintenance_tasks.md index d447f04..57ddc4e 100644 --- a/guides/security/periodical_maintenance_tasks.md +++ b/guides/security/periodical_maintenance_tasks.md 
@@ -12,7 +12,7 @@ There are static analysis tools to automatically detect CVEs and other vulnerabi [Snyk](https://snyk.io/) is one such tool. It is cross-platform and allows detecting vulnerabilities in several language runtimes, in Docker images, Infrastructure-as-Code definitions, and Open Source dependencies. -We will also check the dependency scanner built in GitHub. Check the [Dependant bot quickstart guide](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) on further details about how to configure it in your repository. +We will also check the dependency scanner built in GitHub. Check the [Dependant bot quickstart guide](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) on further details on how to configure it in your repository. There are other platform-specific solutions that can also be very useful and complete the more generic scans.
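Review bot: In the first hunk of PATCH 1/4 (@@ -12,12 +12,15), the added sentence "We will also check the dependency scanner built in GitHub or GitLab." is too vague to act on: it names neither the scanner nor how a maintainer enables it, and "built in" should read "built into". Name the feature (Dependabot alerts on GitHub) and link its setup guide so the check is reproducible, which is what the later hunks in this series start to do.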
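Review bot: In the Docker list of the second hunk of PATCH 1/4 (@@ -34,10 +37,19), "+- _docker scan_ or platform-provided scanners" recommends a command that Docker has deprecated in favour of Docker Scout, which the bullet just above already links; drop it, or make the bullet about the platform-provided scanners only. "+- Snyk container scanning" repeats the Snyk recommendation from the top of the guide and could point back to it instead. In the Next.js list, "+  - Unvalidated users or session access" is not something a lint rule can flag as written; either name the check or move it under the existing "Review authentication and session setup regularly" item. The italic _docker scan_ also breaks with the backtick code style used elsewhere in the file (`HttpOnly`, `serverActions.allowedOrigins`).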
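Review bot: In the third hunk of PATCH 1/4 (@@ -104,3 +116,26), "+- unusual traffic patterns" sits at the top level while its siblings "login failures" and "spikes in 4xx/5xx errors" are nested under "Alerts exist for:", so the rendered list reads as if unusual traffic were a separate check; indent it two spaces to match. "+- EOL/runtime versions are not in use" reads as two different things; "EOL runtime versions are not in use" says what is meant. The "Sensitive data is filtered from logs" item would be easier to verify consistently if it named, per stack, the configuration a maintainer should inspect rather than only the categories of data.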
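Review bot: The single hunk of PATCH 2/4 (@@ -130,7 +130,7) replaces the "## Dependency & Runtime Updates (All Stacks)" heading with a line that is visually identical, so the change is only visible in a byte-level view; the commit message "fix syntax issue" should say which character was replaced (presumably a non-breaking space or similar stray character) so future readers of the history understand it, and the fix could be squashed into PATCH 1/4, which introduced the line.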
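Review bot: In the first hunk of PATCH 3/4 (@@ -12,7 +12,7), the new sentence misspells the product as "Dependant bot"; the linked URL itself says dependabot-quickstart-guide, so the link text should read "Dependabot quickstart guide". The sentence also still says "built in GitHub" (read: "built into GitHub"), and because this version drops GitLab, the guide no longer says what to check on GitLab-hosted projects; either state that the guide assumes GitHub or add the GitLab equivalent.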
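Review bot: In the second hunk of PATCH 3/4 (@@ -39,10 +39,12), the rule names should be in backticks (`react/no-danger`, `security/detect-child-process`, `import/no-dynamic-require`) to match the code style used for `HttpOnly` and `serverActions.allowedOrigins` in the surrounding context. Two of the mappings promise more than the rules deliver and the text should say so: `react/no-danger` reports every use of dangerouslySetInnerHTML, sanitized or not, so a hit needs triage rather than being treated as a vulnerability, and `security/detect-child-process` flags child_process usage and non-literal exec() calls generally rather than only dynamic calls. The hunk also removes "Unvalidated users or session access" without a replacement; if the intent is that no lint rule covers it, a pointer to the "Review authentication and session setup regularly" item above would keep the check from being lost.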
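Review bot: The hunk of PATCH 4/4 (@@ -12,7 +12,7) is titled "Fix typo" but only changes "about" to "on", while the actual typo in the same line, "Dependant bot" for Dependabot, is left in place; fix it in this commit, and consider squashing this and PATCH 2/4 into the commits they correct so the series reads as one change per commit.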