Hi folks, as part of the Node.js Security initiative we have created a table of access per group based on the available roles under the Node.js org. We'd like to get some feedback/review. Feel free to edit the table if you think something is wrong (I can read the history and update our hackmd table).
The idea is to have a table of permissions and then look at the threats each role has and their impact on the nodejs organization.
Access per Group
Levels: (-) none, (r) read, (w) write, (a) admin/owner (inspiration from https://mason.gmu.edu/~montecin/UNIXpermiss.htm)
Additional notes:
- While some teams can have access to a resource, like the secrets, they might have different access levels internally based on sub-groups.
- Some individuals and teams have access such as write in different GitHub repositories in the org, like Working Groups or subteams.
Note
¹ - All repositories with code that gets published or has some impact on nodejs/core
² - Releasers have access to run CI during CI Embargo (Security Release)
Resource | External people | Contributors - Core/Triagers/WG | Build - Test/Infra/Admin | Admin - TSC/Releasers/Moderation | Security Stewards/Triagers/External | GitHub - Actions/Plugins |
---|---|---|---|---|---|---|
HackerOne | - | --- | --- | aw- | www | -- |
MITRE | - | --- | --- | a-- | w-- | -- |
private/node-private | - | --- | www | aw- | w-w | -- |
private/security-release | - | --- | --- | a-- | ww- | -- |
private/secrets | - | --- | www | a-- | --- | -- |
nodejs/node | r | wrr | rrw | awa | rrr | wr |
nodejs/deps¹ | r | rrr | rrw | arr | rrr | wr |
nodejs/build (GH) | r | rrr | rrw | awa | rrr | wr |
nodejs/node-core-utils | r | rrr | rrw | awa | rrr | wr |
npm account | - | --- | -a- | a-- | --- | -- |
Jenkins CI - test | r | ww- | wwa | -w²- | --- | ww |
Jenkins CI - release | - | --- | -ww | -w- | --- | -- |
Infra - test | - | w-- | aaa | ww- | -w- | ww |
Infra - release | - | --- | -ww | -w- | --- | -- |
Build infra | - | --- | -a- | --- | --- | -- |
Website Infra | - | --- | -a- | a-- | --- | -- |
Youtube | - | --w | --- | a-- | --- | -- |
Zoom | r | rrw | --- | a-- | --- | -- |
1Password | - | --r | --- | a-- | --- | -- |
Social media accounts | - | --- | --- | --- | --- | -- |
Email (nodejs-sec) | r | rrr | rrr | awr | wrr | rr |
Email (io.js aliases) | r | --- | -a- | w-- | --- | -- |
Repos under nodejs which do not include code are not covered, as they cannot lead to the threats listed.
pkgjs.org is excluded as it does not include code/repos that make it into the Node.js binaries.