GITHUB SCOPES
FIPS 140-3 cryptography; cyclomatic complexity below 10; algorithmic time complexity no worse than O(n log n)
| Criteria | Details |
|---|---|
| Efficiency | TypeScript code must be efficient, reusable, and modular, with a cyclomatic complexity below 10 per function. |
| Security & Governance | Code must enforce security policies, governance standards, and rollback scenarios. |
| Code Complexity | Cyclomatic complexity must be below 10 per function; algorithmic time complexity must be no worse than O(n log n). |
| Linted | Code must be linted with Deno Lint or ESLint. |
| Commit Hooks | Code must be validated by pre-commit and pre-push hooks run by Lefthook using Orchestras Templates. |
| DevContainer | Code must maintain an active DevContainer. |
| Branch Protection | Branch protection rules must be enabled for all repositories. |
| Coverage | Code should have at least 80% unit-test coverage and 50% integration-test coverage. |
| Portable | Code should follow the Twelve-Factor App methodology. |
| Reviewable | Code should be reviewable and run through Copilot AI code review. |
| Checking | Deno code should pass compile-time type checking (deno check) before a binary is built with deno compile. |
| Versioned | Code should be versioned with SemVer and implement auto-bump and .semver files. |
| README | A README should be created and contain a logical diagram. |
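
The complexity threshold in the table above is enforced by ESLint's built-in `complexity` rule, whose default ceiling is 20, so it must be lowered explicitly. The following `.eslintrc.yml` is an added example, not a configuration from the original page or from Orchestras Templates; it assumes ESLint 8's legacy eslintrc format (YAML, as the page prefers) with the `@typescript-eslint` parser and plugin installed:

```yaml
# .eslintrc.yml (added example; assumes ESLint 8 legacy eslintrc format
# and the @typescript-eslint parser/plugin packages are installed)
root: true
parser: "@typescript-eslint/parser"
parserOptions:
  ecmaVersion: 2022
  sourceType: module
plugins:
  - "@typescript-eslint"
extends:
  - eslint:recommended
  - plugin:@typescript-eslint/recommended
rules:
  # ESLint's default for `complexity` is 20. The standard above is
  # "below 10", so the maximum allowed cyclomatic complexity is 9:
  # a function that reaches 10 fails lint and therefore the commit hook.
  complexity:
    - error
    - max: 9
```

Run it with `npx eslint --ext .ts src/` locally or from the pre-commit hook; ESLint 9 reads `eslint.config.js` by default and needs `ESLINT_USE_FLAT_CONFIG=false` to honour this YAML file.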

| Task | Requirement |
|---|---|
| Code Review | Must be reviewed and validated for efficiency and compliance. |
| Security Checks | Governance and security enforcement must be validated through automated tests and quality-scanning systems such as Checkov and Trunk. |
| Documentation | Workflow execution must be documented in Confluence (DevOps BestPractice DevSecOps). |
| SAST | Secret scanning (TruffleHog), SAST (SonarQube or Trunk) and dependency CVE scanning (Black Duck) should run at check-in. |
| FIPS-140-3 | SSH keys and GitHub tokens must be protected with FIPS 140-3 validated cryptography. All secrets must be encrypted and scanned for high-entropy strings; keys must be password-protected and stored in KeeBase with incremental backup. |
| Transcrypt | Transcrypt must be used for local secrets, with its password protected by ssh-agent and GnuPG keys (transcrypt itself encrypts repository files symmetrically with OpenSSL). The public key is stored at .semver.author.gpg.tag. |
| Vault | Secrets that traverse the network must always be stored in Ansible Vault or Azure Key Vault. |
| YAML | YAML is preferred over JSON. |
| DORA | Reporting should implement DORA metrics and GitHub Self Actuated Metrics. |
| 12-Factor | All code and documentation should adhere to the Twelve-Factor App methodology. |
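
The Linted, Commit Hooks, Coverage and Checking rows of the first table and the SAST row of the second come together in the Lefthook configuration that runs on every commit and push. The following `lefthook.yml` is an added example and is not the Orchestras Templates the page refers to; it assumes a Deno project whose entry module is `src/main.ts`, that the `deno` and `trufflehog` (v3) binaries are on PATH, and it uses Lefthook's `{staged_files}` placeholder so the lint and format steps only see the files being committed:

```yaml
# lefthook.yml (added example; assumes a Deno project with entry src/main.ts
# and TruffleHog v3 installed; not the Orchestras Templates)
pre-commit:
  parallel: true
  commands:
    lint:
      glob: "*.ts"
      run: deno lint {staged_files}
    fmt:
      glob: "*.ts"
      run: deno fmt --check {staged_files}
    secrets:
      # Scan the working tree for secrets introduced since HEAD; --fail makes
      # TruffleHog exit non-zero on a verified secret, which blocks the commit.
      run: trufflehog git file://. --since-commit HEAD --only-verified --fail

pre-push:
  commands:
    typecheck:
      # Compile-time type check of the whole module graph before anything is
      # pushed (the same check `deno compile` performs when building a binary).
      run: deno check src/main.ts
    test:
      # Run the test suite with coverage profiling and print the report.
      run: deno test --coverage=cov && deno coverage cov
```

Run `lefthook install` once per clone; afterwards `git commit` executes the pre-commit block and `git push` the pre-push block. The coverage step only prints the report, so the 80% unit / 50% integration floors should also be enforced in CI if the installed Deno version's `deno coverage` has no threshold option.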