Profile Applicability:
Level 1
Description:
All forks or copies of the code repository must be tracked, monitored, and accounted for within the organization. This includes maintaining an inventory of forks, understanding their purpose, and ensuring they comply with organizational policies on security, licensing, and data handling.
Rationale:
Tracking all forks helps prevent uncontrolled code divergence, unauthorized distribution, or security risks stemming from unmanaged copies. It supports intellectual property protection, compliance with licensing terms, and governance over code dissemination.
Impact:
Pros:
Enhances oversight of code distribution and usage.
Reduces risks from unauthorized or outdated forks.
Supports compliance with licensing and data policies.
Facilitates security monitoring of all code copies.
Cons:
Requires continuous monitoring and inventory management.
May introduce overhead in managing forks and communications.
Default value:
Hosting platforms keep no central inventory of forks: any user with read access to a repository can fork it (subject to the platform's and the organization's forking settings), and each fork is created and managed independently of the source repository.
Audit:
Enumerate the forks of each organization repository using the platform's fork listing (the repository's forks view or API) and its audit logs, and compare the result against the organization's fork inventory. Verify that every fork is registered with an owner and purpose, that fork owners are known to the organization, and that each fork complies with policy requirements. Where policy restricts forking of private repositories, confirm that the organization's forking setting enforces that restriction.
Remediation:
Implement processes and tools to monitor fork creation and usage, for example by periodically reconciling the platform's fork listing against the inventory and alerting on unregistered forks. Require fork owners to register their repositories, recording the fork's owner and purpose, and to follow organizational security and licensing guidelines. Communicate the fork management policy to all contributors, and restrict forking of private repositories through the platform's organization settings where policy requires it.
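The reconciliation step described above, as an added example that is not part of this benchmark or of any platform's tooling. It takes a JSON fork listing shaped like the GitHub REST API response for GET /repos/{owner}/{repo}/forks (only the full_name, owner.login and pushed_at fields are used), compares it against a registered-fork inventory, and flags forks that are unregistered, owned by accounts outside the organization, or stale. The fork listing, the inventory, the organization member list and the audit time are all constructed sample data; a real audit would fetch the listing from the platform and load the inventory from the organization's register.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample listing, shaped like the GitHub REST API response for
# GET /repos/{owner}/{repo}/forks, trimmed to the fields this script reads.
SAMPLE_FORKS_JSON = """[
  {"full_name": "alice/payments-service", "owner": {"login": "alice"},
   "html_url": "https://github.com/alice/payments-service",
   "pushed_at": "2024-05-01T10:00:00Z"},
  {"full_name": "bob-contractor/payments-service", "owner": {"login": "bob-contractor"},
   "html_url": "https://github.com/bob-contractor/payments-service",
   "pushed_at": "2024-06-10T08:30:00Z"},
  {"full_name": "carol/payments-service", "owner": {"login": "carol"},
   "html_url": "https://github.com/carol/payments-service",
   "pushed_at": "2023-01-15T12:00:00Z"}
]"""

# Constructed fork inventory: forks that owners registered, with purpose and contact.
REGISTERED_FORKS = {
    "alice/payments-service": {"purpose": "feature work", "contact": "alice@example.com"},
    "carol/payments-service": {"purpose": "experiment", "contact": "carol@example.com"},
    "dave/payments-service": {"purpose": "hotfix", "contact": "dave@example.com"},
}

# Constructed organization member list (hypothetical logins).
ORG_MEMBERS = {"alice", "carol", "dave"}

# Fixed audit time so the stale check is deterministic in this example.
AUDIT_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_forks(forks_json, registry, org_members, now, stale_days=180):
    """Return {fork_full_name: [issue, ...]} for every fork in the listing.

    An empty issue list means the fork is registered, owned by an organization
    member, and has been pushed to within the staleness window.
    """
    findings = {}
    for fork in json.loads(forks_json):
        name = fork["full_name"]
        issues = []
        if name not in registry:
            issues.append("unregistered")
        if fork["owner"]["login"] not in org_members:
            issues.append("owner-outside-org")
        if now - parse_timestamp(fork["pushed_at"]) > timedelta(days=stale_days):
            issues.append("stale")
        findings[name] = issues
    return findings


def orphaned_registrations(forks_json, registry):
    """Return inventory entries whose fork no longer appears in the platform listing."""
    live = {fork["full_name"] for fork in json.loads(forks_json)}
    return sorted(set(registry) - live)


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_forks(SAMPLE_FORKS_JSON, REGISTERED_FORKS, ORG_MEMBERS, AUDIT_TIME)


if __name__ == "__main__":
    for name, issues in run_audit().items():
        status = ", ".join(issues) if issues else "compliant"
        print(f"{name}: {status}")
    for name in orphaned_registrations(SAMPLE_FORKS_JSON, REGISTERED_FORKS):
        print(f"{name}: registered but no longer present on the platform")
```

Unregistered forks owned by accounts outside the organization are the ones to escalate first, since they are the copies the organization has neither visibility into nor a contact for. Registry entries with no matching fork indicate the inventory has drifted and should be cleaned up so that it remains trustworthy.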
References:
GitHub Forks Documentation: https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-forks
GitLab Forks: https://docs.gitlab.com/ee/user/project/forks/
CIS Controls v8, Control 16 - Application Software Security: https://www.cisecurity.org/controls/application-software-security/