How To Automate "Meeting Evidence" As Code

By

Last month, Yvie Djieya wrote a blog post describing how JupiterOne's security team manages "meeting evidence" as code. Yvie covered the difficulty of managing meeting evidence for various auditing frameworks and elaborated on JupiterOne's process for managing meeting evidence as code. Today, I will take this one step further by covering an automated process to ensure all reviewers have approved the meeting notes and then auto merge the meeting evidence into the main code branch.

Need for Automation

When a reviewer clicks "Approve" for the GitHub pull request, it represents two things:

  1. the reviewer has confirmed their presence at the meeting, and
  2. the reviewer agrees that the meeting minutes are accurate.

Before implementing an automated solution, the minutes taker was responsible for ensuring all reviewers approved the pull request before manually merging the pull request into the main branch. However, this step relied on a person to remember to continually check the pull request until all meeting attendees had clicked "Approved" (checking the pull request over a period of minutes, hours, or days after the meeting). Once all reviewers clicked "Approved", the minutes taker could merge pull request. This is yet another task, to add to a plethora of to-dos, for an employee to track.

The other caveat of manually checking reviewers and merging is that a merge could mistakenly happen before all reviewers click "Approve". In this case, the merge will not accurately reflect the evidence of the meeting (i.e. 4 reviewers attended the meeting but only 3 reviewers were accounted for because they clicked "Approve" before the merge happened). The opportunity cost for automating this task is covered by the assurance that the task will not be forgotten by the minutes taker and all reviewers will be accounted for.

Github Action

At this time, there is not an option within GitHub's "Branch Protection Rules" to ensure that all reviewers have approved a pull request. Therefore, JupiterOne wrote a GitHub Action to enforce this desired review behavior.

Installation

Copy verify_all_reviewers.yml and check_for_reviewers.yml to the .github/workflows folder in your repo, in your main branch.

Create an initial run of both workflow actions. These workflows will fail; however, it is required for the following step - configuring branch policy settings.

  1. Go to "Actions" and "Verify All Reviewers"
automate-meeting-evidence-as-code-step-1-1
  1. Click the drop down "Run workflow" and then the "Run workflow" button
automate-meeting-evidence-as-code-step-1-2
  1. Perform the same steps above for "Check for Reviewers"

GitHub Configuration

Set auto-merge

  1. Go to "Settings" -> General"
  2. Select "Allow auto-merge"

Set the branch policies

  1. Go to "Settings" -> "Branches"
automate-meeting-evidence-as-code-step-2-1
  1. Under "Branch protection rules", either edit a current rule or add a new rule
  2. Configure the following rule settings:
  3. "Branch name pattern"
  4. Enter a branch name (usually 'main')
  5. "Protect matching branches"
  6. Select "Require a pull request before merging"
  7. Select "Require approvals"
  8. Select "1"
  9. Select "Require status checks to pass before merging"
  10. Search for and select "Verify All Reviewers"
  11. Search for and select "Check for Reviewers"
automate-meeting-evidence-as-code-step-2-3


Click either "Save changes" or "Create"

Automation in Action

  1. Click on the meeting notes file and click the "Edit" button on the right of the menu
automate-meeting-evidence-as-code-step-3-1
  1. Add notes from the meeting accordingly, then scroll to the bottom.
  2. Create a new branch for the meeting notes and click "Propose changes." Then click "Create pull request"
automate-meeting-evidence-as-code-step-3-2
  1. Click the "Enable auto-merge" button and then "Confirm auto-merge"
automate-meeting-evidence-as-code-step-3-3
  1. Request the reviewers from the meeting.
automate-meeting-evidence-as-code-step-3-4

Conclusion

Policies, procedures, and documentation are an important part of ensuring security. However, there is a delicate balance between security and usability. If processes are too cumbersome, people will circumvent steps in order to accomplish tasks. Therefore, the more we automate, the easier our jobs will be; let computers do what they do best - perform a task repeatedly at a specified cadence. Employees are then free to do what they do best - create, innovate, and inspire.

Cameron Griffin
Cameron Griffin

Cameron is a Senior Security Automation Engineer at JupiterOne. He has spent decades working hard to be lazy - automating and documenting “all the things”. Cameron loves technology, security, and learning something new every day. When away from his keyboard, he enjoys surfing, skateboarding, yoga, reading, and music.

Keep Reading

What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)
February 6, 2023
Blog
What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)

The new JupiterOne Query Builder streamlines your querying experience by eliminating errors, simplifying query builds, and reducing time to value.

The top 10 questions that every engineering leader should be able to answer
February 2, 2023
Blog
The top 10 questions that every engineering leader should be able to answer

We polled some of our engineering leaders to see what it takes to succeed. In part two, we see if their answers align with the CISOs we talked to.

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.