
Draft: Baseline #237

Open
bra001 wants to merge 1 commit into main from baseline

Conversation

@bra001 (Contributor) commented Feb 18, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 18, 2026 11:16

Copilot AI left a comment


Pull request overview

This PR introduces a new "AppSec Baseline" documentation page that establishes minimum security expectations for all development teams in Equinor. The baseline serves as a foundational reference point before teams dive into the more detailed AppSec Toolbox.

Changes:

  • Added new baseline documentation outlining six core security expectations
  • Updated navigation to include the baseline section between the main index and toolbox

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
docs/baseline/index.md New documentation establishing minimum security expectations across "What we deliver" (threat modeling, GHAS alerts, application knowledge, governance) and "How we deliver" (Slack participation, knowledge sharing)
docs/.pages Added baseline navigation entry to place it prominently in the site structure



- **What data does your application handle, and what is its classification?**
- **Who has access to your system and why?**
- **What are your dependencies and where are they running?**
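Review bot: "what is its classification?" on the first line assumes every team already knows which classification scheme applies; name the classes or link the classification scheme the baseline expects teams to use, so the question has an answer a reviewer can check rather than a free-text guess.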
Contributor

I am thinking this is dependencies like downstream APIs, but it could be misunderstood as Dependabot dependencies, coming right after the GHAS section. One could rephrase to something like

What APIs and services does your application rely on, and where are they hosted?


- The AppSec guidelines on [this site](../toolbox/index.md) - our practical take on how to implement secure development
- [OWASP](https://owasp.org/) and the relevant top 10 lists for your technology
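Review bot: the OWASP link on the second line points at the OWASP front page while the text asks teams to find "the relevant top 10 lists for your technology" themselves; link the lists directly (the OWASP Top Ten, and the OWASP API Security Top 10 for API-heavy services) so a team lands on the list it is expected to use instead of searching for it.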

Contributor

Maybe add:

  • "Where/who to contact when things have gone wrong" (incident handling)

You should be able to answer these questions about your application at any time:

- **What data does your application handle, and what is its classification?**
- **Who has access to your system and why?**
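Review bot: "at any time" on the first line sets the expectation but the text does not say where the answers are meant to live; since the overview lists threat modeling as a "What we deliver" item, point to the threat model (or whichever document the baseline intends) as the place these answers are recorded and kept current, so "at any time" is something a team can actually demonstrate.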
Contributor

This is the OWASP Top 10 Broken Access Control reference; maybe we could add something around the principle of least privilege or defense in depth for authorization.

Who has access to your system, and do they have only the access they need?

3 participants