SecureReview is a security mechanism that can be applied on top of a Git-based code review system to ensure the integrity of the code review process and provide verifiable guarantees that the code review process followed the intended review policy. To achieve this goal, SecureReview provides three main features:
- Sign Code Review Policy: SecureReview allows the project owner to compute a digital signature over the code review policy and store it on the code review server, so that it can later be retrieved from the server to verify the integrity of the code review policy. To store the signature, a check status and a code review label are defined on GitHub and Gerrit, respectively.
- Sign Code Reviews: SecureReview encapsulates each review in a review unit and embeds it in a Git commit message. Each review unit contains the relevant information about the review, such as the reviewer's rating, the reviewer's comment, and a signature over the entire review unit.
- Create a Verifiable Chain of Reviews per Code Change: Each review unit depends on the prior review unit (i.e., it includes the signature field of the previous review). This property prevents unauthorized changes in the middle of the chain.
SecureReview can be installed as an unpacked extension in the Chrome browser as follows:
- Download the latest version of the extension from the releases section.
- Unzip the extension.
- In your Chrome browser, go to chrome://extensions.
- Enable Developer mode.
- Click on Load Unpacked and select the unzipped folder.
For the best use of SecureReview, it is recommended that you take a look at the issue tracker before trying it out.
Security issues, bugs and feature requests can be reported through the GitHub issue tracker. Ideally, an issue is documented as follows:
- Description of issue or feature request
- Current behavior
- Expected behavior
Contributions can be made by submitting GitHub Pull Requests.
Use of this source code is governed by the Apache License, Version 2.0, which can be found in the LICENSE file.
This project is managed by Prof. Reza Curtmola and other members of the NJIT Cybersecurity Research Center at NJIT and the Secure Systems Lab at NYU.
Contact: hammad.afzali@gmail.com