How To Automate "Meeting Evidence" As Code

by

Last month, Yvie Djieya wrote a blog post describing how JupiterOne's security team manages "meeting evidence" as code. Yvie covered the difficulty of managing meeting evidence for various auditing frameworks and elaborated on JupiterOne's process for managing meeting evidence as code. Today, I will take this one step further by covering an automated process to ensure all reviewers have approved the meeting notes and then auto merge the meeting evidence into the main code branch.

Need for Automation

When a reviewer clicks "Approve" for the GitHub pull request, it represents two things:

  1. the reviewer has confirmed their presence at the meeting, and
  2. the reviewer agrees that the meeting minutes are accurate.

Before implementing an automated solution, the minutes taker was responsible for ensuring all reviewers approved the pull request before manually merging the pull request into the main branch. However, this step relied on a person to remember to continually check the pull request until all meeting attendees had clicked "Approved" (checking the pull request over a period of minutes, hours, or days after the meeting). Once all reviewers clicked "Approved", the minutes taker could merge pull request. This is yet another task, to add to a plethora of to-dos, for an employee to track.

The other caveat of manually checking reviewers and merging is that a merge could mistakenly happen before all reviewers click "Approve". In this case, the merge will not accurately reflect the evidence of the meeting (i.e. 4 reviewers attended the meeting but only 3 reviewers were accounted for because they clicked "Approve" before the merge happened). The opportunity cost for automating this task is covered by the assurance that the task will not be forgotten by the minutes taker and all reviewers will be accounted for.

Github Action

At this time, there is not an option within GitHub's "Branch Protection Rules" to ensure that all reviewers have approved a pull request. Therefore, JupiterOne wrote a GitHub Action to enforce this desired review behavior.

Installation

Copy verify_all_reviewers.yml and check_for_reviewers.yml to the .github/workflows folder in your repo, in your main branch.

Create an initial run of both workflow actions. These workflows will fail; however, it is required for the following step - configuring branch policy settings.

  1. Go to "Actions" and "Verify All Reviewers"
automate-meeting-evidence-as-code-step-1-1
  1. Click the drop down "Run workflow" and then the "Run workflow" button
automate-meeting-evidence-as-code-step-1-2
  1. Perform the same steps above for "Check for Reviewers"

GitHub Configuration

Set auto-merge

  1. Go to "Settings" -> General"
  2. Select "Allow auto-merge"

Set the branch policies

  1. Go to "Settings" -> "Branches"
automate-meeting-evidence-as-code-step-2-1
  1. Under "Branch protection rules", either edit a current rule or add a new rule
  2. Configure the following rule settings:
  3. "Branch name pattern"
  4. Enter a branch name (usually 'main')
  5. "Protect matching branches"
  6. Select "Require a pull request before merging"
  7. Select "Require approvals"
  8. Select "1"
  9. Select "Require status checks to pass before merging"
  10. Search for and select "Verify All Reviewers"
  11. Search for and select "Check for Reviewers"
automate-meeting-evidence-as-code-step-2-3


Click either "Save changes" or "Create"

Automation in Action

  1. Click on the meeting notes file and click the "Edit" button on the right of the menu
automate-meeting-evidence-as-code-step-3-1
  1. Add notes from the meeting accordingly, then scroll to the bottom.
  2. Create a new branch for the meeting notes and click "Propose changes." Then click "Create pull request"
automate-meeting-evidence-as-code-step-3-2
  1. Click the "Enable auto-merge" button and then "Confirm auto-merge"
automate-meeting-evidence-as-code-step-3-3
  1. Request the reviewers from the meeting.
automate-meeting-evidence-as-code-step-3-4

Conclusion

Policies, procedures, and documentation are an important part of ensuring security. However, there is a delicate balance between security and usability. If processes are too cumbersome, people will circumvent steps in order to accomplish tasks. Therefore, the more we automate, the easier our jobs will be; let computers do what they do best - perform a task repeatedly at a specified cadence. Employees are then free to do what they do best - create, innovate, and inspire.

Cameron Griffin
Cameron Griffin

Cameron is a Senior Security Automation Engineer at JupiterOne. He has spent decades working hard to be lazy - automating and documenting “all the things”. Cameron loves technology, security, and learning something new every day. When away from his keyboard, he enjoys surfing, skateboarding, yoga, reading, and music.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.