From a037e9f309175c6f8df5cb9b2e1e64d2d9ae5a13 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 2 Jan 2024 15:03:24 -0600
Subject: [PATCH] Update SECURITY-INSIGHTS.yml with additional information (#108)
* Update SECURITY-INSIGHTS.yml with additional information
Signed-off-by: John Kjell
* Address Scorecard feedback and add dependency policy.
Signed-off-by: John Kjell
---------
Signed-off-by: John Kjell
Signed-off-by: chaosinthecrd
---
.github/workflows/release.yml | 16 +++++--
.github/workflows/verify-licence.yml | 4 +-
.github/workflows/witness.yml | 6 +++
DEPENDENCY.md | 42 ++++++++++++++++++
SECURITY-INSIGHTS.yml | 65 ++++++++++++++++++++++++++--
5 files changed, 124 insertions(+), 9 deletions(-)
create mode 100644 DEPENDENCY.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2861efc3..2785e946 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,14 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
 name: release
 on: [push, pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 fmt:
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: fmt
@@ -29,6 +33,9 @@ jobs:
 sast:
 needs: [fmt]
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: sast
@@ -38,6 +45,9 @@ jobs:
 unit-test:
 needs: [fmt]
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: unit-test
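Review bot: The `id-token: write` grant added to the three `uses: ./.github/workflows/witness.yml` jobs has no effect on `pull_request` runs from forks, where GitHub hands out a read-only GITHUB_TOKEN and issues no OIDC token at all, so the signing path in the called workflow must be gated (presumably that is what the `pull_request` input is for) or fork PRs will fail at the token request rather than being skipped cleanly; worth confirming against witness.yml. The old block's justification for `contents: read` was dropped with it and is worth keeping on the new per-job grants, e.g. `contents: read # required for actions/checkout in the called workflow`, while the identical `# This is required for requesting the JWT` comment repeated three times could be stated once above `jobs:`. Since the workflow-level default is now `contents: read`, any publishing job in this `release` workflow that lives outside these hunks and needs `contents: write` must declare it at job level; the workflow continues past the last hunk shown here.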
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index 593a8d18..8528886d 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -34,9 +34,9 @@ jobs:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
- go-version: '1.17.x'
+ go-version: '1.21.x'
 - name: Install addlicense
- run: go install github.com/google/addlicense@latest
+ run: go install github.com/google/addlicense@v1.1.1
 - name: Check license headers
 run: |
 set -e
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 0cdcf9f5..e02a3049 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -40,9 +40,15 @@ on:
 required: true
 type: string
+
+permissions:
+ contents: read
+
 jobs:
 witness:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
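Review bot: In the witness.yml hunk the job-level `permissions:` block replaces the workflow-level one wholesale, so the new top-level `permissions: contents: read` is never the effective grant for the `witness` job; it is harmless, but the two blocks read as if they compose, and a comment such as `# workflow_call: effective permissions are capped by the caller's grant` above the job-level block would record why `id-token: write` here is only meaningful when release.yml also grants it. This is a `workflow_call` workflow taking string `inputs`, and if any later `run:` line interpolates `${{ inputs.step }}` directly (the steps continue outside the hunk), it should be passed through `env:` instead to avoid expression injection. The `harden-runner` step's `egress-policy` is not visible here; with keyless signing enabled by `id-token: write`, an `egress-policy: block` configuration needs the OIDC issuer and signing endpoints in its allow list.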
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Witness maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Witness maintainers and all third-party packages used in the Witness project.
+
+## Policy
+
+Witness maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Witness.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Witness codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Witness, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Witness codebase.
+5. Update the Witness documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Witness maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
index cf55b9bd..c52c5f1b 100644
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -15,10 +15,67 @@ header:
 schema-version: 1.0.0
 expiration-date: '2024-08-31T10:10:09.000Z'
- last-updated: '2023-12-06'
- last-reviewed: '2023-12-06'
+ last-updated: '2023-12-20'
+ last-reviewed: '2023-12-20'
 commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
 project-url: https://github.com/in-toto/go-witness
- project-release: 'v0.17.0'
- changelog: https://github.com/in-toto/go-witness/releases/tag/v0.17.0
+ project-release: 'v0.2.0'
+ changelog: https://github.com/in-toto/go-witness/releases/tag/v0.2.0
 license: https://github.com/in-toto/go-witness/blob/main/LICENSE
+
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/in-toto/go-witness/MAINTAINERS.md
+ release-cycle: https://github.com/in-toto/go-witness/releases
+
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ contributing-policy: https://github.com/in-toto/go-witness/blob/main/CONTRIBUTING.md
+ code-of-conduct: https://github.com/in-toto/go-witness/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+ - https://witness.dev
+
+distribution-points:
+ - https://github.com/in-toto/go-witness/releases
+
+security-testing:
+- tool-type: sca
+ tool-name: Dependabot
+ tool-version: 2
+ tool-url: https://github.com/dependabot
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: false
+
+security-contacts:
+- type: email
+ value: security@testifysec.com
+ primary: true
+
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: security@testifysec.com
+ security-policy: https://github.com/in-toto/go-witness/SECURITY.md
+
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/in-toto/go-witness/go.mod
+ sbom:
+ - sbom-file: https://foo.bar/sbom
+ sbom-format: CycloneDX
+ sbom-url: https://foo.bar
+ dependencies-lifecycle:
+ policy-url: https://github.com/in-toto/go-witness/SECURITY.md
+ comment: |
+ All dependencies are subject to the Witness Security Policy.
+ env-dependencies-policy:
+ policy-url: https://github.com/in-toto/go-witness/DEPENDENCY.md
+ comment: |
+ All dependencies are subject to the Witness Dependency Policy.
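Review bot: The `sbom:` entry publishes placeholder locations, `sbom-file: https://foo.bar/sbom` and `sbom-url: https://foo.bar`, in a machine-readable security metadata file that tools like Scorecard and CLOMonitor and downstream consumers will read as a real CycloneDX SBOM; either drop the `sbom:` block until an SBOM is actually attached to releases, or point `sbom-file` at the release asset under `https://github.com/in-toto/go-witness/releases`. The `security-policy`, `core-maintainers`, `dependencies-lists` and both `policy-url` values omit `/blob/main/` while `license`, `contributing-policy` and `code-of-conduct` include it, so the former rely on a GitHub redirect rather than resolving as raw file URLs; `security-policy: https://github.com/in-toto/go-witness/blob/main/SECURITY.md` and the same form for the others would be consistent. `last-updated`/`last-reviewed` advance to 2023-12-20 but `commit-hash` is left at the previous value, so the hash no longer identifies the revision this review describes. The `security-testing` list names only Dependabot even though the same commit's release.yml runs a `sast` step; if that is a real SAST run it belongs here as a second `tool-type: sast` entry.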