Add SECURITY-INSIGHTS.md

[thepetk]

What does this PR do?

As part of the CNCF defender tasks we need to add a security-insights.md to reach the 100% on the monitor. More information for the security insights here: https://github.com/ossf/security-insights-spec/blob/main/specification.md

Which issue(s) does this PR fix

Fixes devfile/api#1392

PR acceptance criteria

Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.

• Unit/Functional tests

• Documentation

How to test changes / Special notes to the reviewer

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.16%. Comparing base (b1b0c21) to head (a0b1d3f).
Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #50   +/-   ##
=======================================
  Coverage   73.16%   73.16%           
=======================================
  Files          11       11           
  Lines        1565     1565           
=======================================
  Hits         1145     1145           
  Misses        351      351           
  Partials       69       69           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Jdubrick]

/lgtm

Will the threat model and vulnerability reporting be added after conclusion of the epic?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Jdubrick, thepetk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Jdubrick,thepetk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[thepetk]

/lgtm

Will the threat model and vulnerability reporting be added after conclusion of the epic?

Yeap, in the devfile/api#1461 it is mentioned in the acceptance criteria that all SECURITY-INSIGHTS.md should be updated after the security.md file creation.

[Jdubrick]

@thepetk I was looking over the docs again and noticed there has to be a specific naming convention for the security-insights file to be picked up by the clomonitor scan. It has to be named security-insights.yml. From looking at the monitor it isn't tracking properly for alizer.

https://clomonitor.io/docs/topics/checks/#security-insights

[Jdubrick]

@thepetk I was looking over the docs again and noticed there has to be a specific naming convention for the security-insights file to be picked up by the clomonitor scan. It has to be named security-insights.yml. From looking at the monitor it isn't tracking properly for alizer.

https://clomonitor.io/docs/topics/checks/#security-insights

never mind. We did use a yaml file and the title of the PR threw me off. The issue is due to the extension being .yaml instead of .yml. This issue was raised to the developers of the monitor a while back as currently they only support .yml.

[thepetk]

@thepetk I was looking over the docs again and noticed there has to be a specific naming convention for the security-insights file to be picked up by the clomonitor scan. It has to be named security-insights.yml. From looking at the monitor it isn't tracking properly for alizer.
https://clomonitor.io/docs/topics/checks/#security-insights

never mind. We did use a yaml file and the title of the PR threw me off. The issue is due to the extension being .yaml instead of .yml. This issue was raised to the developers of the monitor a while back as currently they only support .yml.

@Jdubrick I've created a PR to rename the file here: #52