-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Security MD files an add FOSSA scan badge
Signed-off-by: John Kjell <john@testifysec.com>
- Loading branch information
Showing
5 changed files
with
180 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Copyright 2023 The Witness Contributors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# CLOMonitor metadata file | ||
# This file must be located at the root of the repository | ||
|
||
# Checks exemptions | ||
exemptions: | ||
- check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions) | ||
reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# Environment Dependencies Policy | ||
|
||
## Purpose | ||
|
||
This policy describes how Witness maintainers consume third-party packages. | ||
|
||
## Scope | ||
|
||
This policy applies to all Witness maintainers and all third-party packages used in the Witness project. | ||
|
||
## Policy | ||
|
||
Witness maintainers must follow these guidelines when consuming third-party packages: | ||
|
||
- Only use third-party packages that are necessary for the functionality of Witness. | ||
- Use the latest version of all third-party packages whenever possible. | ||
- Avoid using third-party packages that are known to have security vulnerabilities. | ||
- Pin all third-party packages to specific versions in the Witness codebase. | ||
- Use a dependency management tool, such as Go modules, to manage third-party dependencies. | ||
|
||
## Procedure | ||
|
||
When adding a new third-party package to Witness, maintainers must follow these steps: | ||
|
||
1. Evaluate the need for the package. Is it necessary for the functionality of Witness? | ||
2. Research the package. Is it well-maintained? Does it have a good reputation? | ||
3. Choose a version of the package. Use the latest version whenever possible. | ||
4. Pin the package to the specific version in the Witness codebase. | ||
5. Update the Witness documentation to reflect the new dependency. | ||
|
||
## Enforcement | ||
|
||
This policy is enforced by the Witness maintainers. | ||
Maintainers are expected to review each other's code changes to ensure that they comply with this policy. | ||
|
||
## Exceptions | ||
|
||
Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis. | ||
|
||
## Credits | ||
|
||
This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
# Copyright 2023 The Witness Contributors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
header: | ||
schema-version: 1.0.0 | ||
expiration-date: '2024-08-31T10:10:09.000Z' | ||
last-updated: '2023-01-05' | ||
last-reviewed: '2023-01-05' | ||
commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41 | ||
project-url: https://github.com/in-toto/witness | ||
project-release: 'v0.2.0' | ||
changelog: https://github.com/in-toto/witness/releases/tag/v0.2.0 | ||
license: https://github.com/in-toto/witness/blob/main/LICENSE | ||
|
||
project-lifecycle: | ||
status: active | ||
roadmap: https://github.com/orgs/in-toto/projects/4/views/3 | ||
bug-fixes-only: false | ||
core-maintainers: | ||
- https://github.com/in-toto/witness/MAINTAINERS.md | ||
release-cycle: https://github.com/in-toto/witness/releases | ||
|
||
contribution-policy: | ||
accepts-pull-requests: true | ||
accepts-automated-pull-requests: true | ||
contributing-policy: https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md | ||
code-of-conduct: https://github.com/in-toto/witness/blob/main/CODE_OF_CONDUCT.md | ||
|
||
documentation: | ||
- https://witness.dev | ||
|
||
distribution-points: | ||
- https://github.com/in-toto/witness/releases | ||
|
||
security-testing: | ||
- tool-type: sca | ||
tool-name: Dependabot | ||
tool-version: 2 | ||
tool-url: https://github.com/dependabot | ||
integration: | ||
ad-hoc: false | ||
ci: true | ||
before-release: false | ||
|
||
security-contacts: | ||
- type: email | ||
value: security@testifysec.com | ||
primary: true | ||
|
||
vulnerability-reporting: | ||
accepts-vulnerability-reports: true | ||
email-contact: security@testifysec.com | ||
security-policy: https://github.com/in-toto/witness/SECURITY.md | ||
|
||
dependencies: | ||
third-party-packages: true | ||
dependencies-lists: | ||
- https://github.com/in-toto/witness/go.mod | ||
sbom: | ||
- sbom-file: https://foo.bar/sbom | ||
sbom-format: CycloneDX | ||
sbom-url: https://foo.bar | ||
dependencies-lifecycle: | ||
policy-url: https://github.com/in-toto/witness/SECURITY.md | ||
comment: | | ||
All dependencies are subject to the Witness Security Policy. | ||
env-dependencies-policy: | ||
policy-url: https://github.com/in-toto/witness/DEPENDENCY.md | ||
comment: | | ||
All dependencies are subject to the Witness Dependency Policy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# Security Policy | ||
|
||
## Security Bulletins | ||
|
||
See current security bullentins on GitHub: https://github.com/in-toto/witness/security/advisories | ||
|
||
For information regarding the security of this project please join: | ||
|
||
* in-toto-witness on CNCF Slack | ||
|
||
## Reporting a Vulnerability | ||
|
||
Please use the below process to report a vulnerability to the project: | ||
|
||
Web Form: | ||
|
||
1. Please visit https://github.com/in-toto/witness/security/advisories/new | ||
* You will receive a confirmation email upon submission | ||
1. You may be contacted by a maintainer to further discuss the reported item | ||
within 3 days. Please bear with us as we seek to understand the breadth | ||
and scope of the reported problem, recreate it, and confirm if there is an | ||
vulnerability present. | ||
|
||
This project follows a 30 day disclosure timeline. | ||
|
||
## Supported Versions | ||
|
||
Information regarding supported versions of this project can be found on | ||
in the below table: | ||
|
||
| Version | Supported | | ||
| --- | --- | | ||
| Latest | :white_check_mark: | | ||
| <= Latest - 2 | :x: | |