Skip to content

Commit

Permalink
Add Security MD files an add FOSSA scan badge
Browse files Browse the repository at this point in the history
Signed-off-by: John Kjell <john@testifysec.com>
  • Loading branch information
jkjell committed Jan 8, 2024
1 parent b9e38d5 commit 494d44a
Show file tree
Hide file tree
Showing 5 changed files with 180 additions and 2 deletions.
21 changes: 21 additions & 0 deletions .clomonitor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Copyright 2023 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CLOMonitor metadata file
# This file must be located at the root of the repository

# Checks exemptions
exemptions:
- check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI)
42 changes: 42 additions & 0 deletions DEPENDENCY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Environment Dependencies Policy

## Purpose

This policy describes how Witness maintainers consume third-party packages.

## Scope

This policy applies to all Witness maintainers and all third-party packages used in the Witness project.

## Policy

Witness maintainers must follow these guidelines when consuming third-party packages:

- Only use third-party packages that are necessary for the functionality of Witness.
- Use the latest version of all third-party packages whenever possible.
- Avoid using third-party packages that are known to have security vulnerabilities.
- Pin all third-party packages to specific versions in the Witness codebase.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies.

## Procedure

When adding a new third-party package to Witness, maintainers must follow these steps:

1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Witness codebase.
5. Update the Witness documentation to reflect the new dependency.

## Enforcement

This policy is enforced by the Witness maintainers.
Maintainers are expected to review each other's code changes to ensure that they comply with this policy.

## Exceptions

Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.

## Credits

This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
[![OpenSSF
-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license)

<p align="center">
<img src="docs/assets/logo.png" width="250">
Expand Down
81 changes: 81 additions & 0 deletions SECURITY-INSIGHTS.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# Copyright 2023 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

header:
schema-version: 1.0.0
expiration-date: '2024-08-31T10:10:09.000Z'
last-updated: '2023-01-05'
last-reviewed: '2023-01-05'
commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
project-url: https://github.com/in-toto/witness
project-release: 'v0.2.0'
changelog: https://github.com/in-toto/witness/releases/tag/v0.2.0
license: https://github.com/in-toto/witness/blob/main/LICENSE

project-lifecycle:
status: active
roadmap: https://github.com/orgs/in-toto/projects/4/views/3
bug-fixes-only: false
core-maintainers:
- https://github.com/in-toto/witness/MAINTAINERS.md
release-cycle: https://github.com/in-toto/witness/releases

contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
contributing-policy: https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md
code-of-conduct: https://github.com/in-toto/witness/blob/main/CODE_OF_CONDUCT.md

documentation:
- https://witness.dev

distribution-points:
- https://github.com/in-toto/witness/releases

security-testing:
- tool-type: sca
tool-name: Dependabot
tool-version: 2
tool-url: https://github.com/dependabot
integration:
ad-hoc: false
ci: true
before-release: false

security-contacts:
- type: email
value: security@testifysec.com
primary: true

vulnerability-reporting:
accepts-vulnerability-reports: true
email-contact: security@testifysec.com
security-policy: https://github.com/in-toto/witness/SECURITY.md

dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/in-toto/witness/go.mod
sbom:
- sbom-file: https://foo.bar/sbom
sbom-format: CycloneDX
sbom-url: https://foo.bar
dependencies-lifecycle:
policy-url: https://github.com/in-toto/witness/SECURITY.md
comment: |
All dependencies are subject to the Witness Security Policy.
env-dependencies-policy:
policy-url: https://github.com/in-toto/witness/DEPENDENCY.md
comment: |
All dependencies are subject to the Witness Dependency Policy.
34 changes: 34 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Security Policy

## Security Bulletins

See current security bullentins on GitHub: https://github.com/in-toto/witness/security/advisories

For information regarding the security of this project please join:

* in-toto-witness on CNCF Slack

## Reporting a Vulnerability

Please use the below process to report a vulnerability to the project:

Web Form:

1. Please visit https://github.com/in-toto/witness/security/advisories/new
* You will receive a confirmation email upon submission
1. You may be contacted by a maintainer to further discuss the reported item
within 3 days. Please bear with us as we seek to understand the breadth
and scope of the reported problem, recreate it, and confirm if there is an
vulnerability present.

This project follows a 30 day disclosure timeline.

## Supported Versions

Information regarding supported versions of this project can be found on
in the below table:

| Version | Supported |
| --- | --- |
| Latest | :white_check_mark: |
| <= Latest - 2 | :x: |

0 comments on commit 494d44a

Please sign in to comment.