Skip to content

Commit

Permalink
Update SECURITY-INSIGHTS.yml with additional information (#108)
Browse files Browse the repository at this point in the history
* Update SECURITY-INSIGHTS.yml with additional information

Signed-off-by: John Kjell <[email protected]>

* Address Scorecard feedback and add dependency policy.

Signed-off-by: John Kjell <[email protected]>

---------

Signed-off-by: John Kjell <[email protected]>
  • Loading branch information
jkjell authored Jan 2, 2024
1 parent 3088442 commit 9875fcc
Show file tree
Hide file tree
Showing 5 changed files with 124 additions and 9 deletions.
16 changes: 13 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,18 @@
# See the License for the specific language governing permissions and
# limitations under the License.

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: release
on: [push, pull_request]

permissions:
contents: read

jobs:
fmt:
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
Expand All @@ -29,6 +33,9 @@ jobs:
sast:
needs: [fmt]
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
Expand All @@ -38,6 +45,9 @@ jobs:
unit-test:
needs: [fmt]
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/verify-licence.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.17.x'
go-version: '1.21.x'
- name: Install addlicense
run: go install github.com/google/addlicense@latest
run: go install github.com/google/addlicense@v1.1.1
- name: Check license headers
run: |
set -e
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/witness.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,15 @@ on:
required: true
type: string

permissions:
contents: read

jobs:
witness:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
Expand Down
42 changes: 42 additions & 0 deletions DEPENDENCY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Environment Dependencies Policy

## Purpose

This policy describes how Witness maintainers consume third-party packages.

## Scope

This policy applies to all Witness maintainers and all third-party packages used in the Witness project.

## Policy

Witness maintainers must follow these guidelines when consuming third-party packages:

- Only use third-party packages that are necessary for the functionality of Witness.
- Use the latest version of all third-party packages whenever possible.
- Avoid using third-party packages that are known to have security vulnerabilities.
- Pin all third-party packages to specific versions in the Witness codebase.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies.

## Procedure

When adding a new third-party package to Witness, maintainers must follow these steps:

1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Witness codebase.
5. Update the Witness documentation to reflect the new dependency.

## Enforcement

This policy is enforced by the Witness maintainers.
Maintainers are expected to review each other's code changes to ensure that they comply with this policy.

## Exceptions

Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.

## Credits

This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
65 changes: 61 additions & 4 deletions SECURITY-INSIGHTS.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,67 @@
header:
schema-version: 1.0.0
expiration-date: '2024-08-31T10:10:09.000Z'
last-updated: '2023-12-06'
last-reviewed: '2023-12-06'
last-updated: '2023-12-20'
last-reviewed: '2023-12-20'
commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
project-url: https://github.com/in-toto/go-witness
project-release: 'v0.17.0'
changelog: https://github.com/in-toto/go-witness/releases/tag/v0.17.0
project-release: 'v0.2.0'
changelog: https://github.com/in-toto/go-witness/releases/tag/v0.2.0
license: https://github.com/in-toto/go-witness/blob/main/LICENSE

project-lifecycle:
status: active
roadmap: https://github.com/orgs/in-toto/projects/4/views/3
bug-fixes-only: false
core-maintainers:
- https://github.com/in-toto/go-witness/MAINTAINERS.md
release-cycle: https://github.com/in-toto/go-witness/releases

contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
contributing-policy: https://github.com/in-toto/go-witness/blob/main/CONTRIBUTING.md
code-of-conduct: https://github.com/in-toto/go-witness/blob/main/CODE_OF_CONDUCT.md

documentation:
- https://witness.dev

distribution-points:
- https://github.com/in-toto/go-witness/releases

security-testing:
- tool-type: sca
tool-name: Dependabot
tool-version: 2
tool-url: https://github.com/dependabot
integration:
ad-hoc: false
ci: true
before-release: false

security-contacts:
- type: email
value: [email protected]
primary: true

vulnerability-reporting:
accepts-vulnerability-reports: true
email-contact: [email protected]
security-policy: https://github.com/in-toto/go-witness/SECURITY.md

dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/in-toto/go-witness/go.mod
sbom:
- sbom-file: https://foo.bar/sbom
sbom-format: CycloneDX
sbom-url: https://foo.bar
dependencies-lifecycle:
policy-url: https://github.com/in-toto/go-witness/SECURITY.md
comment: |
All dependencies are subject to the Witness Security Policy.
env-dependencies-policy:
policy-url: https://github.com/in-toto/go-witness/DEPENDENCY.md
comment: |
All dependencies are subject to the Witness Dependency Policy.

0 comments on commit 9875fcc

Please sign in to comment.