Commit 51fd16c

Merge pull request #866 from viccuad/main
ci: Add OpenSSF Scorecard workflow and badge
2 parents 46c69bd + 733f0bb commit 51fd16c

File tree

3 files changed

+99
-0
lines changed

.github/workflows/openssf.yml

+32
@@ -0,0 +1,32 @@
1+
name: Scorecards supply-chain security
2+
on:
3+
push:
4+
branches: [main]
5+
6+
# Declare default permissions as read only.
7+
permissions: read-all
8+
9+
jobs:
10+
analysis:
11+
name: Scorecards analysis
12+
runs-on: ubuntu-latest
13+
permissions:
14+
# Needed to upload the results to code-scanning dashboard.
15+
security-events: write
16+
# Used to receive a badge. (Upcoming feature)
17+
id-token: write
18+
19+
steps:
20+
- name: "Checkout code"
21+
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
22+
with:
23+
persist-credentials: false
24+
25+
- name: "Run analysis"
26+
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
27+
with:
28+
results_file: results.sarif
29+
results_format: sarif
30+
# Publish the results for public repositories to enable scorecard badges. For more details, see
31+
# https://github.com/ossf/scorecard-action#publishing-results.
32+
publish_results: true
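Review bot: `security-events: write` (line 15) is granted with the comment "Needed to upload the results to code-scanning dashboard", but no step in this workflow uploads `results.sarif`; either add an upload step after "Run analysis" (the scorecard-action README linked at line 31 pairs it with `github/codeql-action/upload-sarif` and `sarif_file: results.sarif`) or drop the permission so the job keeps the read-only default declared at line 7. Two smaller points: the `id-token: write` comment "(Upcoming feature)" is stale, since `publish_results: true` is exactly what needs the OIDC token today; and with `push: branches: [main]` as the only trigger, the score is recomputed only when someone commits to main, so a `schedule:` cron (and `branch_protection_rule:`) would keep the badge current for checks that change without a push.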

README.md

+6
@@ -2,7 +2,9 @@
22
[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
33
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubewarden-defaults)](https://artifacthub.io/packages/helm/kubewarden/kubewarden-defaults)
44
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6626/badge)](https://bestpractices.coreinfrastructure.org/projects/6626)
5+
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6626/badge)](https://www.bestpractices.dev/projects/6626)
56
[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fpolicy-server.svg?type=shield)](https://app.fossa.com/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fpolicy-server?ref=badge_shield)
7+
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kubewarden/policy-server/badge)](https://scorecard.dev/viewer/?uri=github.com/kubewarden/policy-server)
68

79
> **Note well:** don't forget to checkout [Kubewarden's documentation](https://docs.kubewarden.io)
810
> for more information
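Review bot: the new OpenSSF Best Practices badge at line 5 points at the same project (6626) as the existing CII Best Practices badge on line 4; bestpractices.coreinfrastructure.org is the former hostname of bestpractices.dev, so the README now renders the same badge twice. Suggest replacing the CII line rather than adding a second one. The Scorecard badge on line 7 matches `publish_results: true` in the new workflow, which is what makes the badge endpoint populate.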
@@ -231,3 +233,7 @@ The Kubewarden team is security conscious. You can find our [threat model
231233
assessment](https://docs.kubewarden.io/security/threat-model) and
232234
[responsible disclosure approach](https://docs.kubewarden.io/security/disclosure)
233235
in our Kubewarden docs.
236+
237+
## Changelog
238+
239+
See [GitHub Releases content](https://github.com/kubewarden/policy-server/releases).

SECURITY_INSIGHTS.yml

+61
@@ -0,0 +1,61 @@
1+
header:
2+
schema-version: 1.0.0
3+
last-updated: "2024-08-12"
4+
last-reviewed: "2023-08-12"
5+
expiration-date: "2025-10-01T01:00:00.000Z"
6+
project-url: https://github.com/kubewarden/policy-server/
7+
changelog: https://github.com/kubewarden/policy-server/releases/latest
8+
license: https://github.com/kubewarden/policy-server/blob/main/LICENSE
9+
project-lifecycle:
10+
bug-fixes-only: false
11+
core-maintainers:
12+
- https://github.com/kubewarden/community?tab=readme-ov-file#maintainers
13+
roadmap: https://github.com/kubewarden/community?tab=readme-ov-file#roadmap
14+
status: active
15+
contribution-policy:
16+
accepts-pull-requests: true
17+
accepts-automated-pull-requests: true
18+
contributing-policy: https://github.com/kubewarden/policy-server/blob/main/CONTRIBUTING.md
19+
code-of-conduct: https://github.com/kubewarden/community/blob/main/CODE_OF_CONDUCT.md
20+
documentation:
21+
- https://docs.kubewarden.io
22+
distribution-points:
23+
- https://github.com/kubewarden/policy-server/
24+
- https://artifacthub.io/packages/helm/kubewarden/kubewarden-defaults
25+
- https://github.com/orgs/kubewarden/packages?repo_name=helm-charts
26+
security-artifacts:
27+
threat-model:
28+
threat-model-created: true
29+
evidence-url:
30+
- https://docs.kubewarden.io/reference/threat-model
31+
security-testing:
32+
- tool-type: sca
33+
tool-name: Dependabot
34+
tool-version: latest
35+
integration:
36+
ad-hoc: false
37+
ci: true
38+
before-release: true
39+
comment: |
40+
Dependabot is enabled for this repo.
41+
security-contacts:
42+
- type: website
43+
value: https://docs.kubewarden.io/disclosure
44+
vulnerability-reporting:
45+
accepts-vulnerability-reports: true
46+
security-policy: https://github.com/kubewarden/community/blob/main/SECURITY.md
47+
email-contact: cncf-kubewarden-maintainers@lists.cncf.io
48+
comment: |
49+
The first and best way to report a vulnerability is by using private security issues in GitHub or opening an issue on Github. We are also available on the Kubernetes Slack in the #kubewaden-dev channel.
50+
dependencies:
51+
third-party-packages: true
52+
dependencies-lists:
53+
- https://github.com/kubewarden/policy-server/blob/main/Cargo.lock
54+
sbom:
55+
- sbom-file: https://github.com/kubewarden/policy-server/releases/latest/download/policy-server-sbom-adm64.spdx
56+
sbom-format: SPDX
57+
sbom-url: https://github.com/anchore/sbom-action
58+
dependencies-lifecycle:
59+
policy-url: https://github.com/kubewarden/community/blob/main/SECURITY.md#security-patch-policy
60+
env-dependencies-policy:
61+
policy-url: https://github.com/kubewarden/community/blob/main/SECURITY.md#dependency-policy
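Review bot: `sbom-file` (line 55) has a typo in the asset name, `policy-server-sbom-adm64.spdx`; if the release asset is published as `amd64` this link 404s, so please verify it against the latest release assets before merging. Further fixes in the same hunk: `last-reviewed: "2023-08-12"` (line 4) is a full year before `last-updated: "2024-08-12"`, which looks like a typo for 2024; the Slack channel in the vulnerability-reporting comment (line 49) is spelled `#kubewaden-dev`; that same comment says a vulnerability can be reported by "opening an issue on Github", which would make the report public and contradicts the private-disclosure process the `security-policy` link at line 46 describes, so drop that clause; and the threat-model `evidence-url` (line 30) is `https://docs.kubewarden.io/reference/threat-model` while the README context in this same PR links `https://docs.kubewarden.io/security/threat-model`, so one of the two should be aligned.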
