diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index afb2120b..835d7ada 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -8,7 +8,7 @@ on: - synchronize permissions: - pull-requests: read + pull-requests: write jobs: main: diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..c22d0b29 --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,38 @@ +# Reference https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md +header: + schema-version: 1.0.0 + expiration-date: '2024-10-24T01:00:00.000Z' + last-updated: '2023-10-24' + last-reviewed: '2023-10-24' + project-url: https://github.com/projectcapsule/capsule + changelog: https://github.com/projectcapsule/capsule/blob/main/CHANGELOG.md + license: https://github.com/projectcapsule/capsule/blob/main/LICENSE +project-lifecycle: + status: active + bug-fixes-only: false + core-maintainers: + - github:prometherion + - github:oliverbaehler + - github:bsctl + - github:MaxFedotov +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true + contributing-policy: https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md + code-of-conduct: https://github.com/projectcapsule/capsule/blob/main/CODE_OF_CONDUCT.md +vulnerability-reporting: + accepts-vulnerability-reports: true + security-policy: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md + email-contact: cncf-capsule-maintainers@lists.cncf.io + comment: | + Report a vulnerability by using private security issues in GitHub. +security-testing: +- tool-type: sca + tool-name: Dependabot + tool-version: latest + integration: + ad-hoc: false + ci: true + before-release: true + comment: | + Dependabot is enabled for this repo. diff --git a/SECURITY.md b/SECURITY.md index eb5801a2..72beb770 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -30,18 +30,16 @@ reported by the tool _actually exists_ in capsule. ## Reporting a Vulnerability +To report a security issue or vulnerability, [submit a private vulnerability report via GitHub](https://github.com/projectcapsule/capsule/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. + +Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following: - 1. Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. Emails should contain: - * description of the problem * precise and detailed steps (include screenshots) * the affected version(s). This may also include environment relevant versions. * any possible mitigations - - - 2. Send the email to [`projectcapsule-security@googlegroups.com`](mailto:projectcapsule-security@googlegroups.com) - 3. You may be contacted by a project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present. +If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. ## Reponse @@ -53,8 +51,7 @@ Response times could be affected by weekends, holidays, breaks or time zone diff # Release Artifacts -All packages are published in the package registry of the repository. - +[See all the available artifacts](https://github.com/orgs/projectcapsule/packages?repo_name=capsule) ## Verifing