From e9a362a39b328a1a1da9cc6b1711310316103f51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Tue, 24 Oct 2023 14:12:25 +0200 Subject: [PATCH 1/3] docs(repo): improve report process MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- SECURITY.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index eb5801a2..72beb770 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -30,18 +30,16 @@ reported by the tool _actually exists_ in capsule. ## Reporting a Vulnerability +To report a security issue or vulnerability, [submit a private vulnerability report via GitHub](https://github.com/projectcapsule/capsule/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. + +Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following: - 1. Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. Emails should contain: - * description of the problem * precise and detailed steps (include screenshots) * the affected version(s). This may also include environment relevant versions. * any possible mitigations - - - 2. Send the email to [`projectcapsule-security@googlegroups.com`](mailto:projectcapsule-security@googlegroups.com) - 3. You may be contacted by a project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present. +If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. ## Reponse @@ -53,8 +51,7 @@ Response times could be affected by weekends, holidays, breaks or time zone diff # Release Artifacts -All packages are published in the package registry of the repository. - +[See all the available artifacts](https://github.com/orgs/projectcapsule/packages?repo_name=capsule) ## Verifing From 8565f3046bde572c7e143800c2bd46532a2b405c Mon Sep 17 00:00:00 2001 
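Review bot: in the "Reporting a Vulnerability" hunk, the two added paragraphs leave no reporting channel other than GitHub private advisories, while the removed numbered list carried the `projectcapsule-security@googlegroups.com` mailbox; a reporter without a GitHub account now has no way to reach the maintainers, so either keep one email contact next to the advisory link or state explicitly that GitHub is the only accepted channel. The context fragment `should contain the following:` survives the removal of the list it introduced and now dangles after the second added paragraph; rewrite it as a short list that keeps the useful bullets from the old text (`* description of the problem`, `* precise and detailed steps (include screenshots)`, `* the affected version(s)`, `* any possible mitigations`) or drop it. The two added paragraphs also say "description of the issue" and "steps you took" twice; one paragraph is enough. The `## Reponse` heading in the trailing context is misspelled (`Response`) and could be corrected in the same commit.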
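Review bot: in the "Release Artifacts" hunk, replacing the sentence with a bare link removes the statement of where artifacts are published; keep a short sentence in front of the link (`All release artifacts are published in the package registry of the repository: [see all the available artifacts](...)`) so the section still reads on its own and a reader knows what the link leads to. The hunk also deletes the blank line between the new link and the following `## Verifing` heading; keep a blank line there so the heading is not glued to the paragraph (markdownlint MD022 flags this), and `Verifing` in the context line is misspelled (`Verifying`).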
From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Tue, 24 Oct 2023 14:12:57 +0200 Subject: [PATCH 2/3] docs(repo): add security insights MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- SECURITY-INSIGHTS.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 SECURITY-INSIGHTS.yml diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..c22d0b29 --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,38 @@ +# Reference https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md +header: + schema-version: 1.0.0 + expiration-date: '2024-10-24T01:00:00.000Z' + last-updated: '2023-10-24' + last-reviewed: '2023-10-24' + project-url: https://github.com/projectcapsule/capsule + changelog: https://github.com/projectcapsule/capsule/blob/main/CHANGELOG.md + license: https://github.com/projectcapsule/capsule/blob/main/LICENSE +project-lifecycle: + status: active + bug-fixes-only: false + core-maintainers: + - github:prometherion + - github:oliverbaehler + - github:bsctl + - github:MaxFedotov +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true + contributing-policy: https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md + code-of-conduct: https://github.com/projectcapsule/capsule/blob/main/CODE_OF_CONDUCT.md +vulnerability-reporting: + accepts-vulnerability-reports: true + security-policy: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md + email-contact: cncf-capsule-maintainers@lists.cncf.io + comment: | + Report a vulnerability by using private security issues in GitHub. +security-testing: +- tool-type: sca + tool-name: Dependabot + tool-version: latest + integration: + ad-hoc: false + ci: true + before-release: true + comment: | + Dependabot is enabled for this repo. From f62ba152f887734dc785064d5538f8b3748618fb Mon Sep 17 00:00:00 2001 
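Review bot: `email-contact: cncf-capsule-maintainers@lists.cncf.io` disagrees with the SECURITY.md change in the first patch of this series, which removes the email channel and points only at GitHub private advisories; both documents should name the same contact, so either add this address to SECURITY.md or drop `email-contact` here and rely on the `comment` that points at GitHub. `expiration-date` is set a year out (`2024-10-24T01:00:00.000Z`); without a scheduled check or a release-checklist item that bumps it, the file silently goes stale after that date. `security-testing` lists only Dependabot (`tool-type: sca`), while the SECURITY.md context in the first patch refers to findings "reported by the tool"; if any other scanner runs in CI it belongs in this list as well, and `tool-version: latest` will not tell a reader which version was actually in use when the file was last reviewed.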
From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Tue, 24 Oct 2023 14:14:35 +0200 Subject: [PATCH 3/3] ci(repo): fix token permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- .github/workflows/check-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index afb2120b..835d7ada 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -8,7 +8,7 @@ on: - synchronize permissions: - pull-requests: read + pull-requests: write jobs: main:
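Review bot: the workflow-level `permissions:` block goes from `pull-requests: read` to `pull-requests: write`, which widens the token for every job in `check-pr.yml`, but the commit message ("fix token permissions") does not say which step fails with read-only access; name that step (for example an action that comments on or labels the PR) in the message so the escalation is justified, and if only one job needs it, move the `permissions:` block under that job (the `jobs: main:` key is directly below) so the other jobs keep the read-only default. If the whole workflow really needs write access, a one-line comment above the key explaining why would stop the next reviewer from reverting it.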