Merge pull request #884 from viccuad/main

ci: Add OpenSSF scorecard job and badge
kubewarden · Aug 12, 2024 · 011f420 · 011f420
2 parents f1e69fa + 22f33fe
commit 011f420
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 14 deletions.
diff --git a/.github/workflows/openssf.yml b/.github/workflows/openssf.yml
@@ -0,0 +1,32 @@
+name: Scorecards supply-chain security
+on:
+  push:
+    branches: [main]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9180/badge)](https://www.bestpractices.dev/projects/9180)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fkwctl.svg?type=shield)](https://app.fossa.com/projects/cjustom%2B25850%2Fgithub.com%2Fkubewarden%2Fkwctl?ref=badge_shield)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kubewarden/kwctl/badge)](https://scorecard.dev/viewer/?uri=github.com/kubewarden/kwctl)
 
 # `kwctl`
 
@@ -331,3 +332,11 @@ The output should be:
 ```
 Verified OK
 ```
+
+## Security disclosure
+
+See [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo.
+
+## Changelog
+
+See [GitHub Releases content](https://github.com/kubewarden/kwctl/releases).
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,59 @@
+header:
+  schema-version: 1.0.0
+  last-updated: "2024-08-12"
+  last-reviewed: "2023-08-12"
+  expiration-date: "2025-10-01T01:00:00.000Z"
+  project-url: https://github.com/kubewarden/kwctl/
+  changelog: https://github.com/kubewarden/kwctl/releases/latest
+  license: https://github.com/kubewarden/kwctl/blob/main/LICENSE
+project-lifecycle:
+  bug-fixes-only: false
+  core-maintainers:
+    - https://github.com/kubewarden/community?tab=readme-ov-file#maintainers
+  roadmap: https://github.com/kubewarden/community?tab=readme-ov-file#roadmap
+  status: active
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  contributing-policy: https://github.com/kubewarden/kwctl/blob/main/CONTRIBUTING.md
+  code-of-conduct: https://github.com/kubewarden/community/blob/main/CODE_OF_CONDUCT.md
+documentation:
+  - https://docs.kubewarden.io
+distribution-points:
+  - https://github.com/kubewarden/kwctl/
+security-artifacts:
+  threat-model:
+    threat-model-created: true
+    evidence-url:
+      - https://docs.kubewarden.io/reference/threat-model
+security-testing:
+  - tool-type: sca
+    tool-name: Dependabot
+    tool-version: latest
+    integration:
+      ad-hoc: false
+      ci: true
+      before-release: true
+    comment: |
+      Dependabot is enabled for this repo.
+security-contacts:
+  - type: website
+    value: https://docs.kubewarden.io/disclosure
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  security-policy: https://github.com/kubewarden/community/blob/main/SECURITY.md
+  email-contact: cncf-kubewarden-maintainers@lists.cncf.io
+  comment: |
+    The first and best way to report a vulnerability is by using private security issues in GitHub or opening an issue on Github. We are also available on the Kubernetes Slack in the #kubewaden-dev channel.
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+    - https://github.com/kubewarden/kwctl/blob/main/Cargo.lock
+  sbom:
+    - sbom-file: https://github.com/kubewarden/kwctl/releases/latest/download/kwctl-linux-x86_64-sbom.spdx
+      sbom-format: SPDX
+      sbom-url: https://github.com/anchore/sbom-action
+  dependencies-lifecycle:
+    policy-url: https://github.com/kubewarden/community/blob/main/SECURITY.md#security-patch-policy
+  env-dependencies-policy:
+    policy-url: https://github.com/kubewarden/community/blob/main/SECURITY.md#dependency-policy
diff --git a/SECURITY.md b/SECURITY.md