Add Security MD files an add FOSSA scan badge

Signed-off-by: John Kjell <john@testifysec.com>
in-toto · Jan 6, 2024 · b07cb38 · b07cb38
1 parent ba89120
commit b07cb38
Show file tree

Hide file tree

Showing 5 changed files with 180 additions and 2 deletions.
diff --git a/.clomonitor.yml b/.clomonitor.yml
@@ -0,0 +1,21 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+    reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI)
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Witness maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Witness maintainers and all third-party packages used in the Witness project.
+
+## Policy
+
+Witness maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Witness.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Witness codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Witness, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Witness codebase.
+5. Update the Witness documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Witness maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
-[![OpenSSF
--Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
+[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license)
 
 <p align="center">
   <img src="docs/assets/logo.png" width="250">

diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,81 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+  schema-version: 1.0.0
+  expiration-date: '2024-08-31T10:10:09.000Z'
+  last-updated: '2023-01-05'
+  last-reviewed: '2023-01-05'
+  commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
+  project-url: https://github.com/in-toto/witness
+  project-release: 'v0.2.0'
+  changelog: https://github.com/in-toto/witness/releases/tag/v0.2.0
+  license: https://github.com/in-toto/witness/blob/main/LICENSE
+
+project-lifecycle:
+  status: active
+  roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+  bug-fixes-only: false
+  core-maintainers:
+  - https://github.com/in-toto/witness/MAINTAINERS.md
+  release-cycle: https://github.com/in-toto/witness/releases
+
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  contributing-policy: https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md
+  code-of-conduct: https://github.com/in-toto/witness/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+  - https://witness.dev
+
+distribution-points:
+  - https://github.com/in-toto/witness/releases
+
+security-testing:
+- tool-type: sca
+  tool-name: Dependabot
+  tool-version: 2
+  tool-url: https://github.com/dependabot
+  integration:
+    ad-hoc: false
+    ci: true
+    before-release: false
+
+security-contacts:
+- type: email
+  value: security@testifysec.com
+  primary: true
+
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  email-contact: security@testifysec.com
+  security-policy: https://github.com/in-toto/witness/SECURITY.md
+
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/in-toto/witness/go.mod
+  sbom:
+  - sbom-file: https://foo.bar/sbom
+    sbom-format: CycloneDX
+    sbom-url: https://foo.bar
+  dependencies-lifecycle:
+    policy-url: https://github.com/in-toto/witness/SECURITY.md
+    comment: |
+      All dependencies are subject to the Witness Security Policy.
+  env-dependencies-policy:
+    policy-url: https://github.com/in-toto/witness/DEPENDENCY.md
+    comment: |
+      All dependencies are subject to the Witness Dependency Policy.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/witness/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-witness on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/witness/security/advisories/new
+   * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+   within 3 days. Please bear with us as we seek to understand the breadth
+   and scope of the reported problem, recreate it, and confirm if there is an
+   vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |