diff --git a/.clomonitor.yml b/.clomonitor.yml index 9f1fff8c4..c75e8a7b4 100644 --- a/.clomonitor.yml +++ b/.clomonitor.yml @@ -7,6 +7,12 @@ exemptions: reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI) - check: sbom reason: "Tracking Helm dependencies is not yet a stable practice." + - check: self_assessment + reason: "Refer to self assessments supplied by the codebases Argo Helm supports." + - check: signed_releases + reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only." + - check: license_scanning + reason: "Temporary exemption: pending response from CNCF Service Desk" # TODO: # License scanning information diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d67ddefc5..f9861dcba 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -47,6 +47,8 @@ Any breaking changes to a chart (backwards incompatible) require: ### New Application Versions +Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release. + When selecting new application versions ensure you make the following changes: * `values.yaml`: Bump all instances of the container image version diff --git a/README.md b/README.md index b29bb3d13..0c5c67989 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo) [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7942/badge)](https://www.bestpractices.dev/projects/7942) Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command: diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 000000000..a983c4f1d --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,23 @@ +header: + schema-version: '1.0.0' + expiration-date: '2024-11-04T10:00:00.000Z' + project-url: https://github.com/argoproj/argo-helm +project-lifecycle: + status: active + bug-fixes-only: false + core-maintainers: + - https://github.com/mkilchhofer + - https://github.com/jmeridth +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true +distribution-points: + - https://github.com/argoproj/argo-helm/blob/main/SECURITY.md +vulnerability-reporting: + accepts-vulnerability-reports: true + email-contact: cncf-argo-maintainers@lists.cncf.io + security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md + comment: Please refer to the security policy for reporting information prior to using the email contact. +dependencies: + env-dependencies-policy: + policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions