From 16e8ebc635782b21820b82d35e4be749e3747025 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Sun, 5 Nov 2023 07:25:50 -0600 Subject: [PATCH 1/3] Updated security documentation and CLOMonitor exemptions Signed-off-by: Eddie Knight --- .clomonitor.yml | 4 ++++ CONTRIBUTING.md | 2 ++ SECURITY-INSIGHTS.yml | 23 +++++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 SECURITY-INSIGHTS.yml diff --git a/.clomonitor.yml b/.clomonitor.yml index 9f1fff8c4..04fe1aadc 100644 --- a/.clomonitor.yml +++ b/.clomonitor.yml @@ -7,6 +7,10 @@ exemptions: reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI) - check: sbom reason: "Tracking Helm dependencies is not yet a stable practice." + - check: self_assessment + reason: "Refer to self assessments supplied by the codebases Argo Helm supports." + - check: signed_releases + reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only." # TODO: # License scanning information diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d67ddefc5..f9861dcba 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -47,6 +47,8 @@ Any breaking changes to a chart (backwards incompatible) require: ### New Application Versions +Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release. + When selecting new application versions ensure you make the following changes: * `values.yaml`: Bump all instances of the container image version diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 000000000..a983c4f1d --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,23 @@ +header: + schema-version: '1.0.0' + expiration-date: '2024-11-04T10:00:00.000Z' + project-url: https://github.com/argoproj/argo-helm +project-lifecycle: + status: active + bug-fixes-only: false + core-maintainers: + - https://github.com/mkilchhofer + - https://github.com/jmeridth +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true +distribution-points: + - https://github.com/argoproj/argo-helm/blob/main/SECURITY.md +vulnerability-reporting: + accepts-vulnerability-reports: true + email-contact: cncf-argo-maintainers@lists.cncf.io + security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md + comment: Please refer to the security policy for reporting information prior to using the email contact. +dependencies: + env-dependencies-policy: + policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions From 131fbc113b967c8db2b31ca11a76aed8138859a9 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 6 Nov 2023 08:06:41 -0600 Subject: [PATCH 2/3] Added license scanning exepmtion Signed-off-by: Eddie Knight --- .clomonitor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.clomonitor.yml b/.clomonitor.yml index 04fe1aadc..c75e8a7b4 100644 --- a/.clomonitor.yml +++ b/.clomonitor.yml @@ -11,6 +11,8 @@ exemptions: reason: "Refer to self assessments supplied by the codebases Argo Helm supports." - check: signed_releases reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only." + - check: license_scanning + reason: "Temporary exemption: pending response from CNCF Service Desk" # TODO: # License scanning information From 0e96232b1c4557e33fb0ac96f3885279f4944742 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 6 Nov 2023 08:11:58 -0600 Subject: [PATCH 3/3] Added best practices badge to README Signed-off-by: Eddie Knight --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b29bb3d13..0c5c67989 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo) [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7942/badge)](https://www.bestpractices.dev/projects/7942) Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command: