Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(github): Updated security documentation and CLOMonitor exemptions #2333

Merged
merged 4 commits into from
Nov 6, 2023
Merged

chore(github): Updated security documentation and CLOMonitor exemptions #2333

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
16e8ebc
Updated security documentation and CLOMonitor exemptions
eddie-knight Nov 5, 2023
131fbc1
Added license scanning exepmtion
eddie-knight Nov 6, 2023
0e96232
Added best practices badge to README
eddie-knight Nov 6, 2023
b51aa2e
Merge branch 'main' into sec-docs
jmeridth Nov 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .clomonitor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ exemptions:
reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
- check: sbom
reason: "Tracking Helm dependencies is not yet a stable practice."
- check: self_assessment
reason: "Refer to self assessments supplied by the codebases Argo Helm supports."
- check: signed_releases
reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only."

# TODO:
# License scanning information
Expand Down
2 changes: 2 additions & 0 deletions CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ Any breaking changes to a chart (backwards incompatible) require:

### New Application Versions

Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release.

When selecting new application versions ensure you make the following changes:

* `values.yaml`: Bump all instances of the container image version
Expand Down
23 changes: 23 additions & 0 deletions SECURITY-INSIGHTS.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
header:
schema-version: '1.0.0'
expiration-date: '2024-11-04T10:00:00.000Z'
project-url: https://github.com/argoproj/argo-helm
project-lifecycle:
status: active
bug-fixes-only: false
core-maintainers:
- https://github.com/mkilchhofer
- https://github.com/jmeridth
contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
distribution-points:
- https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
vulnerability-reporting:
accepts-vulnerability-reports: true
email-contact: cncf-argo-maintainers@lists.cncf.io
security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
comment: Please refer to the security policy for reporting information prior to using the email contact.
dependencies:
env-dependencies-policy:
policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions