[Devtools] Add Security Insights for CNCF #1236

Open: wants to merge 2 commits into main

Conversation

@Jdubrick Jdubrick commented Mar 1, 2024

What does this PR do?

This PR adds the SECURITY-INSIGHTS.yml file that is required as part of devfile/api#1396. This is due to an effort to increase our score on the CLOMonitor where we are actively trying to improve our repositories and adhere to open source best practices. The addition of this file will provide the monitor with valuable information such as current release, licensing, repo activity status, current maintainers, contributing policy and dependencies.

What issues does this PR fix or reference?

fixes devfile/api#1396

Is it tested? How?

No testing required; the file does not alter the way the project works.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Signed-off-by: Jordan Dubrick <jdubrick@redhat.com>

openshift-ci bot commented Mar 1, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Jdubrick
Once this PR has been reviewed and has the lgtm label, please assign aobuchow for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AObuchow (Collaborator) left a comment

@Jdubrick Thank you for the PR :) I added some comments for clarification on certain details.

Is there a link to the schema for SECURITY-INSIGHTS.yml that I should consult?

AObuchow commented on SECURITY-INSIGHTS.yml:

    last-reviewed: '2024-03-01'
    expiration-date: '2025-03-01T10:00:00.000Z'
    project-url: https://github.com/devfile/devworkspace-operator
    project-release: '0.26.0'

I assume this needs to be updated at every release of DWO?

AObuchow commented on SECURITY-INSIGHTS.yml:

    expiration-date: '2025-03-01T10:00:00.000Z'
    project-url: https://github.com/devfile/devworkspace-operator
    project-release: '0.26.0'
    commit-hash: '067847d900c18a3fe0d47de920a9ce77af29e722'

Is this commit hash supposed to relate to the released version (i.e. 0.26.0) or the latest commit on the main branch?

AObuchow commented on SECURITY-INSIGHTS.yml:

    core-maintainers:
    - github:AObuchow
    - github:dkwon17
    release-cycle: https://github.com/devfile/devworkspace-operator/blob/main/docs/release/README.md

Not entirely sure if this field is supposed to point to the release documentation or the release cadence? We usually release DWO upstream in advance of an Eclipse Che release, as Eclipse Che depends on DWO.

Signed-off-by: Jordan Dubrick <jdubrick@redhat.com>
Jdubrick commented Mar 1, 2024

@Jdubrick Thank you for the PR :) I added some comments for clarification on certain details.
Is there a link to the schema for SECURITY-INSIGHTS.yml that I should consult?

Hey Andrew that is my fault, I forgot to include the link in my description. You can find it here: https://github.com/ossf/security-insights-spec/blob/main/specification.md

To answer your comments:

  1. project-release is just the release number that the SECURITY-INSIGHTS.yml file is confirmed to cover; I believe you can release and not update the insights, but then it would technically be 'outdated'.
  2. commit-hash is the last commit that the SECURITY-INSIGHTS.yml file covers.
  3. Yes, that is correct; it should point to the cycle. Is there a better link that I should place there?

As we are currently working through this to add the insight file to Devfile repos, can we place this PR on hold until it is fully hashed out? Noticing issues related to certain fields in one of our other repos.

cc @AObuchow
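The three fields the review asks about (project-release, commit-hash and expiration-date) are exactly the ones that silently go stale when a release ships and nobody touches the insights file. As an added example, not code from the devworkspace-operator project or from the OSSF security-insights spec, here is a stdlib-only Python check that a release pipeline could run: it parses the fields quoted in the review (constructed here as a flat snippet; the real spec nests them under sections, so a real file needs a YAML library such as PyYAML) and reports when the file has expired or no longer matches the current release tag and commit. The current release tag and release commit are assumed inputs supplied by the pipeline.

```python
"""Staleness checks for the fields of a SECURITY-INSIGHTS.yml file.

Added example; not code from the devworkspace-operator project or the OSSF
security-insights spec. The sample below is constructed from the field names
quoted in the review and kept flat; a real file nests them under sections,
so use a YAML library (e.g. PyYAML) there instead of the tiny parser here.
"""
import re
from datetime import date, datetime

# Constructed sample using the values quoted in the review thread.
SAMPLE_INSIGHTS = """\
last-reviewed: '2024-03-01'
expiration-date: '2025-03-01T10:00:00.000Z'
project-url: https://github.com/devfile/devworkspace-operator
project-release: '0.26.0'
commit-hash: '067847d900c18a3fe0d47de920a9ce77af29e722'
core-maintainers:
- github:AObuchow
- github:dkwon17
release-cycle: https://github.com/devfile/devworkspace-operator/blob/main/docs/release/README.md
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_flat_yaml(text):
    """Parse 'key: value' lines and '- item' lists; no nesting, no YAML types."""
    doc = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current_list is not None:
            current_list.append(line[2:].strip().strip("'\""))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        value = value.strip().strip("'\"")
        if value == "":
            # A key with no value starts a list (e.g. core-maintainers:).
            current_list = doc[key.strip()] = []
        else:
            doc[key.strip()] = value
            current_list = None
    return doc


def check_insights(doc, today, current_release, release_commit=None):
    """Return (code, message) findings; an empty list means the file is current.

    today: ISO date string (or datetime.date) the check runs on.
    current_release / release_commit: tag and commit of the latest release,
    assumed to be supplied by the release pipeline.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []

    # expiration-date: the file must be re-reviewed before this passes.
    expires = datetime.strptime(doc["expiration-date"], "%Y-%m-%dT%H:%M:%S.%fZ")
    if today > expires.date():
        findings.append(("expired", f"expiration-date {doc['expiration-date']} has passed"))
    if date.fromisoformat(doc["last-reviewed"]) > today:
        findings.append(("future-review", "last-reviewed lies in the future"))

    # commit-hash: the last commit the file covers, so it should be the
    # release commit when project-release names that release.
    commit = doc["commit-hash"]
    if not FULL_SHA.match(commit):
        findings.append(("bad-commit-hash", f"commit-hash {commit!r} is not a 40-hex SHA"))
    elif release_commit and commit != release_commit:
        findings.append(("commit-mismatch",
                         f"commit-hash {commit[:12]} is not release commit {release_commit[:12]}"))

    # project-release: if a newer release shipped, the insights are outdated.
    if doc["project-release"] != current_release:
        findings.append(("release-mismatch",
                         f"project-release {doc['project-release']} != {current_release}"))

    for maintainer in doc.get("core-maintainers", []):
        if not maintainer.startswith("github:"):
            findings.append(("bad-maintainer", f"{maintainer!r} lacks the github: prefix"))
    return findings


if __name__ == "__main__":
    parsed = parse_flat_yaml(SAMPLE_INSIGHTS)
    for code, msg in check_insights(parsed, "2025-03-02", "0.27.0"):
        print(f"{code}: {msg}")
```

Run as a CI step after tagging, the check fails the build when the file still names the previous release, when commit-hash is not the tagged commit, or when expiration-date has passed, which is the practical answer to "does this need updating at every release": it does, and the pipeline can enforce it rather than relying on memory.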

Development: successfully merging this pull request may close these issues: CNCF Defender Tasks for devworkspace-operator

2 participants