Add security policy #12194
Merged
Add security policy #12194
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
commented
Oct 8, 2024
SECURITY.md
Outdated
Comment on lines
38
to
43
| ## Supported Versions | ||
|
|
||
| This project docs not provide long-term supported versions, and only the current | ||
| release and `main` branch are actively maintained. Docker Compose v1, and the | ||
| corresponding [v1 branch](https://github.com/docker/compose/tree/v1) reached | ||
| EOL and are no longer supported. |
There was a problem hiding this comment.
The OpenSSF scorecard scans for some keywords, such as supported releases; I tried to capture what I think is supported.
Add a security policy to inform users where to report security issues, and to make the OpenSSF scorecard slightly happier; https://securityscorecards.dev/viewer/?uri=github.com/docker/compose Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
add_security
branch
from
aa7c8a6 to
d223b0d
Compare
glours
approved these changes
Oct 9, 2024
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Nov 21, 2024
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/compose](https://github.com/docker/compose) | minor | `v2.29.7` -> `v2.30.3` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>docker/compose (docker/compose)</summary> ### [`v2.30.3`](https://github.com/docker/compose/releases/tag/v2.30.3) [Compare Source](docker/compose@v2.30.2...v2.30.3) #### What's Changed ##### 🐛 Fixes - Avoid starting all services on rebuild by [@​jhrotko](https://github.com/jhrotko) [(12258)](docker/compose#12258) ##### ⚙️ Dependencies - Bump compose-go v2.4.4 by [@​glours](https://github.com/glours) [(12274)](docker/compose#12274) **Full Changelog**: docker/compose@v2.30.2...v2.30.3 ### [`v2.30.2`](https://github.com/docker/compose/releases/tag/v2.30.2) [Compare Source](docker/compose@v2.30.1...v2.30.2) #### What's Changed ##### 🐛 Fixes - Service being declared in a profile must not trigger re-creation by [@​ndeloof](https://github.com/ndeloof) in [(12265)](docker/compose#12265) - Remove ArtifactType from Config in OCI v1.1 definition of the artifact by [@​glours](https://github.com/glours) [(12266)](docker/compose#12266) ##### 🔧 Internal - Add Joana Hrotko to Maintainers by [@​laurazard](https://github.com/laurazard) [(12253)](docker/compose#12253) - Add profile e2e test case to document in compose by [@​jhrotko](https://github.com/jhrotko) [(12252)](docker/compose#12252) ##### ⚙️ Dependencies - Bump `compose-go` to version `v2.4.3` by [@​glours](https://github.com/glours) in docker/compose#12261 **Full Changelog**: docker/compose@v2.30.1...v2.30.2 ### [`v2.30.1`](https://github.com/docker/compose/releases/tag/v2.30.1) [Compare Source](docker/compose@v2.30.0...v2.30.1) #### What's Changed ##### 🐛 Fixes Fix regression when using stdin as input of `-f` flag [(12248)](docker/compose#12248) Fix regression when using multiple time the same YAML anchor in a Compose file [(12247)](docker/compose#12247) ##### ⚙️ Dependencies - bump compose-go to version v2.4.2 by [@​glours](https://github.com/glours) in docker/compose#12249 **Full Changelog**: docker/compose@v2.30.0...v2.30.1 ### [`v2.30.0`](https://github.com/docker/compose/releases/tag/v2.30.0) [Compare Source](docker/compose@v2.29.7...v2.30.0) #### What's Changed ##### ✨ Improvements - Introduce service hooks by [@​ndeloof](https://github.com/ndeloof) [(12166)](docker/compose#12166) - Introduce generate command as alpha command by [@​glours](https://github.com/glours) [(12209)](docker/compose#12209) - Add export command by [@​jarqvi](https://github.com/jarqvi) [(12120)](docker/compose#12120) - Add support for CDI device request using `devices` by [@​ndeloof](https://github.com/ndeloof) [(12184)](docker/compose#12184) - Add support for bind recursive by [@​ndeloof](https://github.com/ndeloof) [(12210)](docker/compose#12210) - Allow usage of `-f` flag with OCI Compose artifacts by [@​glours](https://github.com/glours) [(12220)](docker/compose#12220) ##### 🐛 Fixes - Append unix-style relative path when computing container target path by [@​ndeloof](https://github.com/ndeloof) [(12145)](docker/compose#12145) - Wait for dependent service up to delay set by --wait-timeout by [@​ndeloof](https://github.com/ndeloof) [(12156)](docker/compose#12156) - Check secret source exists, as bind mount would create target by [@​ndeloof](https://github.com/ndeloof) [(12151)](docker/compose#12151) - After container restart register printer consumer by [@​jhrotko](https://github.com/jhrotko) [(12158)](docker/compose#12158) - Fix(down): Fix down command if specified services are not running by [@​idsulik](https://github.com/idsulik) [(12164)](docker/compose#12164) - Show watch error message and open DD only when w is pressed by [@​jhrotko](https://github.com/jhrotko) [(12165)](docker/compose#12165) - Fix(push): Fix unexpected EOF on alpha publish by [@​idsulik](https://github.com/idsulik) [(12169)](docker/compose#12169) - Fix(convergence): Serialize access to observed state by [@​anantadwi13](https://github.com/anantadwi13) [(12150)](docker/compose#12150) - Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by [@​jhrotko](https://github.com/jhrotko) [(12192)](docker/compose#12192) - Support Dockerfile-specific ignore-file with watch by [@​ndeloof](https://github.com/ndeloof) [(12193)](docker/compose#12193) - Add support for raw env_file format by [@​ndeloof](https://github.com/ndeloof) [(12179)](docker/compose#12179) - Convert GPUs to DeviceRequests with implicit "gpu" capability by [@​ndeloof](https://github.com/ndeloof) [(12197)](docker/compose#12197) - Improve error message to include expected network label by [@​divinity76](https://github.com/divinity76) [(12213)](docker/compose#12213) - Don't use progress to render restart, which hides logs by [@​ndeloof](https://github.com/ndeloof) [(12226)](docker/compose#12226) - One-off containers are not indexed, and must be ignored by `exec --index` command by [@​ndeloof](https://github.com/ndeloof) [(12224)](docker/compose#12224) - Don't warn about uid/gid not being supported while ... they are by [@​ndeloof](https://github.com/ndeloof) [(12232)](docker/compose#12232) - Connect to external networks by name by [@​ndeloof](https://github.com/ndeloof) [(12234)](docker/compose#12234) - Fix push error message typo by [@​chris-crone](https://github.com/chris-crone) [(12237)](docker/compose#12237) - Fix(dockerignore): Add wildcard support to dockerignore.go by [@​idsulik](https://github.com/idsulik) [(12239)](docker/compose#12239) ##### 🔧 Internal - Remove bind options when creating a volume type by [@​jhrotko](https://github.com/jhrotko) [(12177)](docker/compose#12177) - pass device.options to engine by [@​ndeloof](https://github.com/ndeloof) [(12183)](docker/compose#12183) - Add security policy by [@​thaJeztah](https://github.com/thaJeztah) [(12194)](docker/compose#12194) - Gha: set default permissions to "contents: read" by [@​thaJeztah](https://github.com/thaJeztah) [(12195)](docker/compose#12195) - Desktop: allow this client to be identified via user-agent by [@​djs55](https://github.com/djs55) [(12212)](docker/compose#12212) - Compose-go clean volume target to avoid ambiguous comparisons by [@​ndeloof](https://github.com/ndeloof) [(12208)](docker/compose#12208) ##### ⚙️ Dependencies - Bump docker `v27.3.1` by [@​ndeloof](https://github.com/ndeloof) [(12178)](docker/compose#12178) - Build(deps): bump `golang.org/x/sys` from `0.25.0` to `0.26.0` by [@​dependabot](https://github.com/dependabot) [(12189)](docker/compose#12189) - Bump `compose-go` to `v2.3.0` by [@​glours](https://github.com/glours) [(12198)](docker/compose#12198) - Bump `compose-go` to `v2.4.0` by [@​glours](https://github.com/glours) [(12231)](docker/compose#12231) - Bump `compose-go` to `v2.4.1` by [@​glours](https://github.com/glours) [(12243)](docker/compose#12242) - Build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 by [@​dependabot](https://github.com/dependabot) [(12211)](docker/compose#12211) - Bump golang minimal version to `1.22` in go.mod by [@​glours](https://github.com/glours) [(12246)](docker/compose#12246) - Bump `go.uber.org/mock` to `v0.5.0` and `google.golang.org/grpc` to `v1.67.1` by [@​glours](https://github.com/glours) [(12245)](docker/compose#12245) #### New Contributors - [@​anantadwi13](https://github.com/anantadwi13) made their first contribution in docker/compose#12150 - [@​jarqvi](https://github.com/jarqvi) made their first contribution in docker/compose#12120 - [@​djs55](https://github.com/djs55) made their first contribution in docker/compose#12212 - [@​divinity76](https://github.com/divinity76) made their first contribution in docker/compose#12213 **Full Changelog**: docker/compose@v2.29.7...v2.30.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a security policy to inform users where to report security issues, and to make the OpenSSF scorecard slightly happier; https://securityscorecards.dev/viewer/?uri=github.com/docker/compose
What I did
Related issue
(not mandatory) A picture of a cute animal, if possible in relation to what you did