Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: change company #878

Merged
merged 5 commits into from
Nov 1, 2023
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
docs(repo): add dependency policy
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
  • Loading branch information
oliverbaehler committed Oct 28, 2023

Partially verified

This commit is signed with the committer’s verified signature.
ruyadorno’s contribution has been verified via GPG key.
We cannot verify signatures from co-authors, and some of the co-authors attributed to this commit require their commits to be signed.
commit 3ad437ee2e2aa5b88c1fb130913c4c9d6f781798
47 changes: 47 additions & 0 deletions DEPENDENCY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Environment Dependencies Policy

## Purpose

This policy describes how Capsule maintainers consume third-party packages.

## Scope

This policy applies to all Capsule maintainers and all third-party packages used in the Capsule project.

## Policy

Capsule maintainers must follow these guidelines when consuming third-party packages:

- Only use third-party packages that are necessary for the functionality of Capsule.
- Use the latest version of all third-party packages whenever possible.
- Avoid using third-party packages that are known to have security vulnerabilities.
- Pin all third-party packages to specific versions in the Capsule codebase.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
- Dependencies must pass all automated tests before being merged into the Capsule codebase.

## Procedure

When adding a new third-party package to Capsule, maintainers must follow these steps:

1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Capsule codebase.
5. Update the Capsule documentation to reflect the new dependency.

## Archive/Deprecation

When a third-party package is discontinued, the Capsule maintainers must fensure to replace the package with a suitable alternative.

## Enforcement

This policy is enforced by the Capsule maintainers.
Maintainers are expected to review each other's code changes to ensure that they comply with this policy.

## Exceptions

Exceptions to this policy may be granted by the Capsule project lead on a case-by-case basis.

## Credits

This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
2 changes: 2 additions & 0 deletions SECURITY-INSIGHTS.yml
Original file line number Diff line number Diff line change
@@ -42,6 +42,8 @@ dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/projectcapsule/capsule/blob/main/go.mod
env-dependencies-policy:
policy-url: https://github.com/projectcapsule/capsule/blob/main/DEPENDENCY.md
sbom:
- sbom-file: https://github.com/projectcapsule/capsule/pkgs/container/sbom
sbom-format: CycloneDX