# security-insights-sample.yml
header:
  schema-version: 1.0.0
  expiration-date: '2023-08-31T10:10:09.000Z'
  last-updated: '2021-09-01'
  last-reviewed: '2022-09-01'
  commit-hash: 4dbf78ebc006ee5f668c0a74876ef8d6db9485be
  project-url: https://github.com/foo/bar
  project-release: '1.2.0'
  changelog: https://github.com/foo/changelog.md
  license: https://git.foo/license
project-lifecycle:
  status: active
  roadmap: https://foo.bar/roadmap.html
  bug-fixes-only: false
  core-maintainers:
    - github:example
    - joe.bob@email.com
  core-team:
    - name: Alice White
      contact: github:example
    - name: Joe Dohn
      contact: joe.bob@email.com
  release-cycle: https://foo/release
  release-process: |
    Lorem ipsum dolor sit amet, consectetur adipisci elit,
    sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
    Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
    nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
    in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
    sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
    mollit anim id est laborum
contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true
  automated-tools-list:
    - automated-tool: example/security-research
      action: denied
      path:
        - main/foo/bar
        - main/examples
      comment: |
        Lorem ipsum dolor sit amet, consectetur adipisci elit,
        sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
        Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
        nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
        in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
        sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
        mollit anim id est laborum
  contributing-policy: https://example.com/development-policy.html
  code-of-conduct: https://example.com/code-of-conduct.html
documentation:
  - http://foo.bar/wiki
distribution-points:
  - https://example.com/foo
  - pkg:npm/foobar
security-artifacts:
  threat-model:
    threat-model-created: true
    evidence-url:
      - https://foo.com/model.html
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
  self-assessment:
    self-assessment-created: true
    evidence-url:
      - https://foo.com/assessment.html
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
  other-artifacts:
    - artifact-name: example-artifact
      artifact-created: true
      evidence-url:
        - https://foo.com/artifact.html
      comment: |
        Lorem ipsum dolor sit amet, consectetur adipisci elit,
        sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
        Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
        nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
        in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
        sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
        mollit anim id est laborum
security-testing:
  - tool-type: sca
    tool-name: Dependabot
    tool-version: 1.2.3
    tool-url: https://example.org
    tool-rulesets:
      - built-in
    integration:
      ad-hoc: false
      ci: true
      before-release: true
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
security-assessments:
  - auditor-name: third-party auditor
    auditor-url: https://auditor.foo.bar.com
    auditor-report: https://foo.bar/report.pdf
    report-year: 2021
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
security-contacts:
  - type: email
    value: joe.bob@email.com
    primary: true
  - type: email
    value: alice.bob@email.com
    primary: false
vulnerability-reporting:
  accepts-vulnerability-reports: true
  email-contact: security@something.com
  security-policy: https://foo.bar/reporting.html
  bug-bounty-available: true
  bug-bounty-url: https://foo.bar/bugs.html
  in-scope:
    - broken access control
    - other
  out-scope:
    - other
dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/foo/packages.json
  sbom:
    - sbom-file: https://foo.bar/sbom
      sbom-format: CycloneDX
      sbom-url: https://foo.bar
  dependencies-lifecycle:
    policy-url: https://example.org
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
  env-dependencies-policy:
    policy-url: https://example.org
    comment: |
      Lorem ipsum dolor sit amet, consectetur adipisci elit,
      sed do eiusmod tempor incidunt ut labore et dolore magna aliqua.
      Ut enim ad minim veniam, quis nostrum exercitationem ullamco laboriosam,
      nisi ut aliquid ex ea commodi consequatur. Duis aute irure reprehenderit
      in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur
      sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt
      mollit anim id est laborum
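
The sample above is only useful if something on the consuming side actually reads it. The following is an added example, not code from the Security Insights spec or its sample repository: a small consumer-side checker that loads a SECURITY-INSIGHTS.yml with `YAML.safe_load` and reports the conditions a supply-chain intake pipeline would care about: an unsupported `schema-version`, a past `expiration-date`, a stale `last-reviewed`, a malformed `commit-hash`, a missing or duplicated primary security contact, a project that accepts vulnerability reports but lists no channel, and third-party dependencies without a declared SBOM. Ruby is used because its standard library parses YAML with no extra gems. Assumptions: the 365-day review window (`REVIEW_WINDOW_DAYS`) is a local policy choice, not a spec requirement, and the embedded `SAMPLE` is a constructed, trimmed copy of the page's sample limited to the keys the checks read.

```ruby
# Consumer-side sanity checks for a SECURITY-INSIGHTS.yml (schema 1.0.0).
# Added example for this page; not code from the Security Insights spec.
require 'yaml'
require 'date'

SUPPORTED_SCHEMA = '1.0.0'
REVIEW_WINDOW_DAYS = 365 # assumed local policy, not a requirement of the spec

# Constructed input: a trimmed copy of the page's sample, kept to the keys
# the checks below look at. All dates are quoted, as in the sample, so they
# load as strings rather than Date objects (which YAML.safe_load rejects).
SAMPLE = <<~YAML
  header:
    schema-version: 1.0.0
    expiration-date: '2023-08-31T10:10:09.000Z'
    last-updated: '2021-09-01'
    last-reviewed: '2022-09-01'
    commit-hash: 4dbf78ebc006ee5f668c0a74876ef8d6db9485be
    project-url: https://github.com/foo/bar
  security-contacts:
    - type: email
      value: joe.bob@email.com
      primary: true
    - type: email
      value: alice.bob@email.com
      primary: false
  vulnerability-reporting:
    accepts-vulnerability-reports: true
    email-contact: security@something.com
    security-policy: https://foo.bar/reporting.html
  dependencies:
    third-party-packages: true
    sbom:
      - sbom-file: https://foo.bar/sbom
        sbom-format: CycloneDX
YAML

# Parse untrusted YAML without instantiating arbitrary Ruby classes.
def load_insights(text)
  doc = YAML.safe_load(text)
  raise ArgumentError, 'SECURITY-INSIGHTS.yml must be a top-level mapping' unless doc.is_a?(Hash)
  doc
end

# Return a list of human-readable findings; an empty list means the document passed.
# `now` is injectable so the freshness checks are reproducible in tests.
def check_insights(doc, now: Date.today)
  findings = []
  header = doc['header'] || {}

  unless header['schema-version'].to_s == SUPPORTED_SCHEMA
    findings << "unsupported schema-version #{header['schema-version'].inspect}"
  end

  if header['expiration-date']
    # Date.iso8601 accepts a full timestamp and keeps the calendar date,
    # which is enough for a day-granularity expiry check.
    expires = Date.iso8601(header['expiration-date'].to_s)
    findings << "document expired on #{expires}" if expires < now
  else
    findings << 'missing header.expiration-date'
  end

  if header['last-reviewed']
    age_days = (now - Date.iso8601(header['last-reviewed'].to_s)).to_i
    findings << "last-reviewed is #{age_days} days old" if age_days > REVIEW_WINDOW_DAYS
  end

  # commit-hash pins the metadata to a revision; anything but 40 hex chars is suspect.
  unless header['commit-hash'].to_s.match?(/\A\h{40}\z/)
    findings << 'commit-hash is not a 40-character hex SHA-1'
  end

  contacts = doc['security-contacts'] || []
  primaries = contacts.count { |c| c.is_a?(Hash) && c['primary'] == true }
  findings << "expected exactly one primary security contact, found #{primaries}" unless primaries == 1

  reporting = doc['vulnerability-reporting'] || {}
  if reporting['accepts-vulnerability-reports'] == true
    unless reporting['email-contact'] || reporting['security-policy']
      findings << 'accepts reports but lists no email-contact or security-policy'
    end
  else
    findings << 'project does not accept vulnerability reports'
  end

  deps = doc['dependencies'] || {}
  if deps['third-party-packages'] == true && Array(deps['sbom']).empty?
    findings << 'uses third-party packages but declares no sbom'
  end

  findings
end

if $PROGRAM_NAME == __FILE__
  results = check_insights(load_insights(SAMPLE))
  puts(results.empty? ? 'OK: no findings' : results.map { |f| "FINDING: #{f}" })
end
```

Run against the real file with `check_insights(load_insights(File.read('SECURITY-INSIGHTS.yml')))`. Note that the sample's own dates make the result depend on when you run it: with `now` before 2023-08-31 and within a year of `last-reviewed` it passes cleanly, while any later date flags both the expired document and the stale review, which is exactly the signal a consumer should act on rather than trusting metadata whose `expiration-date` has passed.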