Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📖 Update security policy to be specific to OpenSSF Scorecard #4212

Merged
merged 5 commits into from
Jul 3, 2024

Conversation

justaugustus
Copy link
Member

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

The current security policy was last updated three years and appears to be boilerplate from Google open source projects.

What is the new behavior (if this is a feature change)?**

This updated security policy is specific to the OpenSSF Scorecard project and considers:

Which issue(s) this PR fixes

Partially addresses #4194.

Special notes for your reviewer

Tagging a few different groups for review here, as the new standard for OpenSSF Scorecard subproject security policies should be something along the lines of:

This project adheres to the OpenSSF Scorecard security policy.

(to minimize drift across the project)

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

@justaugustus justaugustus requested review from a team, naveensrinivasan and raghavkaul and removed request for a team July 3, 2024 20:02
@justaugustus justaugustus marked this pull request as ready for review July 3, 2024 20:03
@justaugustus justaugustus temporarily deployed to integration-test July 3, 2024 20:03 — with GitHub Actions Inactive
Copy link

codecov bot commented Jul 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.89%. Comparing base (da0f2b4) to head (211c2c0).
Report is 17 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4212      +/-   ##
==========================================
+ Coverage   60.17%   61.89%   +1.71%     
==========================================
  Files         212      212              
  Lines       15556    15552       -4     
==========================================
+ Hits         9361     9626     +265     
+ Misses       5492     5206     -286     
- Partials      703      720      +17     

@jeffmendoza
Copy link
Member

Taking a look at "the inherited SECURITY.md from ossf/.github" Should we also mention either:

?

Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to Jeff's suggestion on fallback mention.

I'm otherwise happy with the content, but will leave for others to review

SECURITY.md Outdated Show resolved Hide resolved
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
@spencerschrock
Copy link
Member

Tagging a few different groups for review here, as the new standard for OpenSSF Scorecard subproject security policies should be something along the lines of:

This project adheres to the OpenSSF Scorecard security policy.

(to minimize drift across the project)

Ironically this may cause subprojects to only score a 9/10 for Security-Policy based on the last point being awarded for certain terms. (Personally I find that scoring a little too picky but that's how it is currently)

@justaugustus justaugustus temporarily deployed to integration-test July 3, 2024 20:36 — with GitHub Actions Inactive
@justaugustus
Copy link
Member Author

Taking a look at "the inherited SECURITY.md from ossf/.github" Should we also mention either:

* [[email protected]](mailto:[email protected]) is a fallback

* This policy adheres to the overall policy at https://www.linuxfoundation.org/security

?

I was thinking the same, but initially decided to leave it out, as I think we should have our own list for this eventually.
That said, it makes to have it here at this stage and I've added that note in 1a8adee.

@justaugustus justaugustus enabled auto-merge (squash) July 3, 2024 20:50
@justaugustus
Copy link
Member Author

Ironically this may cause subprojects to only score a 9/10 for Security-Policy based on the last point being awarded for certain terms. (Personally I find that scoring a little too picky but that's how it is currently)

@spencerschrock — Good call-out! I've opened #4215 so we don't lose that thread.

@justaugustus justaugustus merged commit 3f38548 into ossf:main Jul 3, 2024
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

3 participants