[go: up one dir, main page]

Skip to content

Latest commit

 

History

History
 
 

project-resources

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Security resources for projects

This directory is intended to provide CNCF and other open source projects with resources and templates to assist in kick-starting their security practices. The templates, guides, and other documents herein assist projects in completion of the self-assessment as well as a few items in the CII badging process.

We use <!-- TODO: ... --> to indicate where action is required but you won't see those comments when viewing the markdown file in GitHub unless you view the raw text.

A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on.

  • SECURITY.md
    • draft security file that outlines subscribing to security bulletins, how to report issues, and supported versions.
  • SECURITY_CONTACTS.md
    • a draft security contacts file to allow potential issue submitters to know who they can expect to hear from or how to follow up on issues.
  • ISSUE_TEMPLATE.md
    • a draft issue template to remind issue submitters that potential vulnerabilities do not get submitted as issues.
  • incident-response.md
    • a draft, detailed incident response plan that covers how to triage issues, confirm vulnerabilities, leverage security advisories, and push a patch/release.
  • embargo-policy.md
    • a draft embargo policy that outlines the time frame and conditions surrounding disclosures.
  • embargo.md
    • a draft embargo notification that details the contents a notification should contain.

Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. It does not prevent security issues from being found on a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update.

Dependabot Configuration

All public repositories have dependabot graphs and alerts enabled. Projects are encouraged to also enable Dependabot security updates and create a custom configuration for their project.

CNCF project templates

In addition to the security resources provided here, CNCF's TAG Contributor Strategy has put together an initial project template collection with information on getting started.

Updates to this directory

The project-resources directory is intended to be a living directory to include a lot of resources and templates any project or community may find useful as well as making those projects more security aware through simple and easy-to-adopt documentation. Updates, suggestions for updates, or discussions for updates should initiate with an issue and labeled with "suggestion".

Contributing updates

All members of the community and projects are welcome to contribute updates to this directory. We ask potential contributors to refer to the existing content and discussions as guidance when determining the content of their updates.

It is highly recommended that you seek peer review for your updates beyond that of the Technical Leads and Chairs. More information on contributions to this repo may be found in the contributing file.

New templates & updating contribute.cncf.io

The templates within this folder are linked for availability on the contribute.cncf.io site. Should new templates be added to this folder or additional security insights and instructions for maintainers be added, the contribute.cncf.io site should be updated. There are two core areas that updates need to occur:

  • maintainers > github > templates for new templates
  • maintainers > community > project-health for general security guidance on keeping the project secure

To make updates to contribute.cncf.io, please refer to their contributing guide.