-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Devtools] Add Security Insights for CNCF #1236
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Jordan Dubrick <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Jdubrick The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Jdubrick Thank you for the PR :) I added some comments for clarification on certain details.
Is there a link to the schema for SECURITY-INSIGHTS.yml
that I should consult?
last-reviewed: '2024-03-01' | ||
expiration-date: '2025-03-01T10:00:00.000Z' | ||
project-url: https://github.com/devfile/devworkspace-operator | ||
project-release: '0.26.0' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume this needs to be updated at every release of DWO?
expiration-date: '2025-03-01T10:00:00.000Z' | ||
project-url: https://github.com/devfile/devworkspace-operator | ||
project-release: '0.26.0' | ||
commit-hash: '067847d900c18a3fe0d47de920a9ce77af29e722' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this commit hash supposed to relate to the released version (i.e. 0.26.0) or the latest commit on the main branch?
core-maintainers: | ||
- github:AObuchow | ||
- github:dkwon17 | ||
release-cycle: https://github.com/devfile/devworkspace-operator/blob/main/docs/release/README.md |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not entirely sure if this field is supposed to point to the release documentation or the release cadence? We usually release DWO upstream in advance of an Eclipse Che release, as Eclipse Che depends on DWO.
Signed-off-by: Jordan Dubrick <[email protected]>
Hey Andrew that is my fault, I forgot to include the link in my description. You can find it here: https://github.com/ossf/security-insights-spec/blob/main/specification.md To answer your comments:
|
As we are currently working through this to add the insight file to Devfile repos can we place this PR on hold until it is fully hashed out? Noticing issues related to certain fields in one of our other repos. cc @AObuchow |
What does this PR do?
This PR adds the
SECURITY-INSIGHTS.yml
file that is required as part of devfile/api#1396. This is due to an effort to increase our score on the CLOMonitor where we are actively trying to improve our repositories and adhere to open source best practices. The addition of this file will provide the monitor with valuable information such as current release, licensing, repo activity status, current maintainers, contributing policy and dependencies.What issues does this PR fix or reference?
fixes devfile/api#1396
Is it tested? How?
No testing required the file does not alter the way the project works.
PR Checklist
/test v8-devworkspace-operator-e2e, v8-che-happy-path
to trigger)v8-devworkspace-operator-e2e
: DevWorkspace e2e testv8-che-happy-path
: Happy path for verification integration with Che