diff --git a/.github/workflows/validate-security-insights.yml b/.github/workflows/validate-security-insights.yml
new file mode 100644
index 000000000..6581f265e
--- /dev/null
+++ b/.github/workflows/validate-security-insights.yml
@@ -0,0 +1,23 @@
+name: Validate SECURITY_INSIGHTS.yml
+on:
+ pull_request:
+ paths:
+ - SECURITY_INSIGHTS.yml
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - name: Install CUE
+ uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
+
+ - name: Fetch Security Insights schema
+ run: |
+ mkdir -p /tmp/si-spec
+ curl -sSfL -o /tmp/si-spec/schema.cue \
+ https://raw.githubusercontent.com/ossf/security-insights/v2.2.0/spec/schema.cue
+
+ - name: Validate schema
+ run: cue vet -d '#SecurityInsights' /tmp/si-spec/schema.cue SECURITY_INSIGHTS.yml
diff --git a/SECURITY_INSIGHTS.yml b/SECURITY_INSIGHTS.yml
new file mode 100644
index 000000000..27f596476
--- /dev/null
+++ b/SECURITY_INSIGHTS.yml
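Review bot: The schema that `cue vet` enforces is fetched in the "Fetch Security Insights schema" step from a git tag (`v2.2.0`) over the network with no integrity check, so a moved tag or a compromised upstream silently changes what this gate validates, while the two actions in the same hunk are correctly SHA-pinned. Pin the raw URL to the commit the tag currently resolves to (or vendor the schema into the repository) and verify it after download, e.g. `echo '<expected-sha256>  /tmp/si-spec/schema.cue' | sha256sum -c -`. The workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope; a read-only validation job should state `permissions:` with `contents: read` at the top level. Consider also failing fast with `set -euo pipefail` at the start of the `run: |` block so a partial download cannot be passed on to the validation step.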
@@ -0,0 +1,90 @@
+header:
+ schema-version: 2.2.0
+ last-updated: '2026-02-24'
+ last-reviewed: '2026-02-24'
+ url: https://raw.githubusercontent.com/metal3-io/ironic-image/main/SECURITY_INSIGHTS.yml
+ project-si-source: https://raw.githubusercontent.com/metal3-io/community/main/SECURITY_INSIGHTS.yml
+repository:
+ url: https://github.com/metal3-io/ironic-image
+ status: active
+ accepts-change-request: true
+ accepts-automated-change-request: true
+ core-team:
+ - name: dtantsur
+ primary: false
+ - name: elfosardo
+ primary: true
+ - name: iurygregory
+ primary: false
+ - name: Rozzii
+ primary: false
+ documentation:
+ contributing-guide: https://github.com/metal3-io/ironic-image/blob/main/CONTRIBUTING.md
+ security-policy: https://github.com/metal3-io/.github/blob/main/SECURITY.md
+ governance: https://github.com/metal3-io/community/blob/main/GOVERNANCE.md
+ license:
+ url: https://github.com/metal3-io/ironic-image/blob/main/LICENSE
+ expression: Apache-2.0
+ release:
+ automated-pipeline: true
+ distribution-points:
+ - uri: https://quay.io/repository/metal3-io/ironic
+ comment: Container images with SBOM and cosign signatures.
+ security:
+ assessments:
+ self:
+ name: Metal3 Security Self-Assessment
+ date: '2024-11-19'
+ evidence: https://github.com/metal3-io/metal3-docs/blob/main/security/self-assessment.md
+ comment: Project-wide self-assessment covering all Metal3 components.
+ tools:
+ - name: Renovate
+ type: SCA
+ rulesets: [default]
+ comment: Automated dependency updates for Dockerfile build args and Python packages.
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ results: {}
+ - name: ShellCheck
+ type: SAST
+ rulesets: [default]
+ comment: Shell script linter. Runs in Prow presubmit.
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ results: {}
+ - name: cosign
+ type: other
+ rulesets: [default]
+ comment: |
+ Container images are signed with cosign via the reusable
+ container-image-build workflow in project-infra.
+ integration:
+ adhoc: false
+ ci: false
+ release: true
+ results:
+ release:
+ name: Container image cosign signature
+ location: https://quay.io/repository/metal3-io/ironic
+ predicate-uri: https://github.com/sigstore/cosign
+ comment: Signatures attached to container images in quay.io.
+ - name: kubernetes-sigs/bom
+ type: SCA
+ rulesets: [default]
+ comment: |
+ SBOM generation for container images via the reusable
+ container-image-build workflow in project-infra.
+ integration:
+ adhoc: false
+ ci: false
+ release: true
+ results:
+ release:
+ name: Container image SBOM
+ location: https://quay.io/repository/metal3-io/ironic
+ predicate-uri: https://spdx.dev/Document
+ comment: SPDX SBOMs attached to container images in quay.io.
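Review bot: The cosign entry tells a consumer that images are signed but not how to verify them — `results.release` gives only the registry location, with no signing identity or public key, so `cosign verify` cannot be run from this file alone. If the project-infra workflow signs keyless (not visible here), extend the `comment` with the certificate identity and OIDC issuer a verifier must pass as `--certificate-identity` and `--certificate-oidc-issuer`; if it signs with a key, link the public key. The `predicate-uri` for the signature points at the cosign source repository rather than a predicate-type URI, which is probably not what attestation consumers expect — confirm against the v2.2.0 schema's intent or drop the field for a plain signature. For the SBOM entry, a one-line note on how the SPDX document is retrieved (e.g. via `cosign download sbom` or as an attestation) would make the `location` actionable.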