Merge pull request #557 from Nordix/tuomo/add-security-insights

metal3-io-bot · web-flow · commit 59b46762da7f · 2026-02-25T19:31:27.000+02:00
🌱 add SECURITY_INSIGHTS.yml
diff --git a/.github/workflows/validate-security-insights.yml b/.github/workflows/validate-security-insights.yml
@@ -0,0 +1,23 @@
+name: Validate SECURITY_INSIGHTS.yml
+on:
+  pull_request:
+    paths:
+    - SECURITY_INSIGHTS.yml
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+    - name: Install CUE
+      uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
+
+    - name: Fetch Security Insights schema
+      run: |
+        mkdir -p /tmp/si-spec
+        curl -sSfL -o /tmp/si-spec/schema.cue \
+          https://raw.githubusercontent.com/ossf/security-insights/v2.2.0/spec/schema.cue
+
+    - name: Validate schema
+      run: cue vet -d '#SecurityInsights' /tmp/si-spec/schema.cue SECURITY_INSIGHTS.yml
diff --git a/SECURITY_INSIGHTS.yml b/SECURITY_INSIGHTS.yml
@@ -0,0 +1,122 @@
+header:
+  schema-version: 2.2.0
+  last-updated: '2026-02-24'
+  last-reviewed: '2026-02-24'
+  url: https://raw.githubusercontent.com/metal3-io/ironic-standalone-operator/main/SECURITY_INSIGHTS.yml
+  project-si-source: https://raw.githubusercontent.com/metal3-io/community/main/SECURITY_INSIGHTS.yml
+repository:
+  url: https://github.com/metal3-io/ironic-standalone-operator
+  status: active
+  accepts-change-request: true
+  accepts-automated-change-request: true
+  core-team:
+  - name: dtantsur
+    primary: true
+  - name: elfosardo
+    primary: false
+  - name: lentzi90
+    primary: false
+  - name: Rozzii
+    primary: false
+  - name: tuminoid
+    primary: false
+  documentation:
+    contributing-guide: https://github.com/metal3-io/ironic-standalone-operator/blob/main/CONTRIBUTING.md
+    security-policy: https://github.com/metal3-io/.github/blob/main/SECURITY.md
+    governance: https://github.com/metal3-io/community/blob/main/GOVERNANCE.md
+  license:
+    url: https://github.com/metal3-io/ironic-standalone-operator/blob/main/LICENSE
+    expression: Apache-2.0
+  release:
+    automated-pipeline: true
+    distribution-points:
+    - uri: https://github.com/metal3-io/ironic-standalone-operator/releases
+      comment: GitHub Releases with signed container image references.
+    - uri: https://quay.io/repository/metal3-io/ironic-standalone-operator
+      comment: Container images with SBOM and cosign signatures.
+  security:
+    assessments:
+      self:
+        name: Metal3 Security Self-Assessment
+        date: '2024-11-19'
+        evidence: https://github.com/metal3-io/metal3-docs/blob/main/security/self-assessment.md
+        comment: Project-wide self-assessment covering all Metal3 components.
+    tools:
+    - name: golangci-lint
+      type: SAST
+      rulesets: [default]
+      comment: Go static analysis. Runs in GitHub Actions and Prow presubmit.
+      integration:
+        adhoc: false
+        ci: true
+        release: false
+      results: {}
+    - name: Dependabot
+      type: SCA
+      rulesets: [default]
+      comment: |
+        Monitors github-actions and gomod dependencies for known
+        vulnerabilities and outdated versions.
+      integration:
+        adhoc: false
+        ci: true
+        release: false
+      results: {}
+    - name: OSV-Scanner
+      type: SCA
+      rulesets: [default]
+      comment: |
+        Runs via Jenkins (osv_scanner_metal3) on main, last 2 release
+        branches, and latest tags. Also runs locally via
+        hack/verify-release.sh during the release process.
+      integration:
+        adhoc: true
+        ci: false
+        release: true
+      results:
+        adhoc:
+          name: OSV-Scanner periodic scan
+          location: https://jenkins.nordix.org/view/Metal3%20Periodic/
+          predicate-uri: https://github.com/google/osv-scanner
+          comment: Periodic Jenkins job scanning for known vulnerabilities.
+    - name: ShellCheck
+      type: SAST
+      rulesets: [default]
+      comment: Shell script linter. Runs in Prow presubmit.
+      integration:
+        adhoc: false
+        ci: true
+        release: false
+      results: {}
+    - name: cosign
+      type: other
+      rulesets: [default]
+      comment: |
+        Container images are signed with cosign via the reusable
+        container-image-build workflow in project-infra.
+      integration:
+        adhoc: false
+        ci: false
+        release: true
+      results:
+        release:
+          name: Container image cosign signature
+          location: https://quay.io/repository/metal3-io/ironic-standalone-operator
+          predicate-uri: https://github.com/sigstore/cosign
+          comment: Signatures attached to container images in quay.io.
+    - name: kubernetes-sigs/bom
+      type: SCA
+      rulesets: [default]
+      comment: |
+        SBOM generation for container images via the reusable
+        container-image-build workflow in project-infra.
+      integration:
+        adhoc: false
+        ci: false
+        release: true
+      results:
+        release:
+          name: Container image SBOM
+          location: https://quay.io/repository/metal3-io/ironic-standalone-operator
+          predicate-uri: https://spdx.dev/Document
+          comment: SPDX SBOMs attached to container images in quay.io.
