Adding security-insights.yml starter template #6
Open
wants to merge 2 commits into
base: main
64 changes: 64 additions & 0 deletions security-insights.yml
@@ -0,0 +1,64 @@
# https://openssf.org/projects/security-insights-spec/
#
# This specification provides a mechanism for projects to report information about
# their security in a machine-processable way. It is formatted as a YAML file to
# make it easy to read and edit by humans.

# The data tracked within this specification is intended to fill the gaps between
# simplified solutions such as SECURITY.md and comprehensive automatable solutions
# such as SBOMs. In that gap lay elements that must be self-reported by projects
# to allow end-users to make informed security decisions.

# See https://github.com/ossf/security-insights-spec/blob/v2.0.0/specification/header.md
header:
schema-version: 2.0.0
last-updated: '2021-09-01' #TODO: update with last updated
last-reviewed: '2022-09-01' #TODO: update with last reviewed
url: https://foo.bar/foo/bar #TODO: update with your project URL
comment: |
This file contains the minimum information for both project and repository.
It not required to include both a project and repository section if the project
section is intended to be inherited by repositories via header.project-si-source

# See https://github.com/ossf/security-insights-spec/blob/v2.0.0/specification/project.md
project:
name: FooBar #TODO: update with your project name
administrators: #TODO: update with your project administrators
- name: Joe Dohn
affiliation: Foo
email: [email protected]
social: https://bsky.com/joebob
primary: true
repositories: #TODO: update with your project repositories
- name: Foo
url: https://my.vcs/foobar/foo
comment: |
Foo is the core repo for FooBar.
vulnerability-reporting: #TODO: update with your project vulnerability reporting details
reports-accepted: true
bug-bounty-available: true
security-policy: https://github.com/foo/bar?tab=security-ov-file #TODO: update with your project security policy URL

# See https://github.com/ossf/security-insights-spec/blob/v2.0.0/specification/repository.md
repository: #TODO: update with your repository details
url: https://my.vcs/foobar/foo
status: active
accepts-change-request: true
accepts-automated-change-request: true
core-team:
- name: Alice White
affiliation: Foo Bar
email: [email protected]
social: https://bsky.com/alicewhite
primary: true
documentation:
dependency-management-policy: https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software
license:
url: https://github.com/foo/bar/blob/main/LICENSE #TODO: update with your repository license URL
expression: Apache-2.0
security:
assessments:
self:
comment: |
Self assessment has not yet been completed.
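Review bot: `dependency-management-policy` is the one field in this template that is filled with a real-looking value (`https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software`) without a `#TODO` marker, unlike every other project-specific field around it, so adopters are likely to ship it unchanged and publish a generic evaluation guide as if it were their repository's own policy; mark it `#TODO: update with your dependency management policy URL` like the neighbouring fields. Two smaller points in the same file: the header comment reads `It not required to include both a project and repository section` (should be `It is not required`), and the placeholder dates give `last-updated: '2021-09-01'` an earlier date than `last-reviewed: '2022-09-01'`, which is an odd combination for a starter template since a review normally follows the latest update; consider making both the same placeholder date or an obviously fake one so consumers of the file do not mistake them for real values.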