Merge pull request #13458 from mmorel-35/ossf-security-insight

chore: provide OSSF security insight
2025-03-05 20:59:13 -08:00 · 2024-07-31 11:10:38 +01:00 · 2024-07-31 11:10:38 +01:00 · f9d9b9ddbb
parent d0d41cfebd 2880ee8e46
commit f9d9b9ddbb
2 changed files with 50 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -12,9 +12,10 @@ examples and guides.</p>
 [![Docker Pulls](https://img.shields.io/docker/pulls/prom/prometheus.svg?maxAge=604800)][hub]
 [![Go Report Card](https://goreportcard.com/badge/github.com/prometheus/prometheus)](https://goreportcard.com/report/github.com/prometheus/prometheus)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/486/badge)](https://bestpractices.coreinfrastructure.org/projects/486)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prometheus/prometheus/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prometheus/prometheus)
 [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/prometheus/badge)](https://clomonitor.io/projects/cncf/prometheus)
 [![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/prometheus/prometheus)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/prometheus.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:prometheus)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prometheus/prometheus/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prometheus/prometheus)
 </div>
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@ -0,0 +1,48 @@
 header:
  schema-version: '1.0.0'
  expiration-date: '2025-07-30T01:00:00.000Z'
  last-updated: '2024-07-30'
  last-reviewed: '2024-07-30'
  project-url: https://github.com/prometheus/prometheus
  changelog: https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md
  license: https://github.com/prometheus/prometheus/blob/main/LICENSE
 project-lifecycle:
  status: active
  bug-fixes-only: false
  core-maintainers:
    - https://github.com/prometheus/prometheus/blob/main/MAINTAINERS.md
 contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true
 dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/prometheus/prometheus/blob/main/go.mod
    - https://github.com/prometheus/prometheus/blob/main/web/ui/package.json
  env-dependencies-policy:
    policy-url: https://github.com/prometheus/prometheus/blob/main/CONTRIBUTING.md#dependency-management
 distribution-points:
  - https://github.com/prometheus/prometheus/releases
 documentation:
  - https://prometheus.io/docs/introduction/overview/
 security-contacts:
  - type: email
    value: prometheus-team@googlegroups.com
 security-testing:
  - tool-type: sca
    tool-name: Dependabot
    tool-version: latest
    integration:
      ad-hoc: false
      ci: true
      before-release: true
  - tool-type: sast
    tool-name: CodeQL
    tool-version: latest
    integration:
      ad-hoc: false
      ci: true
      before-release: true
 vulnerability-reporting:
  accepts-vulnerability-reports: true
  security-policy: https://github.com/prometheus/prometheus/security/policy