chore: provide OSSF security-insight

Signed-off-by: Matthieu MOREL <[email protected]>
etcd-io · Nov 24, 2024 · c797b74 · c797b74
1 parent fd02589
commit c797b74
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -8,7 +8,9 @@
 [![Godoc](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)](https://godoc.org/github.com/etcd-io/etcd)
 [![Releases](https://img.shields.io/github/release/etcd-io/etcd/all.svg?style=flat-square)](https://github.com/etcd-io/etcd/releases)
 [![LICENSE](https://img.shields.io/github/license/etcd-io/etcd.svg?style=flat-square)](https://github.com/etcd-io/etcd/blob/main/LICENSE)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/3192/badge)](https://www.bestpractices.dev/projects/3192)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/etcd-io/etcd/badge)](https://scorecard.dev/viewer/?uri=github.com/etcd-io/etcd)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/etcd/badge)](https://clomonitor.io/projects/cncf/etcd)
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases][github-release].
 

diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,55 @@
+header:
+  schema-version: '1.0.0'
+  expiration-date: '2025-11-24T01:00:00.000Z'
+  last-updated: '2024-11-24'
+  last-reviewed: '2024-11-24'
+  project-url: https://github.com/etcd-io/etcd
+  changelog: https://github.com/etcd-io/etcd/tree/main/CHANGELOG
+  license: https://github.com/etcd-io/etcd/blob/main/LICENSE
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+    - https://github.com/etcd-io/etcd/blob/main/OWNERS
+  roadmap: 
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  contributing-policy: https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md
+  code-of-conduct: https://github.com/etcd-io/etcd/blob/main/code-of-conduct.md
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+    - https://github.com/etcd-io/etcd/blob/main/go.mod
+  sbom:
+    - sbom-url: https://github.com/etcd-io/etcd/blob/main/bill-of-materials.json
+distribution-points:
+  - https://github.com/etcd-io/etcd/releases
+documentation:
+  - https://etcd.io/docs/
+security-assessments:
+  - auditor-name: Trail of Bits
+    auditor-url: https://www.trailofbits.com/
+    auditor-report: https://github.com/etcd-io/etcd/blob/main/security/SECURITY_AUDIT.pdf
+    report-year: 2020
+security-contacts:
+  - type: email
+    value: [email protected]
+security-testing:
+  - tool-type: sca
+    tool-name: Dependabot
+    tool-version: latest
+    integration:
+      ad-hoc: false
+      ci: true
+      before-release: true
+  - tool-type: sast
+    tool-name: CodeQL
+    tool-version: latest
+    integration:
+      ad-hoc: false
+      ci: true
+      before-release: true
+vulnerability-reporting:
+  accepts-vulnerability-reports: false
+  security-policy: https://github.com/etcd-io/etcd/blob/main/security/README.md