-
Notifications
You must be signed in to change notification settings - Fork 2k
/
SECURITY-INSIGHTS.yml
49 lines (49 loc) · 2.17 KB
/
SECURITY-INSIGHTS.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Refer: https://github.com/ossf/security-insights-spec/blob/main/specification.md#specification
header:
schema-version: "1.0.0"
expiration-date: "2024-12-15T19:10:00.000Z"
project-url: https://github.com/kubernetes/kube-state-metrics
changelog: https://github.com/kubernetes/kube-state-metrics/blob/main/CHANGELOG.md
license: https://github.com/kubernetes/kube-state-metrics/blob/main/LICENSE
project-lifecycle:
status: active
bug-fixes-only: false
core-maintainers:
- github:dgrisonnet
- github:mrueg
- github:rexagod
release-process: https://github.com/kubernetes/kube-state-metrics/blob/main/RELEASE.md
contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
contributing-policy: https://github.com/kubernetes/kube-state-metrics/blob/main/CONTRIBUTING.md
code-of-conduct: https://github.com/kubernetes/kube-state-metrics/blob/main/code-of-conduct.md
distribution-points:
- https://github.com/kubernetes/kube-state-metrics/releases
- https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-kube-state-metrics/images.yaml
security-contacts:
- type: website
value: https://github.com/kubernetes/kube-state-metrics/blob/main/SECURITY_CONTACTS
vulnerability-reporting:
accepts-vulnerability-reports: true
security-policy: https://github.com/kubernetes/kube-state-metrics/blob/main/SECURITY.md
dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/kubernetes/kube-state-metrics/blob/main/go.mod
- https://github.com/kubernetes/kube-state-metrics/blob/main/Dockerfile
env-dependencies-policy:
policy-url: https://github.com/kubernetes/kube-state-metrics/blob/main/docs/dependencies-policy.md
documentation:
- https://github.com/kubernetes/kube-state-metrics/tree/main/docs
security-testing:
- tool-type: dast
tool-name: govulncheck
tool-version: latest
tool-url: https://go.googlesource.com/vuln
tool-rulesets:
- built-in
integration:
ci: true
comment: |
Detects vulnerabilities as a result of the affected call-paths being invoked directly in the repository, while reducing false positives by ignoring dormant call-paths for package dependencies.