From 16e8ebc635782b21820b82d35e4be749e3747025 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Sun, 5 Nov 2023 07:25:50 -0600
Subject: [PATCH] Updated security documentation and CLOMonitor exemptions
Signed-off-by: Eddie Knight
---
 .clomonitor.yml | 4 ++++
 CONTRIBUTING.md | 2 ++
 SECURITY-INSIGHTS.yml | 23 +++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 SECURITY-INSIGHTS.yml
diff --git a/.clomonitor.yml b/.clomonitor.yml
index 9f1fff8c..04fe1aad 100644
--- a/.clomonitor.yml
+++ b/.clomonitor.yml
@@ -7,6 +7,10 @@ exemptions:
 reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
 - check: sbom
 reason: "Tracking Helm dependencies is not yet a stable practice."
+ - check: self_assessment
+ reason: "Refer to self assessments supplied by the codebases Argo Helm supports."
+ - check: signed_releases
+ reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only."
 # TODO:
 # License scanning information
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d67ddefc..f9861dcb 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -47,6 +47,8 @@ Any breaking changes to a chart (backwards incompatible) require:
 ### New Application Versions
+Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release.
+
 When selecting new application versions ensure you make the following changes:
 * `values.yaml`: Bump all instances of the container image version
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..a983c4f1
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
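Review bot: Both new exemption reasons in `.clomonitor.yml` assert that a control exists somewhere else (upstream self-assessments, signatures on Artifact Hub) without pointing at it, and CLOMonitor displays the reason text verbatim as the justification for skipping the check, so a reader has no way to confirm the claim. Since an exemption stands in for the check itself, each reason should carry the reference: `reason: "Refer to the self-assessments published by the upstream Argo projects: <link to upstream self-assessment docs>"` and `reason: "Argo Helm releases are published via Artifact Hub, where they are signed (verification steps: <link to chart verification docs>); the unsigned GitHub releases are for reference only."`. Because the unsigned GitHub releases remain visible to chart consumers, it would also help if the README or release notes named the Artifact Hub chart as the authoritative signed artifact, which is presumably the intent of the reason text. Minor wording: `the codebases Argo Helm supports` reads as a possessive; `the upstream projects that Argo Helm packages` is clearer.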
@@ -0,0 +1,23 @@
+header:
+ schema-version: '1.0.0'
+ expiration-date: '2024-11-04T10:00:00.000Z'
+ project-url: https://github.com/argoproj/argo-helm
+project-lifecycle:
+ status: active
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/mkilchhofer
+ - https://github.com/jmeridth
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+distribution-points:
+ - https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: cncf-argo-maintainers@lists.cncf.io
+ security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+ comment: Please refer to the security policy for reporting information prior to using the email contact.
+dependencies:
+ env-dependencies-policy:
+ policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions
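Review bot: `policy-url` references `blob/master/CONTRIBUTING.md` while `distribution-points` and `security-policy` in the same file use `blob/main/...`; unless the repository serves both branch names, one of these links will 404, and because this file is consumed by tooling rather than read by people, nobody will notice until a scanner reports it. The branch should be made consistent, presumably `policy-url: https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#new-application-versions`, and the anchor checked against the `### New Application Versions` heading this same patch extends in CONTRIBUTING.md. `distribution-points` currently lists SECURITY.md; if I read the 1.0.0 schema correctly, that field is meant to list where the project's artifacts are obtained, which for this repository would be the Artifact Hub listing that the `.clomonitor.yml` change in this patch names as the signed release channel (`- <Artifact Hub URL for the Argo charts>`), with the policy already covered by `security-policy`. The `expiration-date` is one year out and nothing in the file records who renews it; a comment beside it, `# renew before expiry - consumers treat an expired file as stale`, would make that obligation visible to future maintainers.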