Updated security documentation and CLOMonitor exemptions

Signed-off-by: Eddie Knight <knight@linux.com>
2023-11-05 07:25:50 -06:00 · 2023-11-05 07:25:50 -06:00 · 16e8ebc635
commit 16e8ebc635
parent 8b17cdf924
3 changed files with 29 additions and 0 deletions
--- a/.clomonitor.yml
+++ b/.clomonitor.yml
@ -7,6 +7,10 @@ exemptions:
    reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
  - check: sbom
    reason: "Tracking Helm dependencies is not yet a stable practice."
+  - check: self_assessment
+    reason: "Refer to self assessments supplied by the codebases Argo Helm supports."
+  - check: signed_releases
+    reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only."

 # TODO:
 # License scanning information
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -47,6 +47,8 @@ Any breaking changes to a chart (backwards incompatible) require:

 ### New Application Versions

+Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release.
+
 When selecting new application versions ensure you make the following changes:

 * `values.yaml`: Bump all instances of the container image version
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@ -0,0 +1,23 @@
+header:
+  schema-version: '1.0.0'
+  expiration-date: '2024-11-04T10:00:00.000Z'
+  project-url: https://github.com/argoproj/argo-helm
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+  - https://github.com/mkilchhofer
+  - https://github.com/jmeridth
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+distribution-points:
+  - https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  email-contact: cncf-argo-maintainers@lists.cncf.io
+  security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+  comment: Please refer to the security policy for reporting information prior to using the email contact.
+dependencies:
+  env-dependencies-policy:
+    policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions