Address Scorecard feedback and add dependency policy.

Signed-off-by: John Kjell <[email protected]>
in-toto · Jan 2, 2024 · 628d436 · 628d436
1 parent 01df9b4
commit 628d436
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 9 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,14 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
 name: release
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   fmt:
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: fmt
@@ -29,6 +33,9 @@ jobs:
   sast:
     needs: [fmt]
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: sast
@@ -38,6 +45,9 @@ jobs:
   unit-test:
     needs: [fmt]
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: unit-test

diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
@@ -34,9 +34,9 @@ jobs:
         - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
           with:
-            go-version: '1.17.x'
+            go-version: '1.21.x'
         - name: Install addlicense
-          run: go install github.com/google/addlicense@latest
+          run: go install github.com/google/addlicense@v1.1.1
         - name: Check license headers
           run: |
             set -e

diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
@@ -40,9 +40,15 @@ on:
                 required: true
                 type: string
 
+permissions:
+  contents: read
+
 jobs:
     witness:
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            id-token: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1

diff --git a/DEPENDENCY.md b/DEPENDENCY.md
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Witness maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Witness maintainers and all third-party packages used in the Witness project.
+
+## Policy
+
+Witness maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Witness.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Witness codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Witness, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Witness codebase.
+5. Update the Witness documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Witness maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -15,8 +15,8 @@
 header:
   schema-version: 1.0.0
   expiration-date: '2024-08-31T10:10:09.000Z'
-  last-updated: '2023-12-17'
-  last-reviewed: '2023-12-17'
+  last-updated: '2023-12-20'
+  last-reviewed: '2023-12-20'
   commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
   project-url: https://github.com/in-toto/go-witness
   project-release: 'v0.2.0'
@@ -76,6 +76,6 @@ dependencies:
     comment: |
       All dependencies are subject to the Witness Security Policy.
   env-dependencies-policy:
-    policy-url: https://github.com/in-toto/go-witness/SECURITY.md
+    policy-url: https://github.com/in-toto/go-witness/DEPENDENCY.md
     comment: |
-      All dependencies are subject to the Witness Security Policy.
+      All dependencies are subject to the Witness Dependency Policy.