From bec608e169965f8e295e4dd30fbb670c325d1e4c Mon Sep 17 00:00:00 2001 From: John Kjell Date: Thu, 7 Dec 2023 11:36:56 -0600 Subject: [PATCH] Changes to improve CLOMonitor Score (#88) * Changes to improve CLOMonitor Score --------- Signed-off-by: John Kjell --- .clomonitor.yml | 21 ++++++++++++++ .github/dependabot.yml | 14 +++++++++ .github/workflows/codeql.yml | 14 +++++++++ .github/workflows/dependency-review.yml | 14 +++++++++ .github/workflows/fossa.yml | 38 +++++++++++++++++++++++++ .github/workflows/scorecards.yml | 14 +++++++++ .pre-commit-config.yaml | 14 +++++++++ CONTRIBUTORS.md => CONTRIBUTING.md | 0 README.md | 3 ++ SECURITY-INSIGHTS.yml | 24 ++++++++++++++++ 10 files changed, 156 insertions(+) create mode 100644 .clomonitor.yml create mode 100644 .github/workflows/fossa.yml rename CONTRIBUTORS.md => CONTRIBUTING.md (100%) create mode 100644 SECURITY-INSIGHTS.yml diff --git a/.clomonitor.yml b/.clomonitor.yml new file mode 100644 index 00000000..8a14c3b1 --- /dev/null +++ b/.clomonitor.yml @@ -0,0 +1,21 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CLOMonitor metadata file +# This file must be located at the root of the repository + +# Checks exemptions +exemptions: + - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions) + reason: "Project is a library and does not create an artifact" # Justification of this exemption (mandatory, it will be displayed on the UI) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8d2b1f50..ccd96740 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + version: 2 updates: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe259ee4..20484106 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fd27e55b..57d25081 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Dependency Review Action # # This Action will scan dependency manifest files that change as part of a Pull Request, diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml new file mode 100644 index 00000000..aa365a8e --- /dev/null +++ b/.github/workflows/fossa.yml @@ -0,0 +1,38 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: "Fossa Scan" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + fossa-scan: + runs-on: ubuntu-latest + steps: + - name: "Checkout Code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: "Run FOSSA Scan" + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 + with: + api-key: ${{ secrets.fossaApiKey }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index dd7ff683..bdcf613e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 919f2c44..221048da 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.16.3 diff --git a/CONTRIBUTORS.md b/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTORS.md rename to CONTRIBUTING.md diff --git a/README.md b/README.md index 5c28f7d2..53428b47 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,6 @@ +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8164/badge)](https://www.bestpractices.dev/projects/8164) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/go-witness/badge)](https://securityscorecards.dev/viewer/?uri=github.com/in-toto/go-witness) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness?ref=badge_shield&issueType=license) [![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..cf55b9bd --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,24 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +header: + schema-version: 1.0.0 + expiration-date: '2024-08-31T10:10:09.000Z' + last-updated: '2023-12-06' + last-reviewed: '2023-12-06' + commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41 + project-url: https://github.com/in-toto/go-witness + project-release: 'v0.17.0' + changelog: https://github.com/in-toto/go-witness/releases/tag/v0.17.0 + license: https://github.com/in-toto/go-witness/blob/main/LICENSE