github/kubescape
1
0
Fork 0
mirror of https://github.com/kubescape/kubescape.git synced 2026-02-14 09:59:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

add env-dependencies-policy to security insights

Browse Source 
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
This commit is contained in:
Matthias Bertschy
2023-10-20 09:30:41 +02:00
parent e2044338c8
commit 915d5d993b
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
SECURITY-INSIGHTS.yml
View File

@@ -17,6 +17,13 @@ contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: false
code-of-conduct: https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md
dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/kubescape/kubescape/blob/master/go.mod
- https://github.com/kubescape/kubescape/blob/master/httphandler/go.mod
env-dependencies-policy:
policy-url: https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md
documentation:
- https://github.com/kubescape/kubescape/tree/master/docs
distribution-points:

38
docs/environment-dependencies-policy.md Normal file
View File

@@ -0,0 +1,38 @@
# Environment Dependencies Policy
## Purpose
This policy describes how Kubescape maintainers consume third-party packages.
## Scope
This policy applies to all Kubescape maintainers and all third-party packages used in the Kubescape project.
## Policy
Kubescape maintainers must follow these guidelines when consuming third-party packages:
- Only use third-party packages that are necessary for the functionality of Kubescape.
- Use the latest version of all third-party packages whenever possible.
- Avoid using third-party packages that are known to have security vulnerabilities.
- Pin all third-party packages to specific versions in the Kubescape codebase.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
## Procedure
When adding a new third-party package to Kubescape, maintainers must follow these steps:
1. Evaluate the need for the package. Is it necessary for the functionality of Kubescape?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Kubescape codebase.
5. Update the Kubescape documentation to reflect the new dependency.
## Enforcement
This policy is enforced by the Kubescape maintainers.
Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
## Exceptions
Exceptions to this policy may be granted by the Kubescape project lead on a case-by-case basis.