diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index 4c4f4e79..d720551f 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -17,6 +17,13 @@ contribution-policy: accepts-pull-requests: true accepts-automated-pull-requests: false code-of-conduct: https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md +dependencies: + third-party-packages: true + dependencies-lists: + - https://github.com/kubescape/kubescape/blob/master/go.mod + - https://github.com/kubescape/kubescape/blob/master/httphandler/go.mod + env-dependencies-policy: + policy-url: https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md documentation: - https://github.com/kubescape/kubescape/tree/master/docs distribution-points: diff --git a/docs/environment-dependencies-policy.md b/docs/environment-dependencies-policy.md new file mode 100644 index 00000000..8e2d3c80 --- /dev/null +++ b/docs/environment-dependencies-policy.md 
@@ -0,0 +1,38 @@ +# Environment Dependencies Policy + +## Purpose + +This policy describes how Kubescape maintainers consume third-party packages. + +## Scope + +This policy applies to all Kubescape maintainers and all third-party packages used in the Kubescape project. + +## Policy + +Kubescape maintainers must follow these guidelines when consuming third-party packages: + +- Only use third-party packages that are necessary for the functionality of Kubescape. +- Use the latest version of all third-party packages whenever possible. +- Avoid using third-party packages that are known to have security vulnerabilities. +- Pin all third-party packages to specific versions in the Kubescape codebase. +- Use a dependency management tool, such as Go modules, to manage third-party dependencies. + +## Procedure + +When adding a new third-party package to Kubescape, maintainers must follow these steps: + +1. Evaluate the need for the package. Is it necessary for the functionality of Kubescape? +2. Research the package. Is it well-maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the Kubescape codebase. +5. Update the Kubescape documentation to reflect the new dependency. + +## Enforcement + +This policy is enforced by the Kubescape maintainers. +Maintainers are expected to review each other's code changes to ensure that they comply with this policy. + +## Exceptions + +Exceptions to this policy may be granted by the Kubescape project lead on a case-by-case basis.
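Review bot: In the SECURITY-INSIGHTS.yml hunk, the new `env-dependencies-policy.policy-url` and both `dependencies-lists` entries point at `blob/master`, and the policy document they reference is only added in this same change, so the URL will not resolve until the PR is merged; that is acceptable if the two hunks land together, but worth confirming before merge. Note also that the unchanged context line `accepts-automated-pull-requests: false` sits right above a policy that asks maintainers to "Use the latest version of all third-party packages whenever possible"; with automated update PRs disabled, keeping dependencies current depends entirely on manual bumps, so the SECURITY-INSIGHTS entry (or the policy's `comment`, if the file's schema allows one) should say how updates are actually driven.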
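Review bot: In the docs/environment-dependencies-policy.md hunk, the "Policy" bullets "Use the latest version of all third-party packages whenever possible" and "Pin all third-party packages to specific versions in the Kubescape codebase" pull in opposite directions unless an update cadence is stated; suggest adding a line such as "Pinned versions are reviewed and bumped on a regular schedule" so readers know when "latest" is expected to be re-evaluated. The bullet "Avoid using third-party packages that are known to have security vulnerabilities" and the "Enforcement" section rely only on code review; since the file already names Go modules as the dependency management tool, it would be stronger to state that pinning is recorded in `go.mod` and verified against `go.sum`, and to name the check (a vulnerability scanner such as `govulncheck`, or `go mod verify`) that reviewers are expected to run. Finally, "Procedure" step 5, "Update the Kubescape documentation to reflect the new dependency", does not say which document; if the intended target is the `dependencies-lists` entries (the `go.mod` files) referenced from SECURITY-INSIGHTS.yml, say so explicitly.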