
docs(security): add Draft GHSA option #12747

Merged

Conversation

agilgur5
Member

@agilgur5 agilgur5 commented Mar 6, 2024

Fixes #12745

Motivation

  • for ease of use, built-in templates, crediting, single source of truth, etc
    • built-in private fork generation for resolution is another nice feature
  • as well as consistency with CD

Modifications

  • Add another reporting option to the SECURITY.md (we already have email), which is using draft GHSAs.

Verification

See the rendered markdown in this PR

Notes to Reviewers

Do not merge until Draft GHSAs are enabled by an admin, i.e. until this link works: https://github.com/argoproj/argo-workflows/security/advisories/new

For clarity and explicitness, draft GHSAs are not equivalent to CVEs. If a draft GHSA is determined to be an active vuln (as opposed to a false positive, etc.), then a CVE can be assigned. It is just another method of private disclosure, one that keeps things consistent and in the same place as public disclosures.

- for ease of use, built-in templates, crediting, single source of truth, etc
- as well as consistency with CD: https://github.com/argoproj/argo-cd/blob/a4b50515381bad9d6db316d49d33efae351c6222/SECURITY.md?plain=1#L68

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5 agilgur5 added labels type/security (Security related) and area/contributing (Contributing docs, ownership, etc. Also devtools like devcontainer and Nix) Mar 6, 2024
@agilgur5 agilgur5 mentioned this pull request Mar 6, 2024
@agilgur5 agilgur5 marked this pull request as ready for review April 4, 2024 00:16
@terrytangyuan terrytangyuan merged commit f521c30 into argoproj:main Apr 4, 2024
16 checks passed
@agilgur5 agilgur5 deleted the security-add-draft-ghsa-option branch April 4, 2024 00:40
agilgur5 added a commit that referenced this pull request May 4, 2024
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
(cherry picked from commit f521c30)
Development: successfully merging this pull request may close the linked issue "Enable draft GHSAs" (#12745).