Commit
Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
1 parent 057df41
commit c0b58b2
Showing 154 changed files with 3,972 additions and 2,888 deletions.
@@ -0,0 +1,21 @@ | ||
# Reporting Security Issues | ||
|
||
To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. | ||
|
||
### When Should I Report a Vulnerability? | ||
|
||
* You found a vulnerability in the Zarf code. | ||
* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet. | ||
|
||
### When Should I NOT Report a Vulnerability? | ||
|
||
* You found a bug or malfunction in the Zarf code (not security related). | ||
* You want to add a feature to Zarf. | ||
|
||
## Supported Versions | ||
|
||
As Zarf has not yet reached v1.0.0, only the current latest minor release is supported. | ||
|
||
## Contacting Us | ||
|
||
To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com. |
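Review bot: the "Contacting Us" section at the end of the hunk gives a Google Groups address for "security related issues" immediately after the top of the file says reports go through the confidential GitHub Security Advisory tab; state explicitly that the mailing list is for general discussion and that vulnerability reports (and any exploit details) belong only in the advisory form, otherwise reporters will reasonably pick the email and send details to the less controlled channel. The policy also gives no expected response time; one sentence under "Reporting Security Issues" such as "we aim to acknowledge reports within N business days", with whatever N the maintainers can commit to, tells a reporter when it is appropriate to escalate and is standard in a SECURITY.md.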
@@ -0,0 +1,33 @@ | ||
name: Compare CVEs to main | ||
|
||
permissions: | ||
contents: read | ||
|
||
on: | ||
pull_request: | ||
paths: | ||
- "go.mod" | ||
- "go.sum" | ||
- "cargo.toml" | ||
- "cargo.lock" | ||
|
||
jobs: | ||
validate: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout repo | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
with: | ||
ref: ${{ github.head_ref || github.ref_name }} | ||
|
||
- name: fetch main | ||
run: git fetch origin main --depth 1 | ||
|
||
- name: Setup golang | ||
uses: ./.github/actions/golang | ||
|
||
- name: Install tools | ||
uses: ./.github/actions/install-tools | ||
|
||
- name: Check for CVEs in Dependencies | ||
run: "hack/check-vulnerabilities.sh" |
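Review bot: the checkout step's `ref: ${{ github.head_ref || github.ref_name }}` will fail for pull requests opened from forks. On a `pull_request` event `github.head_ref` is the branch name in the contributor's fork, but `actions/checkout` resolves `ref` against the base repository (its `repository` input defaults to `github.repository`), where that branch does not exist. Either drop the `ref` input so the default `refs/pull/<n>/merge` checkout is used, or set `ref: ${{ github.event.pull_request.head.sha }}` if `hack/check-vulnerabilities.sh` must scan the unmerged head; the `github.ref_name` fallback is unreachable anyway since the only trigger is `pull_request`. Smaller point on the `paths` filter: `cargo.toml` and `cargo.lock` without a `**/` prefix only match files at the repository root, and Cargo's manifest is conventionally spelled `Cargo.toml`, so `**/Cargo.toml` and `**/Cargo.lock` are the safer patterns if the intent is to catch Rust dependency changes anywhere in the tree. `permissions: contents: read` and the SHA-pinned checkout action are the right defaults.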
@@ -0,0 +1,62 @@ | ||
run: | ||
timeout: 5m | ||
linters: | ||
disable-all: true | ||
enable: | ||
- gosimple | ||
- govet | ||
- staticcheck | ||
- unused | ||
- revive | ||
- goheader | ||
- goimports | ||
- nolintlint | ||
linters-settings: | ||
govet: | ||
enable-all: true | ||
disable: | ||
- shadow | ||
- fieldalignment | ||
- unusedwrite | ||
nolintlint: | ||
require-specific: true | ||
goheader: | ||
template: |- | ||
SPDX-License-Identifier: Apache-2.0 | ||
SPDX-FileCopyrightText: 2021-Present The Zarf Authors | ||
revive: | ||
rules: | ||
- name: blank-imports | ||
- name: context-as-argument | ||
- name: context-keys-type | ||
- name: dot-imports | ||
- name: error-return | ||
- name: error-strings | ||
- name: error-naming | ||
- name: exported | ||
- name: if-return | ||
- name: increment-decrement | ||
- name: var-naming | ||
- name: var-declaration | ||
- name: package-comments | ||
- name: range | ||
- name: receiver-naming | ||
- name: time-naming | ||
- name: unexported-return | ||
- name: indent-error-flow | ||
- name: errorf | ||
- name: empty-block | ||
- name: superfluous-else | ||
- name: unused-parameter | ||
- name: unreachable-code | ||
- name: redefines-builtin-id | ||
issues: | ||
# Revive rules that are disabled by default. | ||
include: | ||
- EXC0012 | ||
- EXC0013 | ||
- EXC0014 | ||
- EXC0015 | ||
# Exclude linting code copied from Helm. | ||
exclude-dirs: | ||
- "src/cmd/tools/helm" |
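Review bot: `disable-all: true` switches off `errcheck` and `ineffassign`, which golangci-lint enables by default, and the `enable` list does not add `gosec`; unchecked errors and the gosec checks (for example G110 for decompression bombs, G304 for tainted file paths, G402 for TLS configuration) are exactly the findings worth gating a PR on, so add `errcheck`, `ineffassign` and `gosec` to the `enable` list and use `nolint:gosec // reason` exclusions where a specific hit is a false positive (the `nolintlint` `require-specific: true` setting already enforces that shape). The `govet` block also disables `shadow`; a shadowed `err` inside an `if` or `for` body is the classic way an error check silently stops applying, so consider leaving it on. The `exclude-dirs` entry for `src/cmd/tools/helm` is reasonable for code copied from Helm, but note it exempts that copy from every linter here, including any security rules added later, so the copy should be tracked against upstream some other way.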
@@ -1,20 +1,6 @@ | ||
# Ignore file for false positives from protobuf, see the following for more information: | ||
# https://github.com/anchore/grype/issues/558 | ||
ignore: | ||
# This vulnerability does not affect Zarf as we do not instantiate a rekor client | ||
- vulnerability: GHSA-2h5h-59f5-c5x9 | ||
|
||
# This vulnerability does not affect Zarf as we do not instantiate a rekor client | ||
- vulnerability: GHSA-frqx-jfcm-6jjr | ||
|
||
# From rouille - The Zarf injector does not expose endpoints that use multipart form data | ||
- vulnerability: GHSA-mc8h-8q98-g5hr | ||
|
||
# From semver - This comes through nodemon which is only used for development | ||
- vulnerability: GHSA-c2qf-rxjj-qqgw | ||
|
||
# From k8s.io/apiserver - This is a false positive due to the difference in versioning between the library / binary k8s versioning | ||
- vulnerability: GHSA-82hx-w2r5-c2wq | ||
|
||
# From helm - This behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). | ||
- vulnerability: GHSA-jw44-4f3j-q396 |
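Review bot: the header comment in the first two lines of the hunk says this is an ignore file "for false positives from protobuf", pointing at anchore/grype#558, but none of the six entries that follow concerns protobuf (two are rekor-client advisories, then rouille, semver via nodemon, k8s.io/apiserver and helm), so the comment is stale and should describe what the file actually holds. Each suppression is a bare `vulnerability:` ID, which hides that GHSA wherever it appears, including if the same advisory later arrives through a different dependency than the one reasoned about in the comment. grype's ignore rules accept a `package:` block (`name`, `version`, `type`) alongside `vulnerability:`, so scoping each entry to the package named in its comment, in the form `- vulnerability: GHSA-... / package: { name: <module> }`, keeps the justification and the suppression in step. The hunk header `-1,20 +1,6` shows the file shrinking from 20 lines to 6, but the rendering has lost the `+`/`-` markers, so it is not visible here which entries were dropped; whichever remain should be re-checked against the current go.mod rather than carried forward on the strength of the old comments.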
@@ -1,35 +1,5 @@ | ||
* @defenseunicorns/zarf | ||
* @defenseunicorns/zarf @dgershman | ||
|
||
# Docs & examples | ||
/adr/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/docs/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/examples/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
*.md @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
|
||
# Core code | ||
/src/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/go.* @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
main.go @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
|
||
# Init package | ||
/packages/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/zarf.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
|
||
# Docs Website | ||
/docs-website/ @Racer159 @Noxsios @jeff-mccoy @lucasrod16 @AustinAbro321 | ||
|
||
# Privileged pipeline files | ||
/.github/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/hack/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/.gitignore @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/.golangci.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/.goreleaser.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/.grype.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/Dockerfile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/renovate.json @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
/Makefile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321 | ||
|
||
# Additional privileged files | ||
/CODEOWNERS @jeff-mccoy @austenbryan | ||
/cosign.pub @jeff-mccoy @austenbryan | ||
/LICENSE @jeff-mccoy @austenbryan |
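Review bot: two catch-all rules appear at the top of the hunk, `* @defenseunicorns/zarf` and `* @defenseunicorns/zarf @dgershman`. CODEOWNERS applies the last matching pattern, so whichever of these survives the change should be the only `*` line; the rendering has lost the `+`/`-` markers, but the hunk header `-1,35 +1,5` says the file goes from 35 lines to 5, so the 30 removed lines are evidently the per-path rules below. The concern is what those rules protected: "Privileged pipeline files" (`/.github/`, `/hack/`, `/.goreleaser.yml`, `/Dockerfile`, `/renovate.json`) and "Additional privileged files" (`/CODEOWNERS`, `/cosign.pub`, `/LICENSE`) currently route review of release tooling and the package signing public key to named individuals, and collapsing everything onto the `@defenseunicorns/zarf` team means any team member satisfies a code-owner review of a change to `cosign.pub`. If that is intended, say so in the commit message; if not, keep a narrower rule for at least `/cosign.pub`, `/.github/` and `/CODEOWNERS`, placed after the `*` line so it takes precedence.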