Added dependencies policy (#3456)

Extended SECURITY-INSIGHTS.yml for CLOMonitor score

Signed-off-by: Eddie Knight <knight@linux.com>
Eddie Knight 2023-11-06 07:23:46 -06:00 committed by GitHub
parent c3860fe369
commit c5a04e8e90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 0 deletions


@ -82,3 +82,17 @@ Date: Thu Feb 2 11:41:15 2018 -0800
Notice how the `Author` and `Signed-off-by` lines match. If they do not match the PR will be rejected by the automated DCO check.
If more than one person contributed to a commit than there can be more than one `Signed-off-by` line where each line is a signoff from a different person who contributed to the commit.
## Dependencies Policy
Dependencies must be evaluated before being introduced to ensure they:
1) are actively maintained
2) are maintained by trustworthy maintainers
These evaluations vary from dependency to dependencies.
Dependencies are also scheduled for removal if that project has been deprecated or if the project is no longer maintained.
CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed as a high or critical severity.
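Review bot: the two acceptance criteria in the new "Dependencies Policy" section have no stated outcome for a dependency that fails them and no owner for the evaluation; the sentence "These evaluations vary from dependency to dependencies." should read "from dependency to dependency" and, more usefully, say who performs the evaluation and where the result is recorded (for example in the PR that introduces the dependency), so that the policy is auditable rather than a statement of intent. The CVE sentence also leaves medium and low severity findings unaddressed; if they are handled on the normal release cadence, say so, otherwise readers will assume they are never patched. Minor: the `## Dependencies Policy` heading follows the previous paragraph without a blank line, unlike the other headings in this file.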


@ -19,3 +19,6 @@ security-contacts:
value: cncf-artifacthub-maintainers@lists.cncf.io
vulnerability-reporting:
accepts-vulnerability-reports: true
dependencies:
env-dependencies-policy:
policy-url: https://github.com/artifacthub/hub/blob/master/CONTRIBUTING.md#dependencies-policy
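Review bot: the `policy-url` added under `env-dependencies-policy` points at the `master` branch and relies on the `#dependencies-policy` heading anchor introduced in the other file of this commit, so a later rename of that heading or a branch rename will leave SECURITY-INSIGHTS.yml silently pointing at a dead link with no CI signal. Consider adding a link check to CI, or at least a note in CONTRIBUTING.md that the heading is referenced from SECURITY-INSIGHTS.yml. Also worth confirming that the new `dependencies:` block sits at the same indentation level as the existing `vulnerability-reporting:` key, since the rendered diff here does not show leading whitespace.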