diff --git a/.github/security-insights.yml b/.github/security-insights.yml
new file mode 100644
index 0000000000..4ed100584c
--- /dev/null
+++ b/.github/security-insights.yml
@@ -0,0 +1,194 @@
+# CUE schema for validation: https://raw.githubusercontent.com/ossf/security-insights/refs/heads/main/spec/schema.cue
+# cue vet -d '#SecurityInsights' schema.cue .github/security-insights.yml
+---
+header:
+ schema-version: 2.0.0
+ last-updated: 2026-02-20
+ last-reviewed: 2026-02-20
+ url: https://github.com/radius-project/radius
+ comment: >-
+ This file contains all possible information for both project and repository,
+ though it is not required to include all of this information every time. Nor
+ is it required to include both a project and repository section if the
+ project section is intended to be inherited by repositories via
+ header.project-si-source
+project:
+ name: Radius
+ homepage: https://radapp.io
+ roadmap: https://aka.ms/radius-roadmap
+ steward:
+ uri: ""
+ comment: No steward designated
+ administrators:
+ - name: Sylvain Niles
+ affiliation: Microsoft
+ social: https://github.com/sylvainsf
+ primary: false
+ - name: Karishma Chawla
+ affiliation: Microsoft
+ social: https://github.com/kachawla
+ primary: false
+ - name: Brooke Hamilton
+ affiliation: Microsoft
+ social: https://github.com/brooke-hamilton
+ primary: false
+ documentation:
+ quickstart-guide: https://docs.radapp.io/quick-start/
+ detailed-guide: https://radapp.io/
+ code-of-conduct: https://github.com/radius-project/community/blob/main/CODE-OF-CONDUCT.md
+ release-process: https://github.com/radius-project/community
+ support-policy: https://github.com/radius-project/radius/blob/main/SUPPORT.md
+ repositories:
+ - name: Radius
+ url: https://github.com/radius-project/radius
+ comment: >-
+ Radius is the main Radius repository. It contains all of Radius code and
+ documentation. In addition, we have the below repositories
+ - name: Docs
+ url: https://github.com/radius-project/docs
+ comment: This repository contains the Radius documentation source for Radius.
+ - name: Samples
+ url: https://github.com/radius-project/samples
+ comment: >-
+ This repository contains the source code for quickstarts, reference
+ apps, and tutorials for Radius.
+ - name: Recipes
+ url: https://github.com/radius-project/recipes
+ comment: >-
+ This repo contains commonly used Recipe templates for Radius
+ Environments.
+ - name: Website
+ url: https://github.com/radius-project/website
+ comment: This repository contains the source code for the Radius website.
+ - name: AWS Bicep Types
+ url: https://github.com/radius-project/bicep-types-aws
+ comment: >-
+ This repository contains the tooling for Bicep support for AWS resource
+ types.
+ - name: Radius Resource Types and Recipes Contributions
+ url: https://github.com/radius-project/resource-types-contrib
+ comment: >-
+ This repository contains the Resource Type definitions and Recipes for deploying those Resource Types via Radius.
+ vulnerability-reporting:
+ reports-accepted: true
+ bug-bounty-available: false
+ contact:
+ name: Radius Team
+ email: radiuscoreteam@service.microsoft.com
+ primary: true
+ policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+repository:
+ url: https://github.com/radius-project/radius
+ status: active
+ bug-fixes-only: true
+ accepts-change-request: true
+ accepts-automated-change-request: true
+ no-third-party-packages: true
+ license:
+ url: >-
+ https://github.com/radius-project/radius/blob/main/LICENSE
+ expression: Apache-2.0
+ core-team:
+ - name: Radius Core Team
+ affiliation: Microsoft
+ email: radiuscoreteam@service.microsoft.com
+ primary: true
+ - name: Sylvain Niles
+ affiliation: Microsoft
+ social: https://github.com/sylvainsf
+ primary: false
+ - name: Karishma Chawla
+ affiliation: Microsoft
+ social: https://github.com/kachawla
+ primary: false
+ - name: Brooke Hamilton
+ affiliation: Microsoft
+ social: https://github.com/brooke-hamilton
+ primary: false
+ documentation:
+ contributing-guide:
https://github.com/radius-project/radius/blob/main/CONTRIBUTING.md
+ review-policy: >-
+ https://github.com/radius-project/radius/blob/main/docs/contributing/contributing-code/contributing-code-reviewing/README.md
+ security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+ governance: >-
+ https://github.com/radius-project/community/blob/main/community-membership.md
+ dependency-management-policy: https://github.com/radius-project/radius/blob/main/THIRD-PARTY-NOTICES.txt
+ release:
+ changelog: https://github.com/radius-project/radius/releases
+ automated-pipeline: false
+ attestations:
+ - name: Release 0.54
+ predicate-uri: https://github.com/radius-project/radius/actions/runs/20080596572
+ location: https://github.com/radius-project/radius/releases/tag/v0.54.0
+ comment: Build workflow for Release 0.54
+ distribution-points:
+ - uri: https://github.com/radius-project/radius/releases
+ comment: Radius Releases
+ - uri: https://github.com/orgs/radius-project/packages?repo_name=radius
+ comment: GitHub packages
+ license:
+ url: >-
+ https://github.com/radius-project/radius/blob/main/LICENSE
+ expression: Apache-2.0
+ security:
+ assessments:
+ self:
+ evidence: https://github.com/radius-project/design-notes/tree/main/architecture
+ comment: >-
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-controller-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-applications-rp-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-dashboard-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-11-ucp-component-threat-model.md
+ third-party:
+ - comment: No third-party assessment performed
+ champions:
+ - name: Radius Team
+ email: radiuscoreteam@service.microsoft.com
+ primary: true
+ tools:
+ - name: Scorecard
+ type: SCA
+ rulesets:
+ - default
+ results: {}
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ - name: CodeQL
+ type: SAST
+ version: "2"
+ rulesets:
+ - default
+ results:
+ ci:
+ name: CodeQL GitHub workflow
+ predicate-uri: ""
+ location: >-
+ https://github.com/radius-project/radius/blob/main/.github/workflows/codeql.yml
+ comment: GitHub workflow to run CodeQL
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ - name: GoSec
+ type: SAST
+ rulesets:
+ - default
+ results: {}
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ - name: Dependency Review
+ type: SCA
+ rulesets:
+ - default
+ results: {}
+ integration:
+ adhoc: false
+ ci: true
+ release: false
diff --git a/SECURITY.md b/SECURITY.md
index 1f875843a1..94ef18e58e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,7 +8,7 @@ If you believe you have found a security vulnerability in any Radius repository,
 **Please do not report security vulnerabilities through public GitHub issues.**
-Instead, please report them to the [security@radapp.dev](mailto:security@radapp.dev).
+Instead, please report them to the [radiuscoreteam@service.microsoft.com](mailto:radiuscoreteam@service.microsoft.com).
 You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
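Review bot: `no-third-party-packages: true` in the `repository` section contradicts the rest of this file, which points `dependency-management-policy` at THIRD-PARTY-NOTICES.txt and registers a Dependency Review SCA tool in CI — both only make sense for a repository that does consume third-party packages, so `no-third-party-packages: false` is the value the other entries imply. The same section sets `bug-fixes-only: true` next to `status: active`, `accepts-change-request: true` and a project roadmap link, which reads as a similar mismatch; if feature changes are accepted, `bug-fixes-only: false` is the accurate value. Less certain: `release.automated-pipeline: false` sits beside an attestation whose `predicate-uri` is a GitHub Actions run described in its comment as the build workflow for the release, so one of the two looks out of date, and a notices file is attribution rather than a policy on how dependencies are selected and updated, so the `dependency-management-policy` link may also deserve a second look. Tools that consume Security Insights read these booleans as statements of fact, so an overstated value here misrepresents the repository's supply-chain posture to anyone evaluating it.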