Add security-insights.yml for OSSF Security Insights v2.0.0

.github/security-insights.yml

@@ -0,0 +1,194 @@
+# CUE schema for validation: https://raw.githubusercontent.com/ossf/security-insights/refs/heads/main/spec/schema.cue
+# cue vet -d '#SecurityInsights' schema.cue .github/security-insights.yml
+---
+header:
+  schema-version: 2.0.0
+  last-updated: 2026-02-20
+  last-reviewed: 2026-02-20
+  url: https://github.com/radius-project/radius
+  comment: >-
+    This file contains all possible information for both project and repository,
+    though it is not required to include all of this information every time. Nor
+    is it required to include both a project and repository section if the
+    project section is intended to be inherited by repositories via
+    header.project-si-source
+project:
+  name: Radius
+  homepage: https://radapp.io
+  roadmap: https://aka.ms/radius-roadmap
+  steward:
+    uri: ""
+    comment: No steward designated
+  administrators:
+    - name: Sylvain Niles
+      affiliation: Microsoft
+      social: https://github.com/sylvainsf
+      primary: false
+    - name: Karishma Chawla
+      affiliation: Microsoft
+      social: https://github.com/kachawla
+      primary: false
+    - name: Brooke Hamilton
+      affiliation: Microsoft
+      social: https://github.com/brooke-hamilton
+      primary: false
+  documentation:
+    quickstart-guide: https://docs.radapp.io/quick-start/
+    detailed-guide: https://radapp.io/
+    code-of-conduct: https://github.com/radius-project/community/blob/main/CODE-OF-CONDUCT.md
+    release-process: https://github.com/radius-project/community
+    support-policy: https://github.com/radius-project/radius/blob/main/SUPPORT.md
+  repositories:
+    - name: Radius
+      url: https://github.com/radius-project/radius
+      comment: >-
+        Radius is the main Radius repository. It contains all of Radius code and
+        documentation. In addition, we have the below repositories
+    - name: Docs
+      url: https://github.com/radius-project/docs
+      comment: This repository contains the Radius documentation source for Radius.
+    - name: Samples
+      url: https://github.com/radius-project/samples
+      comment: >-
+        This repository contains the source code for quickstarts, reference
+        apps, and tutorials for Radius.
+    - name: Recipes
+      url: https://github.com/radius-project/recipes
+      comment: >-
+        This repo contains commonly used Recipe templates for Radius
+        Environments.
+    - name: Website
+      url: https://github.com/radius-project/website
+      comment: This repository contains the source code for the Radius website.
+    - name: AWS Bicep Types
+      url: https://github.com/radius-project/bicep-types-aws
+      comment: >-
+        This repository contains the tooling for Bicep support for AWS resource
+        types.
+    - name: Radius Resource Types and Recipes Contributions
+      url: https://github.com/radius-project/resource-types-contrib
+      comment: >-
+        This repository contains the Resource Type definitions and Recipes for deploying those Resource Types via Radius.
+  vulnerability-reporting:
+    reports-accepted: true
+    bug-bounty-available: false
+    contact:
+      name: Radius Team
+      email: radiuscoreteam@service.microsoft.com
+      primary: true
+    policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+repository:
+  url: https://github.com/radius-project/radius
+  status: active
+  bug-fixes-only: true
+  accepts-change-request: true
+  accepts-automated-change-request: true
+  no-third-party-packages: true
+  license:
+    url: >-
+      https://github.com/radius-project/radius/blob/main/LICENSE
+    expression: Apache-2.0
+  core-team:
+    - name: Radius Core Team
+      affiliation: Microsoft
+      email: radiuscoreteam@service.microsoft.com
+      primary: true
+    - name: Sylvain Niles
+      affiliation: Microsoft
+      social: https://github.com/sylvainsf
+      primary: false
+    - name: Karishma Chawla
+      affiliation: Microsoft
+      social: https://github.com/kachawla
+      primary: false
+    - name: Brooke Hamilton
+      affiliation: Microsoft
+      social: https://github.com/brooke-hamilton
+      primary: false
+  documentation:
+    contributing-guide: https://github.com/radius-project/radius/blob/main/CONTRIBUTING.md
+    review-policy: >-
+      https://github.com/radius-project/radius/blob/main/docs/contributing/contributing-code/contributing-code-reviewing/README.md
+    security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+    governance: >-
+      https://github.com/radius-project/community/blob/main/community-membership.md
+    dependency-management-policy: https://github.com/radius-project/radius/blob/main/THIRD-PARTY-NOTICES.txt
+  release:
+    changelog: https://github.com/radius-project/radius/releases
+    automated-pipeline: false
+    attestations:
+      - name: Release 0.54
+        predicate-uri: https://github.com/radius-project/radius/actions/runs/20080596572
+        location: https://github.com/radius-project/radius/releases/tag/v0.54.0
+        comment: Build workflow for Release 0.54
+    distribution-points:
+      - uri: https://github.com/radius-project/radius/releases
+        comment: Radius Releases
+      - uri: https://github.com/orgs/radius-project/packages?repo_name=radius
+        comment: GitHub packages
+    license:
+      url: >-
+        https://github.com/radius-project/radius/blob/main/LICENSE
+      expression: Apache-2.0
+  security:
+    assessments:
+      self:
+        evidence: https://github.com/radius-project/design-notes/tree/main/architecture
+        comment: >-
+          https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-controller-component-threat-model.md
+
+          https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-applications-rp-component-threat-model.md
+
+          https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-dashboard-component-threat-model.md
+
+          https://github.com/radius-project/design-notes/blob/main/architecture/2024-11-ucp-component-threat-model.md
+      third-party:
+        - comment: No third-party assessment performed
+    champions:
+      - name: Radius Team
+        email: radiuscoreteam@service.microsoft.com
+        primary: true
+    tools:
+      - name: Scorecard
+        type: SCA
+        rulesets:
+          - default
+        results: {}
+        integration:
+          adhoc: false
+          ci: true
+          release: false
+      - name: CodeQL
+        type: SAST
+        version: "2"
+        rulesets:
+          - default
+        results:
+          ci:
+            name: CodeQL GitHub workflow
+            predicate-uri: ""
+            location: >-
+              https://github.com/radius-project/radius/blob/main/.github/workflows/codeql.yml
+            comment: GitHub workflow to run CodeQL
+        integration:
+          adhoc: false
+          ci: true
+          release: false
+      - name: GoSec
+        type: SAST
+        rulesets:
+          - default
+        results: {}
+        integration:
+          adhoc: false
+          ci: true
+          release: false
+      - name: Dependency Review
+        type: SCA
+        rulesets:
+          - default
+        results: {}
+        integration:
+          adhoc: false
+          ci: true
+          release: false

SECURITY.md

@@ -8,7 +8,7 @@ If you believe you have found a security vulnerability in any Radius repository,
 
 **Please do not report security vulnerabilities through public GitHub issues.**
 
-Instead, please report them to the [security@radapp.dev](mailto:security@radapp.dev).
+Instead, please report them to the [radiuscoreteam@service.microsoft.com](mailto:radiuscoreteam@service.microsoft.com).
 
 You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.