Skip to content

feat(security): enhance supply-chain security with OpenSSF Scorecard and SBOM#74

Merged
pinikomarov merged 1 commit into
mainfrom
security/openssf-scorecard
Jul 14, 2026
Merged

feat(security): enhance supply-chain security with OpenSSF Scorecard and SBOM#74
pinikomarov merged 1 commit into
mainfrom
security/openssf-scorecard

Conversation

@cjeanner

@cjeanner cjeanner commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Add comprehensive supply-chain security controls to improve project security posture and automated dependency monitoring.

Changes:

  • Add SECURITY.md with vulnerability reporting policy and Red Hat PSIRT disclosure process
  • Add OpenSSF Scorecard workflow for automated security scoring published to GitHub Security tab and securityscorecards.dev API
  • Generate SPDX SBOM for Helm charts to satisfy SLSA provenance requirements
  • Add OWNERS file to document project maintainers and reviewers
  • Pin all new GitHub Actions to commit SHAs for supply-chain integrity

The Scorecard workflow runs weekly and on branch protection changes, providing continuous visibility into security best practices. SBOM artifacts are uploaded with 90-day retention and will be attached to future GitHub Releases.

@cjeanner cjeanner self-assigned this Jul 8, 2026
@cjeanner cjeanner force-pushed the security/openssf-scorecard branch from 0921d07 to 2d5aaed Compare July 8, 2026 09:39
@pinikomarov

pinikomarov commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

looks ok to me , answers the issues described in FIND-011,
ok to approve once PR in ready status

…and SBOM

Add comprehensive supply-chain security controls to improve project security
posture and automated dependency monitoring.

Changes:
- Add SECURITY.md with vulnerability reporting policy and Red Hat PSIRT
  disclosure process
- Add OpenSSF Scorecard workflow for automated security scoring published to
  GitHub Security tab and securityscorecards.dev API
- Generate SPDX SBOM for Helm charts to satisfy SLSA provenance requirements
- Add OWNERS file to document project maintainers and reviewers
- Pin all new GitHub Actions to commit SHAs for supply-chain integrity

The Scorecard workflow runs weekly and on branch protection changes, providing
continuous visibility into security best practices. SBOM artifacts are uploaded
with 90-day retention and will be attached to future GitHub Releases.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cjeanner cjeanner force-pushed the security/openssf-scorecard branch from 2d5aaed to f7c64c2 Compare July 14, 2026 12:00
@cjeanner cjeanner marked this pull request as ready for review July 14, 2026 12:02
@cjeanner cjeanner requested a review from pinikomarov July 14, 2026 12:27
@cjeanner

cjeanner commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

This safety net doesn't work as expected. Dropping the PR, since it's adding useless complexity.

wrong PR ;_;

@cjeanner cjeanner closed this Jul 14, 2026
@cjeanner cjeanner deleted the security/openssf-scorecard branch July 14, 2026 14:50
@cjeanner cjeanner restored the security/openssf-scorecard branch July 14, 2026 14:53
@cjeanner cjeanner reopened this Jul 14, 2026

@pinikomarov pinikomarov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@pinikomarov pinikomarov merged commit 4956034 into main Jul 14, 2026
6 checks passed
@pinikomarov pinikomarov deleted the security/openssf-scorecard branch July 14, 2026 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants