Add security governance files#3

Merged
pdettori merged 1 commit into main from orchestrate/security
Mar 13, 2026

Conversation

@pdettori
Contributor

Summary

Phase 5 of repo orchestration — security governance for agent-toolkit.

  • .github/CODEOWNERS — Default ownership to @kagenti/maintainers, platform CI to @kagenti/platform
  • SECURITY.md — Vulnerability reporting via GitHub Security Advisories, 48h acknowledgment SLA, documents deployed security controls (Trivy, CodeQL, Dependabot, Scorecard, action pinning)
  • CONTRIBUTING.md — Development setup, PR process, conventional commits, DCO sign-off requirement
  • .gitignore — Hardened with secrets/credentials patterns (.env.*, *.key, *.pem, *kubeconfig*), IDE (.idea/, .vscode/), and OS files (.DS_Store)

Branch protection recommendations

After merging, configure these branch protection rules for main:

  • Require PR reviews (minimum 1 approval)
  • Require status checks: Lint & Test, Dependency Review, Trivy Filesystem Scan, CodeQL Analysis, Verify Action Pinning
  • Disable force push to main
  • Require branches to be up to date before merging
  • Require conversation resolution before merging

Test plan

  • Verify CODEOWNERS assigns reviewers on a test PR
  • Verify SECURITY.md links to correct security advisory page
  • Verify .gitignore excludes .env.local, *.pem, .idea/

🤖 Generated with Claude Code
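The .gitignore hardening and the corresponding test-plan item ("Verify .gitignore excludes .env.local, *.pem, .idea/") can be checked mechanically rather than by eye. The script below is an added example, not code from this PR or the kagenti project: it rebuilds a .gitignore from the patterns the PR description lists (the PR's actual file is not shown here, so that list is a reconstruction), then asks `git check-ignore` which paths would be excluded. It assumes `git` is installed.

```shell
#!/bin/sh
# Added example, not code from the PR: rebuilds a .gitignore from the patterns
# the PR description lists and checks it with `git check-ignore`.
# Assumptions: git is installed; the PR's actual .gitignore is not shown on
# the page, so the pattern list in setup_repo is a reconstruction.

# Create a throwaway repo holding the reconstructed .gitignore; print its path.
setup_repo() {
  tmp=$(mktemp -d) || return 1
  git -C "$tmp" init -q || return 1
  cat > "$tmp/.gitignore" <<'EOF'
# secrets / credentials
.env.*
*.key
*.pem
*kubeconfig*
# IDE
.idea/
.vscode/
# OS
.DS_Store
EOF
  printf '%s\n' "$tmp"
}

# is_ignored REPO PATH: exit 0 when git would ignore PATH (the path need not exist).
is_ignored() {
  git -C "$1" check-ignore -q "$2"
}

# Run the PR's test-plan check (.env.local, *.pem, .idea/) plus one probe per
# listed pattern, and confirm ordinary project files are still tracked.
check_gitignore() {
  repo=$(setup_repo) || return 1
  rc=0
  for p in .env.local certs/server.pem keys/deploy.key config/prod-kubeconfig.yaml \
           .idea/workspace.xml .vscode/settings.json docs/.DS_Store; do
    is_ignored "$repo" "$p" || { echo "NOT ignored: $p"; rc=1; }
  done
  for p in src/main.py README.md SECURITY.md .github/CODEOWNERS; do
    is_ignored "$repo" "$p" && { echo "wrongly ignored: $p"; rc=1; }
  done
  rm -rf "$repo"
  return "$rc"
}

# Caveat: `.env.*` does not match a bare `.env`; is_ignored "$repo" .env returns 1.
```

Running `check_gitignore` exits 0 when every listed secret, IDE and OS probe is ignored and no ordinary file is; the caveat comment shows one gap a reviewer may want to raise, since a bare `.env` file is not covered by `.env.*`.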

…md, .gitignore)

Add security governance baseline for agent-toolkit:
- .github/CODEOWNERS with kagenti team ownership
- SECURITY.md with vulnerability reporting via GitHub Security Advisories
- CONTRIBUTING.md with development setup, PR process, DCO sign-off
- .gitignore hardened with secrets, credentials, IDE, and OS patterns

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@pdettori
Contributor Author

CI failing until python code to scan/lint is present

@pdettori pdettori merged commit d4a93e6 into main Mar 13, 2026
3 of 7 checks passed
@pdettori pdettori deleted the orchestrate/security branch March 13, 2026 18:18