diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..9478574 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,29 @@ +# CODEOWNERS +# +# Defines code ownership for automatic review requests on pull requests. +# Owners are notified when files in their area are changed. +# +# Syntax: [ ...] +# Patterns follow .gitignore rules. Last matching rule wins. +# +# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default: all maintainers review everything +* @kagenti/plugin-adapters-maintainers + +# CI and developer tooling +.github/ @kagenti/plugin-adapters-maintainers +Makefile @kagenti/plugin-adapters-maintainers +pyproject.toml @kagenti/plugin-adapters-maintainers +.pre-commit-config.yaml @kagenti/plugin-adapters-maintainers + +# Core server implementation — highest impact changes +src/ @kagenti/plugin-adapters-maintainers + +# Plugin framework and examples +plugins/ @kagenti/plugin-adapters-maintainers + +# Documentation and governance +*.md @kagenti/plugin-adapters-maintainers +CODEOWNERS @kagenti/plugin-adapters-maintainers +SECURITY.md @kagenti/plugin-adapters-maintainers diff --git a/.gitignore b/.gitignore index 285986c..57a214c 100644 --- a/.gitignore +++ b/.gitignore @@ -135,6 +135,8 @@ celerybeat.pid # Environments .env +.env.* +.env.local .venv env/ venv/ 
@@ -166,9 +168,18 @@ dmypy.json # Cython debug symbols cython_debug/ -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ +# PyCharm / JetBrains +.idea/ + +# VS Code +.vscode/ + +# Credentials and secrets +*.pem +*.key +*.p12 +*.jks +kubeconfig +*kubeconfig* +credentials.* +secrets.* diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..53db650 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,62 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security vulnerabilities through GitHub Security Advisories — +**do NOT open public issues for security bugs**. + +**[Report a vulnerability →](https://github.com/kagenti/plugins-adapter/security/advisories/new)** + +Include: +- A clear description of the vulnerability +- Steps to reproduce +- Potential impact assessment +- Any suggested mitigations (optional) + +## Response Timeline + +| Stage | Target | +|-------|--------| +| Acknowledgment | Within 48 hours | +| Initial assessment | Within 7 days | +| Status update | Weekly until resolved | +| Credit | In the security advisory (if desired) | + +## Supported Versions + +| Version | Supported | +|---------|-----------| +| `main` | ✅ | + +Older tagged releases receive security fixes on a best-effort basis. + +## Security Controls + +This repository implements the following security measures: + +| Control | Tool | +|---------|------| +| Dependency vulnerability scanning | Trivy (CRITICAL/HIGH on PRs) | +| Dependency updates | Dependabot (weekly, all ecosystems) | +| Python SAST | Bandit (HIGH severity blocks PRs) | +| Code analysis | CodeQL (security-extended queries) | +| Dockerfile lint | Hadolint | +| Secret detection | Pre-commit hooks | +| Supply chain | OpenSSF Scorecard (weekly), SHA-pinned actions | +| License compliance | Dependency Review Action (GPL/AGPL blocked) | + +## Security-Sensitive Areas + +Changes to the following require extra scrutiny: + +- `src/server.py` — gRPC ext-proc server handling all traffic +- `plugins/` — Plugin interface and example implementations +- `.github/workflows/` — CI/CD pipeline +- `Dockerfile` — Container image + +## Disclosure Policy + +We follow coordinated disclosure. Once a fix is available: +1. A security advisory is published on GitHub +2. A new release tag is pushed +3. The advisory is made public (typically 7 days after the fix is released)
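Review bot: The `# Syntax: [ ...]` comment in the new CODEOWNERS header has lost its placeholders and reads as incomplete; restore it as `# Syntax: <pattern> <owner> [<owner> ...]` or drop the line, since the GitHub reference link right below it already documents the format. Separately, every rule from `.github/` down to `SECURITY.md` assigns the same `@kagenti/plugin-adapters-maintainers` team that the `*` default line already assigns, so the per-path rules (including the `src/` rule labelled "highest impact changes", and the `SECURITY.md` rule that `*.md` already covers) currently add no review distinction; either point the sensitive paths at a narrower team or trim the file to the `*` line so it does not suggest a tiering that is not actually enforced.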
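Review bot: `.env.local` in the Environments block is already matched by the `.env.*` line added just above it and can be dropped; more importantly, `.env.*` will also ignore a committed template such as a hypothetical `.env.example` if the project ever adds one, so consider a trailing `!.env.example` negation so documented configuration stays tracked while real env files stay out of the repository.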
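Review bot: In the new "Credentials and secrets" block, `kubeconfig` is subsumed by `*kubeconfig*` on the next line, and the blanket `*.pem` / `*.key` patterns will also silence public certificates or test fixtures that are intentionally versioned; if the repo carries such files, add explicit `!` exceptions now rather than force-adding them later. Note also that ignore rules only stop new files from being staged: anything already tracked under these names stays in history, so this block is a convenience layer under the pre-commit secret detection that SECURITY.md advertises, not a control on its own.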
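Review bot: The Disclosure Policy steps read out of order: step 1 says the advisory "is published on GitHub" while step 3 says it "is made public" typically 7 days after the fix; reword step 1 to "A security advisory is drafted on GitHub" (or move publication to step 3) so the timeline is unambiguous. The Security Controls table also states enforcement thresholds (Trivy CRITICAL/HIGH, Bandit HIGH blocking PRs, SHA-pinned actions, GPL/AGPL blocked) that none of the files in this PR implement; add links to the workflow and pre-commit files that back each row so the claims are auditable, and consider mentioning the `.gitignore` secret patterns added in this same change under "Secret detection", since they are a separate layer from the pre-commit hooks.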