Add security governance files#7

Open
pdettori wants to merge 1 commit into orchestrate/ci from orchestrate/security

Conversation

@pdettori
Contributor

Summary

  • CODEOWNERS — Default ownership to @kagenti/maintainers, CI/platform config to @kagenti/admins
  • SECURITY.md — Vulnerability reporting via GitHub Security Advisories, response timeline, documents deployed security controls (Trivy, CodeQL, Dependabot, Scorecard, action pinning)
  • CONTRIBUTING.md — Development setup, PR process, conventional commit format, DCO sign-off requirement, code style guide
  • Root .gitignore — Secret/credential patterns (.env.*, *.key, *.pem, *kubeconfig*), IDE/OS files, ruff cache

LICENSE (Apache 2.0) already exists — verified, no changes needed.

Depends on #6 (CI) → #5 (tests) → #4 (pre-commit).

Recommended branch protection rules for main

These cannot be applied via PR and should be configured manually:

  • Require PR reviews (minimum 1 approval)
  • Require status checks to pass: lint-and-test, dependency-review, trivy-scan, codeql
  • Disable force push to main
  • Require branches to be up to date before merging
  • Require conversation resolution before merging

Test plan

  • Verify CODEOWNERS assigns correct reviewers on PR
  • Verify SECURITY.md links to correct security advisory URL
  • Verify .gitignore blocks secrets (create .env.test and confirm it's ignored)

🤖 Generated with Claude Code
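The .gitignore check from the test plan, scripted as an added example (not part of this PR or the kagenti repositories): it builds a throwaway repository with the four secret/credential patterns listed in the summary and asks `git check-ignore` which paths they cover. The file names tested are constructed; `.env.test` is the one the test plan names.

```shell
#!/bin/sh
# Added example, not from the PR. Requires git on PATH.

gitignore_secret_check() {
  repo=$(mktemp -d) || return 1
  git -C "$repo" init -q

  # The secret/credential patterns the PR summary lists for the root .gitignore.
  printf '%s\n' '.env.*' '*.key' '*.pem' '*kubeconfig*' > "$repo/.gitignore"

  status=0

  # Constructed paths that the patterns must ignore (check-ignore does not
  # need the files to exist; a pattern without "/" matches at any depth).
  for f in .env.test deploy/server.key certs/ca.pem config/prod-kubeconfig.yaml; do
    git -C "$repo" check-ignore -q "$f" || { echo "NOT ignored: $f"; status=1; }
  done

  # Constructed paths that must remain trackable; a false positive here
  # would silently keep legitimate files out of the repository.
  for f in README.md src/app.py; do
    ! git -C "$repo" check-ignore -q "$f" || { echo "unexpectedly ignored: $f"; status=1; }
  done

  rm -rf "$repo"
  return $status
}
```

Run `gitignore_secret_check && echo ok`; a non-zero exit names the first path whose ignore status did not match.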

…md, .gitignore)

Add security governance files:
- .github/CODEOWNERS: default ownership to @kagenti/maintainers,
  CI/platform to @kagenti/admins
- SECURITY.md: vulnerability reporting via GitHub Security Advisories,
  response timeline, and security controls documentation
- CONTRIBUTING.md: dev setup, PR process, commit conventions, DCO sign-off
- .gitignore (root): secret/credential patterns, IDE/OS files, ruff cache

LICENSE (Apache 2.0) already exists — no changes needed.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>