Security self-assessment of cogeol¶
Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/
Table of Contents¶
- Metadata
- Overview
- Self-assessment use
- Security functions and features
- Project compliance
- Secure development practices
- Security issue resolution
- Appendix
Metadata¶
| Category | Resource |
|---|---|
| Assessment Stage | Complete |
| Creator | open-nudge |
| Software | https://github.com/open-nudge/cogeol ⧉ |
| Website | https://open-nudge.github.io/cogeol ⧉ |
| Security Provider | No |
| Languages | Python |
| SBOM | https://github.com/open-nudge/cogeol/releases ⧉ |
Security links¶
| Category | Resource |
|---|---|
| Security File | https://github.com/open-nudge/cogeol/blob/main/SECURITY.md ⧉ |
| Security Insights | https://github.com/open-nudge/cogeol/blob/main/SECURITY-INSIGHTS.yml ⧉ |
| Dependencies | https://github.com/open-nudge/cogeol/blob/main/pyproject.toml ⧉ |
| Release Artifacts | https://github.com/open-nudge/cogeol/releases ⧉ |
Overview¶
Align with supported Python versions - automated with endoflife.date
Background¶
Currently, when a given Python reaches its end of life, the project maintainers have to manually update their supported Python versions.
This tool allows to automate this project by connecting to endoflife.date ⧉ and using static code generation change the versions where specified by the user via cog ⧉.
Actors¶
- opennudge ⧉ - organization providing core security features
Actions¶
- All security features are provided by opentemplate ⧉
Goals¶
Automating end-of-life Python version updates in the project, security guarantees provided by opentemplate ⧉
Non-goals¶
- Comprehensive Python version management
- Updating versions automatically, without user specification via code
- Updates for other tools/languages than Python
Self-assessment use¶
This self-assessment was automatically generated by the opentemplate ⧉ template to provide basic security information about the project. It should be extended by adding project-specific security information.
Important
opennudge ⧉ does not intend to provide a security audit of the project or function as an independent assessment or attestation of its security posture.
Security functions and features¶
| Component | Applicability | Description of Importance |
|---|---|---|
| template | Critical | Base GitHub template of the repository provided by opennudge. Used to provide initial security posture (pipelines, pre-commit, practices, hardening etc.) See open-nudge/cogeol ⧉ for more information |
Project compliance¶
Project tries to comply with the following security standards:
- SLSA ⧉ - L3+ if the project is public or coming from a GitHub Enterprise Account with Advanced Security, L2 otherwise
- The project is currently not third-party audited or verified
Secure development practices¶
Deployment pipeline¶
Core of the deployment pipeline is based on the following tools:
- opentemplate ⧉ : see open-nudge/opentemplate ⧉ for more information
Communication channels¶
You can reach out to us by Private Security Reporting ⧉ or by:
- means of communication provided at the account level here ⧉
- opening an issue in the repository (somebody will get back to you)
Ecosystem¶
This project is a part of the Python ecosystem.
Security issue resolution¶
The open-nudge/cogeol ⧉ security policy is maintained in the SECURITY.md ⧉ file.
Responsible disclosure practice¶
The open-nudge/cogeol ⧉ accepts vulnerability reports as outlined in the security policy defined in SECURITY.md ⧉ file.
Incident response¶
As defined in SECURITY.md ⧉, usually response should take up to a few working days, if not please reach out at security@opennudge.com.
Appendix¶
- Project is largely aligned with the Open Source Security Foundation best practices ⧉
- Some false negatives regarding the best practices were spotted (e.g. not using fuzzing), consult
scorecard.ymlfor more information