Security self-assessment of loadfig
Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/
Table of Contents
- Metadata
- Overview
- Self-assessment use
- Security functions and features
- Project compliance
- Secure development practices
- Security issue resolution
- Appendix
Metadata
| Category | Resource |
| --- | --- |
| Assessment Stage | Incomplete |
| Creator | open-nudge |
| Software | https://github.com/open-nudge/loadfig |
| Website | https://open-nudge.github.io/loadfig |
| Security Provider | No |
| Languages | Python |
| SBOM | https://github.com/open-nudge/loadfig/releases |
Security links
| Category | Resource |
| --- | --- |
| Security File | https://github.com/open-nudge/loadfig/blob/main/SECURITY.md |
| Security Insights | https://github.com/open-nudge/loadfig/blob/main/SECURITY-INSIGHTS.yml |
| Dependencies | https://github.com/open-nudge/loadfig/blob/main/pyproject.toml |
| Release Artifacts | https://github.com/open-nudge/loadfig/releases |
Overview
One-liner Python pyproject config loader. Lightweight and VCS-aware, with project-root auto-discovery.
Background
Lightweight library that loads settings from `pyproject.toml` or `.<tool_name>.toml`. It has no dependencies, but supports locating the root of the project as defined by a VCS such as Git, Mercurial, or Bazaar.
Actors
- opennudge - organization providing core security features
Actions
- All security features are provided by opentemplate
Goals
Unifying configuration loading of tools from Python settings files (currently `pyproject.toml` or, optionally, `.<tool_name>.toml`).
Non-goals
- Loading configuration from sources other than `pyproject.toml` or `.<tool_name>.toml` (e.g. environment variables)
- Management of configuration files such as `pyproject.toml` or `.<tool_name>.toml` (e.g. creation, modification, deletion)
Self-assessment use
This self-assessment was automatically generated by the opentemplate template to provide basic security information about the project. It should be extended by adding project-specific security information.
Important
opennudge does not intend to provide a security audit of the project or function as an independent assessment or attestation of its security posture.
Security functions and features
| Component | Applicability | Description of Importance |
| --- | --- | --- |
| template | Critical | Base GitHub template of the repository provided by opennudge. Used to provide the initial security posture (pipelines, pre-commit, practices, hardening, etc.). See open-nudge/loadfig for more information |
Project compliance
The project tries to comply with the following security standards:
- SLSA - L3+ if the project is public or comes from a GitHub Enterprise account with Advanced Security, L2 otherwise
- The project is currently not third-party audited or verified
Secure development practices
Deployment pipeline
The core of the deployment pipeline is based on the following tools:
- opentemplate: see open-nudge/opentemplate for more information
Communication channels
You can reach out to us by Private Security Reporting or by:
- the means of communication provided at the account level
- opening an issue in the repository (somebody will get back to you)
Ecosystem
This project is a part of the Python ecosystem.
Security issue resolution
The open-nudge/loadfig security policy is maintained in the SECURITY.md file.
Responsible disclosure practice
The open-nudge/loadfig project accepts vulnerability reports as outlined in the security policy defined in the SECURITY.md file.
Incident response
As defined in SECURITY.md, a response should usually take up to a few working days; if not, please reach out at security@opennudge.com.
Appendix
- The project is aligned to a significant degree with the Open Source Security Foundation best practices
- Some false negatives regarding the best practices were spotted (e.g. not using fuzzing); consult scorecard.yml for more information