Security self-assessment of opentemplate
Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/
Table of Contents
- Metadata
- Overview
- Self-assessment use
- Security functions and features
- Project compliance
- Secure development practices
- Security issue resolution
- Appendix
Metadata
Category | Resource |
---|---|
Assessment Stage | Complete |
Creator | open-nudge |
Software | https://github.com/open-nudge/opentemplate |
Website | https://open-nudge.github.io/opentemplate |
Security Provider | Yes |
Languages | Python |
SBOM | https://github.com/open-nudge/opentemplate/releases |
Security links
Category | Resource |
---|---|
Security File | https://github.com/open-nudge/opentemplate/blob/main/SECURITY.md |
Security Insights | https://github.com/open-nudge/opentemplate/blob/main/SECURITY-INSIGHTS.yml |
Dependencies | https://github.com/open-nudge/opentemplate/blob/main/pyproject.toml |
Release Artifacts | https://github.com/open-nudge/opentemplate/releases |
Overview
The simplest to use, yet the most comprehensive Python template
Background
This project provides a base for Python projects, supplying developer workflows, a security posture and best practices out of the box.
Actors
- opennudge - the organization providing the core security features
Actions
- OSSF Scorecard
- Security file
- Security Insights Specification, as defined in the project's SECURITY-INSIGHTS.yml
- Security Self Assessment
- Security Dependencies Policy
- Renovate Bot for automated dependency updates
- Software Bills of Materials (SBOMs)
- Sigstore signing of release artifacts, as published on the releases page
- GitHub Actions CI/CD pipelines with minimal permissions
- GitHub Actions CI/CD pipelines hardened via Harden Runner
- Pre-commit hooks for local code quality and security verification
Goals
Provide a high-quality, secure project template free of charge.
Non-goals
Full automation of security for every type of Python project (e.g. web projects using cloud services).
Self-assessment use
This self-assessment was automatically generated by the opentemplate template to provide basic security information about the project. It should be extended by adding project-specific security information.
Important
opennudge does not intend to provide a security audit of the project or function as an independent assessment or attestation of its security posture.
Security functions and features
Component | Applicability | Description of Importance |
---|---|---|
template | Critical | Base GitHub template of the repository provided by opennudge. Used to provide the initial security posture (pipelines, pre-commit, practices, hardening etc.). See open-nudge/opentemplate for more information |
Project compliance
The project aims to comply with the following security standards:
- SLSA - L3+ if the project is public or hosted in a GitHub Enterprise account with Advanced Security, L2 otherwise
- The project is currently not third-party audited or verified
Secure development practices
Deployment pipeline
The core of the deployment pipeline is based on the following tools:
- opentemplate: see open-nudge/opentemplate for more information
Communication channels
You can reach out to us by Private Security Reporting or by:
- the means of communication provided at the account level
- opening an issue in the repository (somebody will get back to you)
Ecosystem
This project is a part of the Python ecosystem.
Security issue resolution
The open-nudge/opentemplate security policy is maintained in the SECURITY.md file.
Responsible disclosure practice
The open-nudge/opentemplate project accepts vulnerability reports as outlined in the security policy defined in the SECURITY.md file.
Incident response
Project maintainers will respond to security incidents privately on a case-by-case basis.
Appendix
- The project is largely aligned with the Open Source Security Foundation best practices
- Some false negatives regarding the best practices were spotted (e.g. not using fuzzing); consult scorecard.yml for more information