Security self-assessment of pratidoc
Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/
Table of Contents
- Metadata
- Overview
- Self-assessment use
- Security functions and features
- Project compliance
- Secure development practices
- Security issue resolution
- Appendix
Metadata
| Category | Resource |
|---|---|
| Assessment Stage | Incomplete |
| Creator | open-nudge |
| Software | https://github.com/open-nudge/pratidoc |
| Website | https://open-nudge.github.io/pratidoc |
| Security Provider | No |
| Languages | Python |
| SBOM | https://github.com/open-nudge/pratidoc/releases |
Security links
| Category | Resource |
|---|---|
| Security File | https://github.com/open-nudge/pratidoc/blob/main/SECURITY.md |
| Security Insights | https://github.com/open-nudge/pratidoc/blob/main/SECURITY-INSIGHTS.yml |
| Dependencies | https://github.com/open-nudge/pratidoc/blob/main/pyproject.toml |
| Release Artifacts | https://github.com/open-nudge/pratidoc/releases |
Overview
Lint your repository docs - ensure the essentials are always there.
Background
pratidoc is a documentation checker which verifies that your project contains best-practice documents (e.g. SECURITY.md or README.md).
Actors
- opennudge - organization providing core security features
Actions
- Core security features are provided by opentemplate
Goals
Check that the essential set of files is present within the repository.
Non-goals
Verifying the actual content of the files or their coherence.
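As an added illustration of the goal and non-goal above (example code, not pratidoc's own), a presence-only check: it reports which essential documents are absent from a checkout without reading any file's content. The set of essential documents and the accepted locations (root, .github/, docs/) are assumptions made for this example; pratidoc's own defaults may differ.

```python
from pathlib import Path
from typing import Iterable

# Assumed set of essential documents and the relative paths accepted for each
# (GitHub recognises community health files in the root, .github/ and docs/).
ESSENTIAL_DOCS = {
    "README": ("README.md", "README.rst", "README"),
    "SECURITY": ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"),
    "LICENSE": ("LICENSE", "LICENSE.md", "LICENSE.txt"),
    "CONTRIBUTING": ("CONTRIBUTING.md", ".github/CONTRIBUTING.md", "docs/CONTRIBUTING.md"),
    "CODE_OF_CONDUCT": ("CODE_OF_CONDUCT.md", ".github/CODE_OF_CONDUCT.md", "docs/CODE_OF_CONDUCT.md"),
}


def missing_docs(present: Iterable[str]) -> list[str]:
    """Return the names of essential documents for which no accepted path is present.

    `present` is an iterable of repository-relative file paths. Matching is
    case-insensitive and tolerant of Windows separators, and only presence is
    checked: the file's content and coherence are deliberately out of scope.
    """
    normalised = {p.replace("\\", "/").lower() for p in present}
    return [
        name
        for name, candidates in ESSENTIAL_DOCS.items()
        if not any(candidate.lower() in normalised for candidate in candidates)
    ]


def scan_repository(root: Path) -> list[str]:
    """Walk a checkout (skipping .git) and report the missing essentials."""
    present = (
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and ".git" not in p.parts
    )
    return missing_docs(present)


if __name__ == "__main__":
    import sys

    # Non-zero exit makes the check usable as a CI or pre-commit gate.
    missing = scan_repository(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for name in missing:
        print(f"missing: {name}")
    sys.exit(1 if missing else 0)
```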
Self-assessment use
This self-assessment was automatically generated by the opentemplate template to provide basic security information about the project. It should be extended by adding project-specific security information.
Important
opennudge does not intend to provide a security audit of the project or function as an independent assessment or attestation of its security posture.
Security functions and features
| Component | Applicability | Description of Importance |
|---|---|---|
| template | Critical | Base GitHub template of the repository provided by opennudge. Used to provide the initial security posture (pipelines, pre-commit, practices, hardening, etc.). See open-nudge/pratidoc for more information. |
Project compliance
The project tries to comply with the following security standards:
- SLSA - L3+ if the project is public or coming from a GitHub Enterprise account with Advanced Security, L2 otherwise
- The project is currently not third-party audited or verified
Secure development practices
Deployment pipeline
The core of the deployment pipeline is based on the following tools:
- opentemplate: see open-nudge/opentemplate for more information
Communication channels
You can reach out to us by Private Security Reporting or by:
- the means of communication provided at the account level here
- opening an issue in the repository (somebody will get back to you)
Ecosystem
This project is a part of the Python ecosystem.
Security issue resolution
The open-nudge/pratidoc security policy is maintained in the SECURITY.md file.
Responsible disclosure practice
The open-nudge/pratidoc project accepts vulnerability reports as outlined in the security policy defined in the SECURITY.md file.
Incident response
If you discover a security vulnerability within open-nudge/pratidoc, please report it as outlined in the SECURITY.md file or contact security@opennudge.com.
Appendix
- The project is largely aligned with the Open Source Security Foundation best practices
- Some false negatives regarding the best practices were spotted (e.g. not using fuzzing); consult scorecard.yml for more information