Update SECURITY-INSIGHTS (#229)

aaguiarz · aaguiarz · commit 2eaaeb370067 · 2026-01-13T10:02:31.000-03:00
* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"

* "chore: updating SECURITY-INSIGHTS"
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
@@ -0,0 +1,113 @@
+# Security Insights 2.0 file https://github.com/ossf/security-insights
+# Schema: https://github.com/ossf/security-insights/blob/main/spec/schema.cue
+header:
+  schema-version: 2.0.0
+  last-updated: '2025-07-26'
+  last-reviewed: '2025-07-26'
+  url: https://github.com/openfga/api
+  project-si-source: https://raw.githubusercontent.com/openfga/.github/main/SECURITY-INSIGHTS.yml
+  comment: Protocol Buffers used by OpenFGA.
+
+repository:
+  url: https://github.com/openfga/api
+  status: active
+  bug-fixes-only: false
+  accepts-change-request: true
+  accepts-automated-change-request: true
+  no-third-party-packages: false
+  core-team:
+    - name: Poovamraj Thanganadar Thiagarajan
+      affiliation: Okta
+      email: poovamraj.thanganadarthiagarajan@okta.com
+      social: https://github.com/poovamraj
+      primary: true
+    - name: Adrian Tam
+      affiliation: Okta
+      email: adrian.tam@okta.com
+      social: https://github.com/adriantam
+    - name: Jose Padilla
+      affiliation: Okta
+      email: jose.padilla@okta.com
+      social: https://github.com/jpadilla
+    - name: Joshua Jones
+      affiliation: Okta
+      email: joshua.jones@okta.com
+      social: https://github.com/senojj
+    - name: Justin Cohen
+      affiliation: Okta
+      email: justin.cohen@okta.com
+      social: https://github.com/justincoh
+    - name: Raghd Hamzeh
+      affiliation: Okta
+      email: raghd.hamzeh@okta.com
+      social: https://github.com/rhamzeh
+    - name: Victoria Johns
+      affiliation: Okta
+      email: victoria.johns@okta.com
+      social: https://github.com/vic-dev
+    - name: Will Vedder
+      affiliation: Okta
+      email: will.vedder@okta.com
+      social: https://github.com/willvedd
+    - name: Yamil Asusta
+      affiliation: Okta
+      email: yamil.asusta@okta.com
+      social: https://github.com/elbuo8
+    - name: Zilvinas Vilutis
+      affiliation: Okta
+      email: zilvinas.vilutis@okta.com
+      social: https://github.com/cikasfm
+
+  license:
+    url: https://raw.githubusercontent.com/openfga/api/main/LICENSE
+    expression: Apache-2.0
+
+  documentation:
+    contributing-guide: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
+    dependency-management-policy: https://github.com/openfga/openfga/blob/main/docs/dependencies-policy.md
+    governance: https://github.com/openfga/.github/blob/main/GOVERNANCE.md
+    review-policy: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
+    security-policy: https://github.com/openfga/api/security.md
+
+  security:
+    assessments:
+      self:
+        evidence: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/joint-assessment.md
+        date: '2024-12-19'
+        comment: OpenFGA has completed a CNCF security joint assessment with CNCF TAG Security and Compliance
+
+    champions:
+      - name: Justin Cohen
+        email: justin.cohen@okta.com
+        primary: true
+    tools:
+      - name: Dependabot
+        type: SCA
+        version: latest
+        rulesets:
+          - built-in
+        integration:
+          adhoc: false
+          ci: true
+          release: true
+        comment: Dependabot is enabled for this repo to automatically update dependencies.
+      - name: Snyk
+        type: SCA
+        version: latest
+        rulesets:
+          - built-in
+        integration:
+          adhoc: false
+          ci: true
+          release: true
+        comment: Snyk is enabled for this repo to scan for vulnerabilities.
+      - name: Socket
+        type: other
+        version: latest
+        rulesets:
+          - built-in
+        integration:
+          adhoc: false
+          ci: true
+          release: true
+        comment: Socket is enabled for this repo to scan for supply chain security vulnerabilities.
