From b9a16f1e86f740d1eb57d82a01b34db3edda742f Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 07:23:48 -0300
Subject: [PATCH 1/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 101 ++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 .github/SECURITY-INSIGHTS.yml
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..1ac04163
--- /dev/null
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -0,0 +1,101 @@
+header:
+ schema-version: 2.0.0
+ last-updated: '2025-07-26'
+ last-reviewed: '2025-07-26'
+ url: https://github.com/openfga/api
+ project-si-source: https://raw.githubusercontent.com/openfga/.github/main/SECURITY-INSIGHTS.yml
+ comment: Protocol Buffers used by OpenFGA.
+
+repository:
+ url: https://github.com/openfga/api
+ status: active
+ bug-fixes-only: false
+ accepts-change-request: true
+ accepts-automated-change-request: true
+ no-third-party-packages: false
+ core-team:
+ - name: Poovamraj Thanganadar Thiagarajan
+ affiliation: Okta
+ email: poovamraj.thanganadarthiagarajan@okta.com
+ social: https://github.com/poovamraj
+ primary: true
+ - name: Adrian Tam
+ affiliation: Okta
+ email: adrian.tam@okta.com
+ social: https://github.com/adriantam
+ - name: Jose Padilla
+ affiliation: Okta
+ email: jose.padilla@okta.com
+ social: https://github.com/jpadilla
+ - name: Joshua Jones
+ affiliation: Okta
+ email: joshua.jones@okta.com
+ social: https://github.com/senojj
+ - name: Justin Cohen
+ affiliation: Okta
+ email: justin.cohen@okta.com
+ social: https://github.com/justincoh
+ - name: Raghd Hamzeh
+ affiliation: Okta
+ email: raghd.hamzeh@okta.com
+ social: https://github.com/rhamzeh
+ - name: Victoria Johns
+ affiliation: Okta
+ email: victoria.johns@okta.com
+ social: https://github.com/vic-dev
+ - name: Will Vedder
+ affiliation: Okta
+ email: will.vedder@okta.com
+ social: https://github.com/willvedd
+ - name: Yamil Asusta
+ affiliation: Okta
+ email: yamil.asusta@okta.com
+ social: https://github.com/elbuo8
+ - name: Zilvinas Vilutis
+ affiliation: Okta
+ email: zilvinas.vilutis@okta.com
+ social: https://github.com/cikasfm
+
+ license:
+ url: https://raw.githubusercontent.com/openfga/api/main/LICENSE
+ expression: Apache-2.0
+
+ documentation:
+ contributing-guide: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
+ dependency-management-policy: https://github.com/openfga/openfga/blob/main/docs/dependencies-policy.md
+ governance: https://github.com/openfga/.github/blob/main/GOVERNANCE.md
+ review-policy: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
+ security-policy: https://github.com/openfga/api/SECURITY.md
+
+ security:
+ assessments:
+ self:
+ evidence: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/joint-assessment.md
+ date: '2024-12-19'
+ comment: OpenFGA has completed a CNCF security join assessment with CNCF TAG-Security
+
+ champions:
+ - name: Justin Cohen
+ email: justin.cohen@okta.com
+ primary: true
+ tools:
+ - name: Dependabot
+ type: SCA
+ version: latest
+ rulesets:
+ - built-in
+ integration:
+ adhoc: false
+ ci: true
+ release: true
+ comment: Dependabot is enabled for this repo to automatically update dependencies.
+ - name: Snyk
+ type: SCA
+ version: latest
+ rulesets:
+ - built-in
+ integration:
+ adhoc: false
+ ci: true
+ release: true
+ comment: Snyk is enabled for this repo to scan for vulnerabilities.
From ba5373cb615d12c8ac0d44906bfadaf66b6fbc92 Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:12:36 -0300
Subject: [PATCH 2/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index 1ac04163..13114749 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -99,3 +99,13 @@ repository:
 ci: true
 release: true
 comment: Snyk is enabled for this repo to scan for vulnerabilities.
+ - name: Socket
+ type: other
+ version: latest
+ rulesets:
+ - built-in
+ integration:
+ adhoc: false
+ ci: true
+ release: true
+ comment: Socket is enabled for this repo to scan for supply chain security vulnerabilities.
From 475b0c319713e77480fcfc9fce1f65c4a1f12224 Mon Sep 17 00:00:00 2001
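Review bot: `last-updated` and `last-reviewed` in `header` are set to `'2025-07-26'`, yet this patch and the seven that follow it are dated 6 Aug 2025 and keep revising the file's content, so the dates already understate the file's age when the series lands. Consumers of Security Insights use these two fields to judge whether the metadata is current, so the last patch of the series should bump at least `last-updated: '2025-08-06'`. The three `integration.release: true` entries under `tools` likewise read as evidence that the scanners gate releases; if that is not actually enforced in the release pipeline, `release: false` is the honest value.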
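Review bot: The new Socket entry is recorded as `type: other`, while Dependabot and Snyk in the same `tools` list are `type: SCA`; the entry's own `comment` describes dependency / supply-chain scanning, which is the same software-composition category, so `type: SCA` would be the consistent value, assuming the schema's enumeration for `type` admits it for this tool. The enclosing `tools` list begins outside the hunk, which shows only the tail of the Snyk entry as context.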
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:18:04 -0300
Subject: [PATCH 3/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 82 +++++++++++++++++------------------
 1 file changed, 41 insertions(+), 41 deletions(-)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index 13114749..3c8a6839 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -14,47 +14,47 @@ repository:
 accepts-automated-change-request: true
 no-third-party-packages: false
 core-team:
- - name: Poovamraj Thanganadar Thiagarajan
- affiliation: Okta
- email: poovamraj.thanganadarthiagarajan@okta.com
- social: https://github.com/poovamraj
- primary: true
- - name: Adrian Tam
- affiliation: Okta
- email: adrian.tam@okta.com
- social: https://github.com/adriantam
- - name: Jose Padilla
- affiliation: Okta
- email: jose.padilla@okta.com
- social: https://github.com/jpadilla
- - name: Joshua Jones
- affiliation: Okta
- email: joshua.jones@okta.com
- social: https://github.com/senojj
- - name: Justin Cohen
- affiliation: Okta
- email: justin.cohen@okta.com
- social: https://github.com/justincoh
- - name: Raghd Hamzeh
- affiliation: Okta
- email: raghd.hamzeh@okta.com
- social: https://github.com/rhamzeh
- - name: Victoria Johns
- affiliation: Okta
- email: victoria.johns@okta.com
- social: https://github.com/vic-dev
- - name: Will Vedder
- affiliation: Okta
- email: will.vedder@okta.com
- social: https://github.com/willvedd
- - name: Yamil Asusta
- affiliation: Okta
- email: yamil.asusta@okta.com
- social: https://github.com/elbuo8
- - name: Zilvinas Vilutis
- affiliation: Okta
- email: zilvinas.vilutis@okta.com
- social: https://github.com/cikasfm
+ - name: Poovamraj Thanganadar Thiagarajan
+ affiliation: Okta
+ email: poovamraj.thanganadarthiagarajan@okta.com
+ social: https://github.com/poovamraj
+ primary: true
+ - name: Adrian Tam
+ affiliation: Okta
+ email: adrian.tam@okta.com
+ social: https://github.com/adriantam
+ - name: Jose Padilla
+ affiliation: Okta
+ email: jose.padilla@okta.com
+ social: https://github.com/jpadilla
+ - name: Joshua Jones
+ affiliation: Okta
+ email: joshua.jones@okta.com
+ social: https://github.com/senojj
+ - name: Justin Cohen
+ affiliation: Okta
+ email: justin.cohen@okta.com
+ social: https://github.com/justincoh
+ - name: Raghd Hamzeh
+ affiliation: Okta
+ email: raghd.hamzeh@okta.com
+ social: https://github.com/rhamzeh
+ - name: Victoria Johns
+ affiliation: Okta
+ email: victoria.johns@okta.com
+ social: https://github.com/vic-dev
+ - name: Will Vedder
+ affiliation: Okta
+ email: will.vedder@okta.com
+ social: https://github.com/willvedd
+ - name: Yamil Asusta
+ affiliation: Okta
+ email: yamil.asusta@okta.com
+ social: https://github.com/elbuo8
+ - name: Zilvinas Vilutis
+ affiliation: Okta
+ email: zilvinas.vilutis@okta.com
+ social: https://github.com/cikasfm
 license:
 url: https://raw.githubusercontent.com/openfga/api/main/LICENSE
From 21b7440979a6dcef4b8357d108003105b4d8bd95 Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:22:01 -0300
Subject: [PATCH 4/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index 3c8a6839..d29642fa 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -1,3 +1,5 @@
+# Security Insights 2.0 file https://github.com/ossf/security-insights
+# Specification: https://github.com/ossf/security-insights/tree/main/spec
 header:
 schema-version: 2.0.0
 last-updated: '2025-07-26'
From 2d97fc19ad1389197d9ce0730d51aff725190a3d Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:31:20 -0300
Subject: [PATCH 5/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index d29642fa..8af34c9b 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -74,7 +74,7 @@ repository:
 self:
 evidence: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/joint-assessment.md
 date: '2024-12-19'
- comment: OpenFGA has completed a CNCF security join assessment with CNCF TAG-Security
+ comment: OpenFGA has completed a CNCF security joint assessment with CNCF TAG-Security
 champions:
 - name: Justin Cohen
From 293aae18a3f3057484eda27e597516fb09064165 Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:33:48 -0300
Subject: [PATCH 6/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index 8af34c9b..c4840fc3 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -74,7 +74,7 @@ repository:
 self:
 evidence: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/joint-assessment.md
 date: '2024-12-19'
- comment: OpenFGA has completed a CNCF security joint assessment with CNCF TAG-Security
+ comment: OpenFGA has completed a CNCF security joint assessment with CNCF TAG Security and Compliance
 champions:
 - name: Justin Cohen
From e8d9240099912ad4f6545136a194b0b0c07d8d22 Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 08:36:31 -0300
Subject: [PATCH 7/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index c4840fc3..1f54d014 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -1,5 +1,5 @@
-# Security Insights 2.0 file https://github.com/ossf/security-insights
-# Specification: https://github.com/ossf/security-insights/tree/main/spec
+# Security Insights 2.0 file https://github.com/ossf/security-insights
+# Schema: https://github.com/ossf/security-insights/blob/main/spec/schema.cue
 header:
 schema-version: 2.0.0
 last-updated: '2025-07-26'
From 96b28a2f55314374a5c348cb0132d5dcbc048c1d Mon Sep 17 00:00:00 2001
From: Andres Aguiar
Date: Wed, 6 Aug 2025 10:48:06 -0300
Subject: [PATCH 8/8] "chore: updating SECURITY-INSIGHTS"
---
 .github/SECURITY-INSIGHTS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/SECURITY-INSIGHTS.yml b/.github/SECURITY-INSIGHTS.yml
index 1f54d014..a4de232e 100644
--- a/.github/SECURITY-INSIGHTS.yml
+++ b/.github/SECURITY-INSIGHTS.yml
@@ -67,7 +67,7 @@ repository:
 dependency-management-policy: https://github.com/openfga/openfga/blob/main/docs/dependencies-policy.md
 governance: https://github.com/openfga/.github/blob/main/GOVERNANCE.md
 review-policy: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
- security-policy: https://github.com/openfga/api/SECURITY.md
+ security-policy: https://github.com/openfga/api/security.md
 security:
 assessments:
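Review bot: `security-policy: https://github.com/openfga/api/security.md` is still not a file link — the three sibling context lines (`dependency-management-policy`, `governance`, `review-policy`) all use the `/blob/main/` form, and a bare `<owner>/<repo>/<path>` URL on GitHub is unlikely to resolve to the file, so lowercasing the name does not fix the link. GitHub paths are also case-sensitive, so the value should match the file as it actually exists in the repository, e.g. `security-policy: https://github.com/openfga/api/blob/main/SECURITY.md` (or `security.md` if that is the real name). This link deserves extra care because it is where vulnerability reporters are sent to find the disclosure process; a dead link there silently degrades the project's intake path.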