From 3825d824728b32f45f22f8ebb38c4d79ffff88bd Mon Sep 17 00:00:00 2001 From: Paolo Dettori Date: Wed, 11 Mar 2026 21:50:00 -0400 Subject: [PATCH] feat: add security governance (CODEOWNERS, SECURITY.md, .gitignore hardening) Add repository governance files for security posture: - CODEOWNERS: default ownership for maintainers, platform, and agents teams - SECURITY.md: vulnerability reporting policy with GitHub Security Advisories - .gitignore: harden with secrets, credentials, kubeconfig, IDE, and ruff cache patterns CONTRIBUTING.md and LICENSE (Apache 2.0) already exist and are adequate. Assisted-By: Claude (Anthropic AI) Signed-off-by: Paolo Dettori --- .gitignore | 16 +++++++++++++++- CODEOWNERS | 16 ++++++++++++++++ SECURITY.md | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 CODEOWNERS create mode 100644 SECURITY.md diff --git a/.gitignore b/.gitignore index ab9b3955..d568d80f 100644 --- a/.gitignore +++ b/.gitignore @@ -203,4 +203,18 @@ cython_debug/ mise.local.toml # Supervisor output -/output \ No newline at end of file +/output + +# Secrets and credentials +*.key +*.p12 +*.jks +credentials.* +secrets.* +*kubeconfig* + +# IDE +.vscode/ + +# Ruff cache +.ruff_cache/ \ No newline at end of file diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..52d438d3 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,16 @@ +# Default owners for everything +* @kagenti/maintainers + +# CI and platform tooling +.github/ @kagenti/platform +Makefile @kagenti/platform + +# A2A agents +a2a/ @kagenti/agents + +# MCP tools +mcp/ @kagenti/agents + +# Documentation +docs/ @kagenti/maintainers +*.md @kagenti/maintainers diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..ff718d98 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# Security Policy + +## Reporting a Vulnerability + +We take security vulnerabilities seriously. If you discover a security issue, +please report it responsibly. + +### How to Report + +1. **Do NOT create public GitHub issues** for security vulnerabilities +2. **Email**: Report vulnerabilities privately via GitHub Security Advisories + - Go to the [Security tab](../../security/advisories/new) and create a new advisory +3. **Include**: A clear description of the vulnerability, steps to reproduce, + and potential impact + +### What to Expect + +- We will acknowledge receipt within 48 hours +- We aim to provide an initial assessment within 7 days +- We will keep you informed of our progress +- We will credit you in the security advisory (if desired) + +## Supported Versions + +| Version | Supported | +|---------|--------------------| +| main | :white_check_mark: | + +## Security Measures + +This project implements several security controls: + +- **CI/CD Security**: All workflows use explicit least-privilege permissions +- **Dependency Scanning**: Automated vulnerability scanning via Trivy and Dependabot +- **Secret Detection**: Pre-commit hooks with Gitleaks for secret scanning +- **Code Analysis**: CodeQL for static analysis +- **Container Security**: Hadolint for Dockerfile best practices +- **Supply Chain**: OpenSSF Scorecard monitoring and SHA-pinned GitHub Actions