security-insights.yml
# OpenSSF Security Insights
# https://security-insights.openssf.org/schema.html
#
# Points at GOVERNANCE.md, SECURITY.md, ROADMAP.md, and
# docs/security/assurance-case.md rather than duplicating content.
header:
  schema-version: 2.0.0
  last-updated: '2026-04-13'
  last-reviewed: '2026-04-13'
  url: https://raw.githubusercontent.com/ozeranskii/httptap/main/security-insights.yml
project:
  name: httptap
  homepage: https://docs.httptap.dev
  roadmap: https://github.com/ozeranskii/httptap/blob/main/ROADMAP.md
  administrators:
    - name: Sergei Ozeranskii
      affiliation: Independent
      social: https://github.com/ozeranskii
      primary: true
  documentation:
    detailed-guide: https://docs.httptap.dev
    code-of-conduct: https://github.com/ozeranskii/httptap/blob/main/CODE_OF_CONDUCT.md
    release-process: https://docs.httptap.dev/development/release/
    signature-verification: https://docs.httptap.dev/security/assurance-case/#supply-chain-assurance
  repositories:
    - name: httptap
      url: https://github.com/ozeranskii/httptap
      comment: |
        Primary repository. Source, tests, documentation, release
        workflow, and supply-chain artefacts (SBOM, SLSA provenance,
        VEX) all originate here.
  vulnerability-reporting:
    reports-accepted: true
    bug-bounty-available: false
    policy: https://github.com/ozeranskii/httptap/blob/main/SECURITY.md
    contact:
      - name: Sergei Ozeranskii
        affiliation: Independent
        social: https://github.com/ozeranskii
        primary: true
    comment: |
      Report privately via GitHub Security Advisories:
      https://github.com/ozeranskii/httptap/security/advisories/new
      Public GitHub issues are discouraged for suspected vulnerabilities.
repository:
  url: https://github.com/ozeranskii/httptap
  status: active
  bug-fixes-only: false
  accepts-change-request: true
  accepts-automated-change-request: true
  no-third-party-packages: false
  core-team:
    - name: Sergei Ozeranskii
      affiliation: Independent
      social: https://github.com/ozeranskii
      primary: true
  documentation:
    contributing-guide: https://github.com/ozeranskii/httptap/blob/main/CONTRIBUTING.md
    governance: https://github.com/ozeranskii/httptap/blob/main/GOVERNANCE.md
    security-policy: https://github.com/ozeranskii/httptap/blob/main/SECURITY.md
    dependency-management-policy: https://github.com/ozeranskii/httptap/blob/main/ROADMAP.md
  license:
    url: https://github.com/ozeranskii/httptap/blob/main/LICENSE
    expression: Apache-2.0
  release:
    changelog: https://github.com/ozeranskii/httptap/blob/main/CHANGELOG.md
    automated-pipeline: true
    attestations:
      - name: SLSA Build Provenance
        predicate-uri: https://slsa.dev/provenance/v1
        location: https://github.com/ozeranskii/httptap/attestations
        comment: |
          Every wheel and sdist is signed with Sigstore (keyless OIDC)
          via actions/attest-build-provenance. Verification:
          `gh attestation verify dist/httptap-*.whl --repo ozeranskii/httptap`.
      - name: Release SBOM (CycloneDX)
        predicate-uri: https://cyclonedx.org/specification/overview/
        location: https://github.com/ozeranskii/httptap/releases/latest
        comment: |
          CycloneDX JSON SBOM generated by anchore/sbom-action (Syft)
          and attached to every GitHub Release as
          httptap-X.Y.Z.cdx.json.
      - name: Release SBOM (SPDX)
        predicate-uri: https://spdx.dev/specifications/
        location: https://github.com/ozeranskii/httptap/releases/latest
        comment: |
          SPDX JSON SBOM generated by the same pipeline and attached as
          httptap-X.Y.Z.spdx.json.
      - name: OpenVEX
        predicate-uri: https://openvex.dev/ns/v0.2.0
        location: https://github.com/ozeranskii/httptap/blob/main/.vex/httptap.openvex.json
        comment: |
          Source-of-truth VEX document maintained in-tree; a versioned
          copy (httptap-X.Y.Z.openvex.json) is attached to every
          GitHub Release so downstream scanners can suppress
          unreachable dependency CVEs.
    distribution-points:
      - uri: https://pypi.org/project/httptap/
        comment: |
          Primary distribution via PyPI (OIDC Trusted Publishing, no
          long-lived tokens). Attestations visible on the PyPI project
          page per PEP 740.
      - uri: https://github.com/ozeranskii/httptap/releases
        comment: |
          GitHub Releases carry the same wheel/sdist plus the full
          supply-chain artefact set (SBOM, VEX, SLSA provenance).
    license:
      url: https://github.com/ozeranskii/httptap/blob/main/LICENSE
      expression: Apache-2.0
  security:
    tools:
      - name: CodeQL
        type: SAST
        rulesets:
          - security-and-quality
        integration:
          ci: true
        comment: |
          Runs on every push and pull request plus a weekly scheduled
          scan. Configuration in .github/codeql/config.yml.
      - name: zizmor
        type: SAST
        integration:
          ci: true
        comment: |
          Audits every GitHub Actions workflow in `persona: pedantic`
          mode on every push and pull request.
      - name: Dependabot
        type: SCA
        integration:
          ci: true
        comment: |
          Weekly version and security updates for both the PyPI (uv
          group) and GitHub Actions ecosystems.
      - name: OpenSSF Scorecard
        type: SCA
        integration:
          ci: true
        comment: |
          Runs weekly and on push to main; SARIF results published to
          GitHub code scanning.
    assessments:
      self:
        evidence: https://docs.httptap.dev/security/assurance-case/
        date: '2026-04-12'
        comment: |
          Assurance case — threat model (STRIDE), trust boundaries,
          applied secure-design principles, countered CWE Top 25
          weaknesses, and residual risks.
    champions:
      - name: Sergei Ozeranskii
        primary: true
    dependencies:
      third-party-packages: true
      dependencies-lists:
        - https://github.com/ozeranskii/httptap/blob/main/pyproject.toml
        - https://github.com/ozeranskii/httptap/blob/main/uv.lock
      dependencies-lifecycle:
        policy-url: https://github.com/ozeranskii/httptap/blob/main/ROADMAP.md
        comment: |
          Direct dependencies declared in pyproject.toml with loose
          version specifiers; uv.lock pins exact versions with hashes
          for reproducible installs. Updates arrive as Dependabot pull
          requests and go through normal review and CI gates.
      env-dependencies-policy:
        policy-url: https://github.com/ozeranskii/httptap/blob/main/CONTRIBUTING.md
        comment: |-
          Runtime is Python >= 3.10 managed by uv; all build-time tools
          are pinned in pyproject.toml under [dependency-groups].