Merge pull request #347 from stacklok/mds

Luke Hinds · web-flow · commit 9dfa80c5a7b9 · 2024-12-14T20:29:32.000Z
Add Project MD files
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,74 @@
+# Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at <code-of-conduct@stacklok.com>. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,53 @@
+
+# Contributing to codegate
+First off, thank you for taking the time to contribute to codegate! :+1: :tada: codegate is released under the Apache 2.0 license. If you would like to contribute something or want to hack on the code, this document should help you get started. You can find some hints for starting development in codegate's  [README](https://github.com/stacklok/codegate/blob/main/README.md).
+
+## Table of contents 
+- [Code of Conduct](#code-of-conduct)
+- [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)
+- [How to Contribute](#how-to-contribute)
+  - [Using GitHub Issues](#using-github-issues)
+  - [Not sure how to start contributing...](#not-sure-how-to-start-contributing)
+  - [Pull Request Process](#pull-request-process)
+  - [Contributing to docs](#contributing-to-docs)
+  - [Commit Message Guidelines](#commit-message-guidelines)
+
+## Code of Conduct
+This project adheres to the [Contributor Covenant](https://github.com/stacklok/codegate/blob/main/CODE_OF_CONDUCT.md) code of conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to code-of-conduct@stacklok.dev.
+
+## Reporting Security Vulnerabilities
+
+If you think you have found a security vulnerability in codegate please DO NOT disclose it publicly until we’ve had a chance to fix it. Please don’t report security vulnerabilities using GitHub issues; instead, please follow this [process](https://github.com/stacklok/codegate/blob/main/SECURITY.md)
+
+## How to Contribute
+
+### Using GitHub Issues
+We use GitHub issues to track bugs and enhancements. If you have a general usage question, please ask in [CodeGate's discussion forum](https://discord.com/invite/RkzVuTp3WK). 
+
+If you are reporting a bug, please help to speed up problem diagnosis by providing as much information as possible. Ideally, that would include a small sample project that reproduces the problem.
+
+### Not sure how to start contributing...
+PRs to resolve existing issues are greatly appreciated and issues labeled as ["good first issue"](https://github.com/stacklok/codegate/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) are a great place to start!
+
+### Pull Request Process
+* Create an issue outlining the fix or feature.
+* Fork the codegate repository to your own GitHub account and clone it locally.
+* Hack on your changes.
+* Correctly format your commit messages, see [Commit Message Guidelines](#Commit-Message-Guidelines) below.
+* Open a PR by ensuring the title and its description reflect the content of the PR.
+* Ensure that CI passes, if it fails, fix the failures.
+* Every pull request requires a review from the core CodeGate team before merging.
+* Once approved, all of your commits will be squashed into a single commit with your PR title.
+
+### Contributing to docs
+Follow [this guide](https://github.com/stacklok/codegate/blob/main/docs/README.md) for instructions on building, running, and previewing codegate's documentation.
+
+### Commit Message Guidelines
+We follow the commit formatting recommendations found on [Chris Beams' How to Write a Git Commit Message article](https://chris.beams.io/posts/git-commit/):
+
+1. Separate subject from body with a blank line
+1. Limit the subject line to 50 characters
+1. Capitalize the subject line
+1. Do not end the subject line with a period
+1. Use the imperative mood in the subject line
+1. Use the body to explain what and why vs. how
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,97 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+The CodeGate community take security seriously! We appreciate your efforts to disclose your findings responsibly and will make every effort to acknowledge your contributions.
+
+## Reporting a vulnerability
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/stacklok/codegate/security/advisories/new) tab.
+
+If you are unable to access GitHub you can also email us at security@stacklok.com. 
+
+Include steps to reproduce the vulnerability, the vulnerable versions, and any additional files to reproduce the vulnerability.
+
+If you are only comfortable sharing under GPG, please start by sending an email requesting a public PGP key to use for encryption.
+
+### Contacting the CodeGate Security Team
+
+Contact the team by sending email to security@stacklok.com.
+
+## Disclosures
+
+### Private Disclosure Processes
+
+The CodeGate community asks that all suspected vulnerabilities be handled in accordance with [Responsible Disclosure model](https://en.wikipedia.org/wiki/Responsible_disclosure).
+
+### Public Disclosure Processes
+
+If anyone knows of a publicly disclosed security vulnerability please IMMEDIATELY email security@stacklok.com to inform us about the vulnerability so that we may start the patch, release, and communication process.
+
+If a reporter contacts the us to express intent to make an issue public before a fix is available, we will request if the issue can be handled via a private disclosure process. If the reporter denies the request, we will move swiftly with the fix and release process.
+
+## Patch, Release, and Public Communication
+
+For each vulnerability, the CodeGate security team will coordinate to create the fix and release, and notify the rest of the community.
+
+All of the timelines below are suggestions and assume a Private Disclosure.
+
+- The security team drives the schedule using their best judgment based on severity, development time, and release work.
+- If the security team is dealing with a Public Disclosure all timelines become ASAP.
+- If the fix relies on another upstream project's disclosure timeline, that will adjust the process as well.
+- We will work with the upstream project to fit their timeline and best protect CodeGate users.
+- The Security team will give advance notice to the Private Distributors list before the fix is released.
+
+### Fix Team Organization
+
+These steps should be completed within the first 24 hours of Disclosure.
+
+- The  security team will work quickly to identify relevant engineers from the affected projects and packages and being those engineers into the [security advisory](https://docs.github.com/en/code-security/security-advisories/) thread.
+- These selected developers become the "Fix Team" (the fix team is often drawn from the projects MAINTAINERS)
+
+### Fix Development Process
+
+These steps should be completed within the 1-7 days of Disclosure.
+
+- Create a new [security advisory](https://docs.github.com/en/code-security/security-advisories/) in affected repository by visiting `https://github.com/stacklok/codegate/security/advisories/new`
+- As many details as possible should be entered such as versions affected, CVE (if available yet). As more information is discovered, edit and update the advisory accordingly.
+- Use the CVSS calculator to score a severity level.
+![CVSS Calculator](/images/calc.png)
+- Add collaborators from codeowners team only (outside members can only be added after approval from the  security team)
+- The reporter may be added to the issue to assist with review, but **only reporters who have contacted the security team using a private channel**.
+- Select 'Request CVE'
+![Request CVE](/docs/static/img/cve.png)
+- The security team / Fix Team create a private temporary fork
+![Security Fork](/docs/static/img/fork.png)
+- The Fix team performs all work in a 'security advisory' within its temporary fork
+- CI can be checked locally using the [act](https://github.com/nektos/act) project
+- All communication happens within the security advisory, it is *not* discussed in slack channels or non private issues.
+- The Fix Team will notify the security team that work on the fix branch is completed, this can be done by tagging names in the advisory
+- The Fix team and the security team will agree on fix release day
+- The recommended release time is 4pm UTC on a non-Friday weekday. This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia. 
+
+If the CVSS score is under ~4.0
+([a low severity score](https://www.first.org/cvss/specification-document#i5)) or the assessed risk is low the Fix Team can decide to slow the release process down in the face of holidays, developer bandwidth, etc.
+
+Note: CVSS is convenient but imperfect. Ultimately, the security team has discretion on classifying the severity of a vulnerability.
+
+The severity of the bug and related handling decisions must be discussed on in the security advisory, never in public repos.
+
+### Fix Disclosure Process
+
+With the Fix Development underway, the security team needs to come up with an overall communication plan for the wider community. This Disclosure process should begin after the Fix Team has developed a Fix or mitigation so that a realistic timeline can be communicated to users.
+
+**Fix Release Day** (Completed within 1-21 days of Disclosure)
+
+- The Fix Team will approve the related pull requests in the private temporary branch of the security advisory
+- The security team will merge the security advisory / temporary fork and its commits into the main branch of the affected repository
+![Security Advisory](docs/images/publish.png)
+- The security team will ensure all the binaries are built, signed, publicly available, and functional.
+- The security team will announce the new releases, the CVE number, severity, and impact, and the location of the binaries to get wide distribution and user action. As much as possible this announcement should be actionable, and include any mitigating steps users can take prior to upgrading to a fixed version. An announcement template is available below. The announcement will be sent to the the following channels:
+- A link to fix will be posted to the [Stackloks Discord Server](https://t.co/3sCyFqDNWA) in the CodeGate channels.
+
+## Retrospective
+
+These steps should be completed 1-3 days after the Release Date. The retrospective process [should be blameless](https://landing.google.com/sre/book/chapters/postmortem-culture.html).
+
+- The security team will send a retrospective of the process to the [Stackloks Discord Server](https://t.co/3sCyFqDNWA) including details on everyone involved, the timeline of the process, links to relevant PRs that introduced the issue, if relevant, and any critiques of the response and release process.
