Merge branch 'main' into migrate-cron

.github/dependabot.yml

@@ -41,3 +41,12 @@ updates:
   rebase-strategy: disabled
   commit-message:
       prefix: ":seedling:"
+  # currently needed to get PRs which actually update multiple directories in a single PR
+  # https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2109164992
+  groups:
+    golang:
+      patterns:
+        - "golang"
+    distroless:
+      patterns:
+        - "distroless/base"

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./

SECURITY.md

@@ -1,11 +1,60 @@
-# Reporting Security Issues
+# OpenSSF Scorecard Security Policy
 
-To report a security issue, please email
-[[email protected]](mailto:[email protected])
-with a description of the issue, the steps you took to create the issue,
-affected versions, and, if known, mitigations for the issue.
+This document outlines security procedures and general policies for the
+OpenSSF Scorecard project.
 
-Our vulnerability management team will respond within 3 working days of your
-email. If the issue is confirmed as a vulnerability, we will open a
-Security Advisory and acknowledge your contributions as part of it. This project
-follows a 90 day disclosure timeline.
+This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security)
+for Linux Foundation projects.
+
+- [Disclosing a security issue](#disclosing-a-security-issue)
+- [Vulnerability management](#vulnerability-management)
+- [Suggesting changes](#suggesting-changes)
+
+## Disclosing a security issue
+
+The OpenSSF Scorecard maintainers take all security issues in the project
+seriously. Thank you for improving the security of OpenSSF Scorecard. We
+appreciate your dedication to responsible disclosure and will make every effort
+to acknowledge your contributions.
+
+OpenSSF Scorecard leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
+
+If you've been unable to successfully draft a vulnerability report via GitHub
+or have not received a response during the alloted response window, please
+reach out via the [OpenSSF security contact email](mailto:[email protected]).
+
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will assign it to a
+primary handler.
+
+This person will coordinate the fix and release process, which involves the
+following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.

attestor/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src/scorecard
 COPY . ./
 

clients/githubrepo/roundtripper/tokens/server/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./