argo-cd

SECURITY-INSIGHTS.yml
128 lines · 5.2 KB
header:
  schema-version: 1.0.0
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
  commit-hash: b71277c6beb949d0199d647a582bc25822b88838
  project-url: https://github.com/argoproj/argo-cd
  project-release: v2.9.0-rc3
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
project-lifecycle:
  status: active
  roadmap: https://github.com/orgs/argoproj/projects/25
  bug-fixes-only: false
  core-maintainers:
    - https://github.com/argoproj/argoproj/blob/master/MAINTAINERS.md
  release-cycle: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/
  release-process: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#release-process
contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true
  automated-tools-list:
    - automated-tool: dependabot
      action: allowed
      path:
        - /
    - automated-tool: snyk-report
      action: allowed
      path:
        - docs/snyk
      comment: |
        This tool runs Snyk and generates a report of vulnerabilities in the project's dependencies. The report is
        placed in the project's documentation. The workflow is defined here:
        https://github.com/argoproj/argo-cd/blob/master/.github/workflows/update-snyk.yaml
  contributing-policy: https://argo-cd.readthedocs.io/en/stable/developer-guide/code-contributions/
  code-of-conduct: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
documentation:
  - https://argo-cd.readthedocs.io/
distribution-points:
  - https://github.com/argoproj/argo-cd/releases
  - https://quay.io/repository/argoproj/argocd
security-artifacts:
  threat-model:
    threat-model-created: true
    evidence-url:
      - https://github.com/argoproj/argoproj/blob/master/docs/argo_threat_model.pdf
      - https://github.com/argoproj/argoproj/blob/master/docs/end_user_threat_model.pdf
  self-assessment:
    self-assessment-created: false
    comment: |
      An extensive self-assessment was performed for CNCF graduation. Because the self-assessment process was evolving
      at the time, no standardized document has been published.
security-testing:
  - tool-type: sca
    tool-name: Dependabot
    tool-version: "2"
    tool-url: https://github.com/dependabot
    integration:
      ad-hoc: false
      ci: false
      before-release: false
    tool-rulesets:
      - https://github.com/argoproj/argo-cd/blob/master/.github/dependabot.yml
  - tool-type: sca
    tool-name: Snyk
    tool-version: latest
    tool-url: https://snyk.io/
    integration:
      ad-hoc: true
      ci: true
      before-release: false
  - tool-type: sast
    tool-name: CodeQL
    tool-version: latest
    tool-url: https://codeql.github.com/
    integration:
      ad-hoc: false
      ci: true
      before-release: false
    comment: |
      We use the default configuration with the latest version.
security-assessments:
  - auditor-name: Trail of Bits
    auditor-url: https://trailofbits.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_final_report.pdf
    report-year: 2021
  - auditor-name: Ada Logics
    auditor-url: https://adalogics.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_audit_2022.pdf
    report-year: 2022
  - auditor-name: Ada Logics
    auditor-url: https://adalogics.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/audit_fuzzer_adalogics_2022.pdf
    report-year: 2022
    comment: |
      Part of the audit was performed by Ada Logics, focussed on fuzzing.
  - auditor-name: Chainguard
    auditor-url: https://chainguard.dev
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/software_supply_chain_slsa_assessment_chainguard_2023.pdf
    report-year: 2023
    comment: |
      Confirmed the project's release process as achieving SLSA (v0.1) level 3.
security-contacts:
  - type: email
    value: cncf-argo-security@lists.cncf.io
    primary: true
vulnerability-reporting:
  accepts-vulnerability-reports: true
  email-contact: cncf-argo-security@lists.cncf.io
  security-policy: https://github.com/argoproj/argo-cd/security/policy
  bug-bounty-available: true
  bug-bounty-url: https://hackerone.com/ibb/policy_scopes
  out-scope:
    - vulnerable and outdated components # See https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#a-word-about-security-scanners
    - security logging and monitoring failures
dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/argoproj/argo-cd/blob/master/go.mod
    - https://github.com/argoproj/argo-cd/blob/master/Dockerfile
    - https://github.com/argoproj/argo-cd/blob/master/ui/package.json
  sbom:
    - sbom-file: https://github.com/argoproj/argo-cd/releases # Every release's assets include SBOMs.
      sbom-format: SPDX
  dependencies-lifecycle:
    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy
  env-dependencies-policy:
    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy
