From 56fb45f665c1e7f0b7167d4e4dd42220b9e9be8a Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Wed, 25 Feb 2026 19:43:25 +1100 Subject: [PATCH 1/3] chore: add basic `SECURITY-INSIGHTS.YAML` file Shares the main project SI file. Relates #10057 Signed-off-by: Gabriele Bartolini --- SECURITY-INSIGHTS.yml | 94 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 SECURITY-INSIGHTS.yml diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..a45fd685 --- /dev/null +++ b/SECURITY-INSIGHTS.yml 
@@ -0,0 +1,94 @@ +header: + schema-version: 2.2.0 + last-updated: '2026-02-25' + last-reviewed: '2026-02-25' + url: https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/main/SECURITY-INSIGHTS.yml + project-si-source: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/SECURITY-INSIGHTS.yml + +repository: + homepage: https://github.com/cloudnative-pg/postgres-containers + status: active + accepts-change-request: true + accepts-automated-change-request: true + no-third-party-packages: false + core-team: + - name: Gabriele Bartolini + email: gabriele.bartolini@enterprisedb.com + primary: true + - name: Francesco Canovai + email: francesco.canovai@enterprisedb.com + primary: false + - name: Jonathan Gonzalez V. + email: jonathan.gonzalez@enterprisedb.com + primary: false + - name: Marco Nenciarini + email: marco.nenciarini@enterprisedb.com + primary: false + - name: Niccolò Fei + email: niccolo.fei@enterprisedb.com + primary: false + documentation: + contributing-guide: https://github.com/cloudnative-pg/cloudnative-pg/blob/main/CONTRIBUTING.md + review-policy: https://github.com/cloudnative-pg/cloudnative-pg/tree/main/contribute#about-our-development-workflow + security-policy: https://github.com/cloudnative-pg/cloudnative-pg/security/policy + governance: https://github.com/cloudnative-pg/governance/blob/main/GOVERNANCE.md + license: + url: https://www.apache.org/licenses/LICENSE-2.0 + expression: Apache-2.0 + + release: + automated-pipeline: true + distribution-points: + - uri: https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql + comment: GitHub packages for Postgres container images + + security: + tools: + - name: Dependabot + type: SCA + integration: + adhoc: true + ci: true + release: no + - name: Renovate + type: SCA + integration: + adhoc: true + ci: true + release: no + - name: Snyk + type: SAST + comment: | + Performs both Static Code Analysis (Snyk Code) and Vulnerability + Scanning (Snyk Open 
Source). + integration: + adhoc: true + ci: true + release: true + - name: Cosign + type: automated-tooling + comment: Used to cryptographically sign container images (operator and operand). + integration: + adhoc: true + ci: true + release: true + - name: GitHub Code Scanning + type: SAST + comment: Ingests SARIF results from Snyk for integrated GitHub security alerts. + integration: + adhoc: true + ci: true + release: true + - name: Trivy + type: automated-tooling + comment: | + Scans container images and file systems for vulnerabilities and + misconfigurations. + integration: + adhoc: true + ci: true + release: true + + assessments: + self: + comment: Refer to the main project. From 4381faa7476f0f149274d1c112dc0fd6ebb49a55 Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Wed, 25 Feb 2026 22:41:32 +1100 Subject: [PATCH 2/3] chore: removed documentation links as they are inherited from the project Signed-off-by: Gabriele Bartolini --- SECURITY-INSIGHTS.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index a45fd685..7970c60a 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -3,6 +3,7 @@ header: last-updated: '2026-02-25' last-reviewed: '2026-02-25' url: https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/main/SECURITY-INSIGHTS.yml + # reference the main SECURITY-INSIGHTS file from CNPG repo project-si-source: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/SECURITY-INSIGHTS.yml repository: 
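Review bot: The closing `assessments: self: comment: Refer to the main project.` leaves the self-assessment as free text with no resolvable location, so a consumer that does not follow `project-si-source` has nothing to open, and the later patches in this series rewrite the tools list but leave this block untouched. If the 2.2.0 schema's `assessments.self` carries an `evidence` URI alongside `comment` (as I recall it does), add the link to the project's published self-assessment, e.g. `evidence: <URL of the cloudnative-pg self-assessment>`, taken from the main SI file that `project-si-source` points at. The `last-updated` and `last-reviewed` values are correctly quoted so they stay strings rather than being parsed as dates; keep that when the file is next edited.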
@@ -27,11 +28,6 @@ repository: - name: Niccolò Fei email: niccolo.fei@enterprisedb.com primary: false - documentation: - contributing-guide: https://github.com/cloudnative-pg/cloudnative-pg/blob/main/CONTRIBUTING.md - review-policy: https://github.com/cloudnative-pg/cloudnative-pg/tree/main/contribute#about-our-development-workflow - security-policy: https://github.com/cloudnative-pg/cloudnative-pg/security/policy - governance: https://github.com/cloudnative-pg/governance/blob/main/GOVERNANCE.md license: url: https://www.apache.org/licenses/LICENSE-2.0 expression: Apache-2.0 From e1cc76fe4a5a17f76e1cba8a16591704fdf4673b Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Wed, 25 Feb 2026 14:19:27 +0100 Subject: [PATCH 3/3] chore: review Signed-off-by: Marco Nenciarini --- SECURITY-INSIGHTS.yml | 53 +++++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index 7970c60a..0b23ffbd 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -7,7 +7,7 @@ header: project-si-source: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/SECURITY-INSIGHTS.yml repository: - homepage: https://github.com/cloudnative-pg/postgres-containers + url: https://github.com/cloudnative-pg/postgres-containers status: active accepts-change-request: true accepts-automated-change-request: true 
@@ -35,53 +35,72 @@ repository: release: automated-pipeline: true distribution-points: - - uri: https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql + - uri: https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql comment: GitHub packages for Postgres container images security: tools: + - name: Dockle + type: container + rulesets: ["default"] + results: {} + comment: Lints container images for security best practices. + integration: + adhoc: false + ci: true + release: false - name: Dependabot type: SCA + rulesets: ["default"] + results: {} integration: adhoc: true - ci: true - release: no + ci: false + release: false - name: Renovate type: SCA + rulesets: ["default"] + results: {} integration: adhoc: true ci: true - release: no + release: false - name: Snyk - type: SAST - comment: | - Performs both Static Code Analysis (Snyk Code) and Vulnerability - Scanning (Snyk Open Source). + type: container + rulesets: ["default"] + results: {} + comment: Scans container images for known vulnerabilities. integration: - adhoc: true + adhoc: false ci: true release: true - name: Cosign - type: automated-tooling - comment: Used to cryptographically sign container images (operator and operand). + type: container + rulesets: ["default"] + results: {} + comment: Used to cryptographically sign container images. integration: - adhoc: true + adhoc: false ci: true release: true - name: GitHub Code Scanning type: SAST - comment: Ingests SARIF results from Snyk for integrated GitHub security alerts. + rulesets: ["default"] + results: {} + comment: Ingests SARIF results from Snyk and Trivy for integrated GitHub security alerts. integration: - adhoc: true + adhoc: false ci: true release: true - name: Trivy - type: automated-tooling + type: container + rulesets: ["default"] + results: {} comment: | Scans container images and file systems for vulnerabilities and misconfigurations. 
integration: - adhoc: true + adhoc: false ci: true release: true
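Review bot: Every tool entry in this hunk sets `results: {}`, so the file records what runs but not where its output can be inspected, even though the `GitHub Code Scanning` entry states that the Snyk and Trivy SARIF is ingested there. If `results.<stage>.uri` is the 2.2.0 shape (as I recall), the Snyk, Trivy and GitHub Code Scanning entries should point their `ci` and `release` results at the repository's alerts page, `results:` / `  ci:` / `    uri: https://github.com/cloudnative-pg/postgres-containers/security/code-scanning`, rather than leaving the map empty. The Cosign comment, `Used to cryptographically sign container images.`, gives a verifier nothing to check against; it should state the signing mode and identity, for instance `comment: Images are signed keyless with Cosign via GitHub Actions OIDC; verify with cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp <workflow identity>`, with the real identity filled in from the release workflow, which is outside this patch.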