From 4e8e6fed86c12871caf9165cdb524c635a6f0875 Mon Sep 17 00:00:00 2001 From: Vinaya Damle Date: Tue, 17 Feb 2026 12:10:33 -0800 Subject: [PATCH 1/2] Add security-insights.yml for OSSF Security Insights v2.0.0 Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Signed-off-by: vinayada1 <28875764+vinayada1@users.noreply.github.com> --- .github/security-insights.yml | 191 ++++++++++++++++++++++++++++++++++ SECURITY.md | 2 +- 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 .github/security-insights.yml diff --git a/.github/security-insights.yml b/.github/security-insights.yml new file mode 100644 index 00000000000..d173f7823f6 --- /dev/null +++ b/.github/security-insights.yml @@ -0,0 +1,191 @@ +header: + schema-version: 2.0.0 + last-updated: '2026-02-20' + last-reviewed: '2026-02-20' + url: https://github.com/radius-project/radius + comment: >- + This file contains all possible information for both project and repository, + though it is not required to include all of this information every time. Nor + is it required to include both a project and repository section if the + project section is intended to be inherited by repositories via + header.project-si-source +project: + name: Radius + homepage: https://radapp.io + roadmap: https://aka.ms/radius-roadmap + steward: + uri: '' + comment: No steward designated + administrators: + - name: Sylvain Niles + affiliation: Microsoft + social: https://github.com/sylvainsf + primary: false + - name: Karishma Chawla + affiliation: Microsoft + social: https://github.com/kachawla + primary: false + - name: Brooke Hamilton + affiliation: Microsoft + social: https://github.com/brooke-hamilton + primary: false + documentation: + quickstart-guide: https://docs.radapp.io/quick-start/ + detailed-guide: https://radapp.io/ + code-of-conduct: https://github.com/radius-project/community/blob/main/CODE-OF-CONDUCT.md + release-process: https://github.com/radius-project/community + support-policy: https://github.com/radius-project/radius/blob/main/SUPPORT.md + repositories: + - name: Radius + url: https://github.com/radius-project/radius + comment: >- + Radius is the main Radius repository. It contains all of Radius code and + documentation. In addition, we have the below repositories + - name: Docs + url: https://github.com/radius-project/docs + comment: This repository contains the Radius documentation source for Radius. + - name: Samples + url: https://github.com/radius-project/samples + comment: >- + This repository contains the source code for quickstarts, reference + apps, and tutorials for Radius. + - name: Recipes + url: https://github.com/radius-project/recipes + comment: >- + This repo contains commonly used Recipe templates for Radius + Environments. + - name: Website + url: https://github.com/radius-project/website + comment: This repository contains the source code for the Radius website. + - name: AWS Bicep Types + url: https://github.com/radius-project/bicep-types-aws + comment: >- + This repository contains the tooling for Bicep support for AWS resource + types. + - name: Radius Resource Types and Recipes Contributions + url: https://github.com/radius-project/resource-types-contrib + comment: >- + This repository contains the Resource Type definitions and Recipes for deploying those Resource Types via Radius. + vulnerability-reporting: + reports-accepted: true + bug-bounty-available: false + contact: + name: Radius Team + email: radiuscoreteam@service.microsoft.com + primary: true + policy: https://github.com/radius-project/radius/blob/main/SECURITY.md +repository: + url: https://github.com/radius-project/radius + status: active + bug-fixes-only: true + accepts-change-request: true + accepts-automated-change-request: true + no-third-party-packages: true + license: + url: >- + https://github.com/radius-project/radius/blob/main/LICENSE + expression: Apache-2.0 + core-team: + - name: Radius Core Team + affiliation: Microsoft + email: radiuscoreteam@service.microsoft.com + primary: true + - name: Sylvain Niles + affiliation: Microsoft + social: https://github.com/sylvainsf + primary: false + - name: Karishma Chawla + affiliation: Microsoft + social: https://github.com/kachawla + primary: false + - name: Brooke Hamilton + affiliation: Microsoft + social: https://github.com/brooke-hamilton + primary: false + documentation: + contributing-guide: https://github.com/radius-project/radius/blob/main/CONTRIBUTING.md + review-policy: >- + https://github.com/radius-project/radius/blob/main/docs/contributing/contributing-code/contributing-code-reviewing/README.md + security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md + governance: >- + https://github.com/radius-project/community/blob/main/community-membership.md + dependency-management-policy: https://github.com/radius-project/radius/blob/main/THIRD-PARTY-NOTICES.txt + release: + changelog: https://github.com/radius-project/radius/releases + automated-pipeline: false + attestations: + - name: Release 0.54 + predicate-uri: https://github.com/radius-project/radius/actions/runs/20080596572 + location: https://github.com/radius-project/radius/releases/tag/v0.54.0 + comment: Build workflow for Release 0.54 + distribution-points: + - uri: https://github.com/radius-project/radius/releases + comment: Radius Releases + - uri: https://github.com/orgs/radius-project/packages?repo_name=radius + comment: GitHub packages + license: + url: >- + https://github.com/radius-project/radius/blob/main/LICENSE + expression: Apache-2.0 + security: + assessments: + self: + evidence: https://github.com/radius-project/design-notes/tree/main/architecture + comment: >- + https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-controller-component-threat-model.md + + https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-applications-rp-component-threat-model.md + + https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-dashboard-component-threat-model.md + + https://github.com/radius-project/design-notes/blob/main/architecture/2024-11-ucp-component-threat-model.md + third-party: + - comment: No third-party assessment performed + champions: + - name: Radius Team + email: radiuscoreteam@service.microsoft.com + primary: true + tools: + - name: Scorecard + type: SCA + rulesets: + - default + results: {} + integration: + adhoc: false + ci: true + release: false + - name: CodeQL + type: SAST + version: '2' + rulesets: + - default + results: + ci: + name: CodeQL GitHub workflow + predicate-uri: '' + location: >- + https://github.com/radius-project/radius/blob/main/.github/workflows/codeql.yml + comment: GitHub workflow to run CodeQL + integration: + adhoc: false + ci: true + release: false + - name: GoSec + type: SAST + rulesets: + - default + results: {} + integration: + adhoc: false + ci: true + release: false + - name: Dependency Review + type: SCA + rulesets: + - default + results: {} + integration: + adhoc: false + ci: true + release: false diff --git a/SECURITY.md b/SECURITY.md index 1f875843a15..94ef18e58e2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,7 +8,7 @@ If you believe you have found a security vulnerability in any Radius repository, **Please do not report security vulnerabilities through public GitHub issues.** -Instead, please report them to the [security@radapp.dev](mailto:security@radapp.dev). +Instead, please report them to the [radiuscoreteam@service.microsoft.com](mailto:radiuscoreteam@service.microsoft.com). You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. From 2b6cb02346336068483206f96a43c7db17629792 Mon Sep 17 00:00:00 2001 From: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Date: Wed, 18 Mar 2026 20:31:15 -0700 Subject: [PATCH 2/2] chore: update security insights configuration and clean up formatting (#11449) # Description Validated with CUE and cleaned up based on the results. ## Type of change - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). ## Contributor checklist Please verify that the PR meets the following requirements, where applicable: - An overview of proposed schema changes is included in a linked GitHub issue. - [ ] Yes - [x] Not applicable - A design document PR is created in the [design-notes repository](https://github.com/radius-project/design-notes/), if new APIs are being introduced. - [ ] Yes - [x] Not applicable - The design document has been reviewed and approved by Radius maintainers/approvers. - [ ] Yes - [x] Not applicable - A PR for the [samples repository](https://github.com/radius-project/samples) is created, if existing samples are affected by the changes in this PR. - [ ] Yes - [x] Not applicable - A PR for the [documentation repository](https://github.com/radius-project/docs) is created, if the changes in this PR affect the documentation or any user facing updates are made. - [ ] Yes - [x] Not applicable - A PR for the [recipes repository](https://github.com/radius-project/recipes) is created, if existing recipes are affected by the changes in this PR. - [ ] Yes - [x] Not applicable Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --- .github/security-insights.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/security-insights.yml b/.github/security-insights.yml index d173f7823f6..4ed100584c5 100644 --- a/.github/security-insights.yml +++ b/.github/security-insights.yml @@ -1,7 +1,10 @@ +# CUE schema for validation: https://raw.githubusercontent.com/ossf/security-insights/refs/heads/main/spec/schema.cue +# cue vet -d '#SecurityInsights' schema.cue .github/security-insights.yml +--- header: schema-version: 2.0.0 - last-updated: '2026-02-20' - last-reviewed: '2026-02-20' + last-updated: 2026-02-20 + last-reviewed: 2026-02-20 url: https://github.com/radius-project/radius comment: >- This file contains all possible information for both project and repository, @@ -14,7 +17,7 @@ project: homepage: https://radapp.io roadmap: https://aka.ms/radius-roadmap steward: - uri: '' + uri: "" comment: No steward designated administrators: - name: Sylvain Niles @@ -157,13 +160,13 @@ repository: release: false - name: CodeQL type: SAST - version: '2' + version: "2" rulesets: - default results: ci: name: CodeQL GitHub workflow - predicate-uri: '' + predicate-uri: "" location: >- https://github.com/radius-project/radius/blob/main/.github/workflows/codeql.yml comment: GitHub workflow to run CodeQL