chore: add SECURITY.md, FUNDING.yml, issue templates, dependabot, codeql, scorecard, dependency-review

Author: markuslf

.github/FUNDING.yml

@@ -1,3 +1 @@
-# These are supported funding model platforms
-
 github: 'linuxfabrik'

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,52 @@
+name: 'Bug report'
+description: 'Submit a bug report for LFOps'
+labels:
+  - 'bug'
+body:
+  - type: 'checkboxes'
+    id: 'before-posting'
+    attributes:
+      label: 'Before submitting:'
+      options:
+        - label: 'I have searched existing issues to make sure this is not a duplicate.'
+          required: true
+        - label: 'I am using the latest release.'
+          required: true
+        - label: 'I agree to follow the [Code of Conduct](https://github.com/Linuxfabrik/lfops/blob/main/CODE_OF_CONDUCT.md).'
+          required: true
+
+  - type: 'textarea'
+    id: 'bug-description'
+    attributes:
+      label: 'Bug description'
+      description: 'Provide a clear and concise description of the bug.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'steps'
+    attributes:
+      label: 'Steps to reproduce'
+      description: 'List the steps needed to reproduce the issue.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'expected'
+    attributes:
+      label: 'Expected behavior'
+      description: 'What did you expect to happen?'
+
+  - type: 'textarea'
+    id: 'environment'
+    attributes:
+      label: 'Environment'
+      description: 'Operating system, software version, and any other relevant details.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'additional'
+    attributes:
+      label: 'Additional context'
+      description: 'Any other information, logs, or screenshots.'

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,24 @@
+name: 'Feature request'
+description: 'Suggest a new feature or improvement for LFOps'
+labels:
+  - 'enhancement'
+body:
+  - type: 'textarea'
+    id: 'solution'
+    attributes:
+      label: 'Describe the solution you would like'
+      description: 'A clear and concise description of what you want to happen.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'alternatives'
+    attributes:
+      label: 'Alternatives considered'
+      description: 'Have you considered any alternative solutions or workarounds?'
+
+  - type: 'textarea'
+    id: 'context'
+    attributes:
+      label: 'Additional context'
+      description: 'Any other context or screenshots about the feature request.'

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  schedule:
+    - cron: '0 0 * * 1'
+
+permissions:
+  contents: 'read'
+
+jobs:
+  analyze:
+    name: 'Analyze'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      actions: 'read'
+      contents: 'read'
+      security-events: 'write'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - 'python'
+
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@v2'
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Initialize CodeQL'
+        uses: 'github/codeql-action/init@v3'
+        with:
+          languages: '${{ matrix.language }}'
+
+      - name: 'Autobuild'
+        uses: 'github/codeql-action/autobuild@v3'
+
+      - name: 'Perform CodeQL Analysis'
+        uses: 'github/codeql-action/analyze@v3'
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/dependency-review.yml

@@ -0,0 +1,22 @@
+name: 'Dependency Review'
+
+on:
+  pull_request: {}
+
+permissions:
+  contents: 'read'
+
+jobs:
+  dependency-review:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@v2'
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Dependency Review'
+        uses: 'actions/dependency-review-action@v4'

.github/workflows/scorecard.yml

@@ -0,0 +1,49 @@
+name: 'Scorecard supply-chain security'
+
+on:
+  branch_protection_rule: {}
+  schedule:
+    - cron: '22 14 * * 4'
+  push:
+    branches:
+      - 'main'
+
+permissions: 'read-all'
+
+jobs:
+  analysis:
+    name: 'Scorecard analysis'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: 'write'
+      id-token: 'write'
+
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@v2'
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout code'
+        uses: 'actions/checkout@v4'
+        with:
+          persist-credentials: false
+
+      - name: 'Run analysis'
+        uses: 'ossf/scorecard-action@v2'
+        with:
+          results_file: 'results.sarif'
+          results_format: 'sarif'
+          publish_results: true
+
+      - name: 'Upload artifact'
+        uses: 'actions/upload-artifact@v4'
+        with:
+          name: 'SARIF file'
+          path: 'results.sarif'
+          retention-days: 5
+
+      - name: 'Upload to code-scanning'
+        uses: 'github/codeql-action/upload-sarif@v3'
+        with:
+          sarif_file: 'results.sarif'

SECURITY.md

@@ -0,0 +1,101 @@
+# Security Policy
+
+## Supported Versions
+
+The latest version is currently supported and receives security updates.
+
+
+## Reporting a Vulnerability
+
+We're extremely grateful for security researchers and users that report
+vulnerabilities to us. All reports are thoroughly investigated by our team.
+
+Vulnerabilities are reported privately via GitHub's
+[Security Advisories](https://docs.github.com/en/code-security/security-advisories)
+feature. Please use the following link to submit your vulnerability:
+[Report a vulnerability](https://github.com/Linuxfabrik/lfops/security/advisories/new)
+
+Please see
+[Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
+for more information on how to submit a vulnerability using GitHub's interface.
+
+
+### When Should I Report a Vulnerability?
+
+* You think you discovered a potential security vulnerability
+* You are unsure how a vulnerability affects your system
+* You think you discovered a vulnerability in another project that this project depends on
+  - For projects with their own vulnerability reporting and disclosure process, please report it directly there
+
+### When Should I NOT Report a Vulnerability?
+
+* You need help tuning your System for security
+* You need help applying security related updates
+* Your issue is not security related
+
+
+### Vulnerability Response
+
+Each report is acknowledged and analyzed within 30 days.
+
+Any vulnerability information stays within this project and will not be disseminated to other projects
+unless it is necessary to get the issue fixed.
+
+As the security issue moves from triage, to identified fix, to release planning
+we will keep the reporter updated.
+
+
+## Security Release & Disclosure Process
+
+Security vulnerabilities should be handled quickly and sometimes privately. The
+primary goal of this process is to reduce the total time users are vulnerable
+to publicly known exploits.
+
+
+### Private Disclosure
+
+We ask that all suspected vulnerabilities be privately and responsibly
+disclosed via the [private disclosure process](#reporting-a-vulnerability)
+outlined above.
+
+Fixes may be developed and tested by our team in a
+[temporary private fork](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)
+that are private from the general public if deemed necessary.
+
+
+### Public Disclosure
+
+Vulnerabilities are disclosed publicly as GitHub [Security
+Advisories](https://github.com/Linuxfabrik/lfops/security/advisories).
+
+A public disclosure date is negotiated by our team
+and the bug submitter. We prefer to fully disclose the bug as soon as possible
+once a user mitigation is available. It is reasonable to delay disclosure when
+the bug or the fix is not yet fully understood, the solution is not
+well-tested, or for vendor coordination. The timeframe for disclosure is from
+immediate (especially if it's already publicly known) to several weeks. For a
+vulnerability with a straightforward mitigation, we expect report date to
+disclosure date to be on the order of 30 days.
+
+If you know of a publicly disclosed security vulnerability please IMMEDIATELY
+[report the vulnerability](#reporting-a-vulnerability) to inform the team about the vulnerability so they may start the
+patch, release, and communication process.
+
+If possible the team will ask the person making the public report if
+the issue can be handled via a private disclosure process. If the reporter
+denies the request, the team will move swiftly with the fix and
+release process. In extreme cases you can ask GitHub to delete the issue but
+this generally isn't necessary and is unlikely to make a public disclosure less
+damaging.
+
+### Security Releases
+
+Once a fix is available it will be released and announced via the project on
+GitHub.
+Security releases will announced and clearly marked as a security release and
+include information on which vulnerabilities were fixed. As much as possible
+this announcement should be actionable, and include any mitigating steps users
+can take prior to upgrading to a fixed version.
+
+Fixes will be applied in new releases and all fixed vulnerabilities will be noted in
+the [CHANGELOG](./CHANGELOG.md).