From 7c59ea7281713264db7c3fff02eb0e3811904d18 Mon Sep 17 00:00:00 2001
From: Vinaya Damle
Date: Tue, 17 Feb 2026 12:10:33 -0800
Subject: [PATCH 1/3] Add security-insights.yml for OSSF Security Insights v2.0.0
---
 .github/security-insights.yml | 259 ++++++++++++++++++++++++++++++++++
 1 file changed, 259 insertions(+)
 create mode 100644 .github/security-insights.yml
diff --git a/.github/security-insights.yml b/.github/security-insights.yml
new file mode 100644
index 0000000000..2ad9d3a619
--- /dev/null
+++ b/.github/security-insights.yml
@@ -0,0 +1,259 @@
+header:
+ schema-version: 2.0.0
+ last-updated: '2026-02-20'
+ last-reviewed: '2026-02-20'
+ url: https://github.com/radius-project/radius
+ comment: >-
+ This file contains all possible information for both project and repository,
+ though it is not required to include all of this information every time. Nor
+ is it required to include both a project and repository section if the
+ project section is intended to be inherited by repositories via
+ header.project-si-source
+project:
+ name: Radius
+ homepage: https://radapp.io
+ funding: ''
+ roadmap: https://aka.ms/radius-roadmap
+ steward:
+ uri: ''
+ comment: ''
+ administrators:
+ - name: Sylvain Niles
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/sylvainsf
+ primary: false
+ - name: Karishma Chawla
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/kachawla
+ primary: false
+ - name: Brooke Hamilton
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/brooke-hamilton
+ primary: false
+ documentation:
+ quickstart-guide: https://docs.radapp.io/quick-start/
+ detailed-guide: https://radapp.io/
+ code-of-conduct: https://github.com/radius-project/community/blob/main/CODE-OF-CONDUCT.md
+ release-process: https://github.com/radius-project/community
+ support-policy: https://github.com/radius-project/radius/blob/main/SUPPORT.md
+ signature-verification: ''
+ repositories:
+ - name: Radius
+ url: https://github.com/radius-project/radius
+ comment: >-
+ Radius is the main Radius repository. It contains all of Radius code and
+ documentation. In addition, we have the below repositories
+ - name: Docs
+ url: https://github.com/radius-project/docs
+ comment: This repository contains the Radius documentation source for Radius.
+ - name: Samples
+ url: https://github.com/radius-project/samples
+ comment: >-
+ This repository contains the source code for quickstarts, reference
+ apps, and tutorials for Radius.
+ - name: Recipes
+ url: https://github.com/radius-project/recipes
+ comment: >-
+ This repo contains commonly used Recipe templates for Radius
+ Environments.
+ - name: Website
+ url: https://github.com/radius-project/website
+ comment: This repository contains the source code for the Radius website.
+ - name: AWS Bicep Types
+ url: https://github.com/radius-project/bicep-types-aws
+ comment: >-
+ This repository contains the tooling for Bicep support for AWS resource
+ types.
+ vulnerability-reporting:
+ reports-accepted: true
+ bug-bounty-available: false
+ bug-bounty-program: ''
+ contact:
+ name: Radius Team
+ email: security@radapp.dev
+ primary: true
+ security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+ in-scope:
+ - ''
+ out-of-scope:
+ - ''
+ pgp-key: ''
+ comment: ''
+repository:
+ url: https://github.com/radius-project/radius
+ status: active
+ bug-fixes-only: true
+ accepts-change-request: true
+ accepts-automated-change-request: true
+ no-third-party-packages: true
+ core-team:
+ - name: Sylvain Niles
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/sylvainsf
+ primary: false
+ - name: Karishma Chawla
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/kachawla
+ primary: false
+ - name: Brooke Hamilton
+ affiliation: Microsoft
+ email: ''
+ social: https://github.com/brooke-hamilton
+ primary: false
+ documentation:
+ contributing-guide: https://github.com/radius-project/radius/blob/main/CONTRIBUTING.md
+ review-policy: >-
+ https://github.com/radius-project/radius/blob/7e12716cdb2396ce9e1db73583d6bae23eb42d77/docs/contributing/contributing-code/contributing-code-reviewing/README.md
+ security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
+ governance: >-
+ https://github.com/radius-project/community/blob/main/community-membership.md
+ dependency-management-policy: https://github.com/radius-project/radius/blob/main/THIRD-PARTY-NOTICES.txt
+ release:
+ changelog: https://github.com/radius-project/radius/releases
+ automated-pipeline: false
+ attestations:
+ - name: Release 0.54
+ predicate-uri: https://github.com/radius-project/radius/actions/runs/20080596572
+ location: https://github.com/radius-project/radius/releases/tag/v0.54.0
+ comment: Build workflow for Release 0.54
+ distribution-points:
+ - uri: https://github.com/radius-project/radius/releases
+ comment: Radius Releases
+ - uri: https://github.com/orgs/radius-project/packages?repo_name=radius
+ comment: GitHub packages
+ license:
+ url: >-
+ https://github.com/radius-project/radius/blob/7e12716cdb2396ce9e1db73583d6bae23eb42d77/LICENSE
+ expression: Apache-2.0
+ security:
+ assessments:
+ self:
+ evidence: https://github.com/radius-project/design-notes/tree/main/architecture
+ date: ''
+ comment: >-
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-controller-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-applications-rp-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-08-dashboard-component-threat-model.md
+
+ https://github.com/radius-project/design-notes/blob/main/architecture/2024-11-ucp-component-threat-model.md
+ third-party:
+ - evidence: ''
+ date: ''
+ comment: ''
+ champions:
+ - name: Radius Team
+ email: security@radapp.dev
+ primary: true
+ tools:
+ - name: Scorecard
+ type: Supply Chain Security
+ version: ''
+ rulesets:
+ - default
+ results:
+ adhoc:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ ci:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ release:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ comment: ''
+ - name: CodeQL
+ type: SAST
+ version: '2'
+ rulesets:
+ - default
+ results:
+ adhoc:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ ci:
+ name: CodeQL GitHub workflow
+ predicate-uri: ''
+ location: >-
+ https://github.com/radius-project/radius/blob/7e12716cdb2396ce9e1db73583d6bae23eb42d77/.github/workflows/codeql.md?plain=1#L3
+ comment: GitHub workflow to run CodeQL
+ release:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ comment: ''
+ - name: GoSec
+ type: SAST
+ version: ''
+ rulesets:
+ - default
+ results:
+ adhoc:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ ci:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ release:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ comment: ''
+ - name: Dependency Review
+ type: ''
+ version: ''
+ rulesets:
+ - default
+ results:
+ adhoc:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ ci:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ release:
+ name: ''
+ predicate-uri: ''
+ location: ''
+ comment: ''
+ integration:
+ adhoc: false
+ ci: true
+ release: false
+ comment: ''
From 0509614d1cdc6000cc75ff6e3f067beb9fc19643 Mon Sep 17 00:00:00 2001
From: vinayada1 <28875764+vinayada1@users.noreply.github.com>
Date: Fri, 20 Feb 2026 13:10:14 -0800
Subject: [PATCH 2/3] Update .github/security-insights.yml
Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Signed-off-by: vinayada1 <28875764+vinayada1@users.noreply.github.com>
---
 .github/security-insights.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/security-insights.yml b/.github/security-insights.yml
index 2ad9d3a619..3b29403b8f 100644
--- a/.github/security-insights.yml
+++ b/.github/security-insights.yml
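Review bot: `no-third-party-packages: true` under `repository` contradicts `dependency-management-policy` in the same hunk, which points at THIRD-PARTY-NOTICES.txt; a project that ships a third-party notices file does depend on third-party packages, so this should almost certainly read `no-third-party-packages: false`. `in-scope` and `out-of-scope` under `vulnerability-reporting` are each a list holding one empty string, which a consumer reads as a declared scope of `''` rather than "not specified"; either fill them in or drop the two keys instead of leaving placeholder entries. `release.attestations[0].predicate-uri` links to an Actions run rather than to an attestation predicate, and `signature-verification` is `''`, so the entry documents a build log, not something a downstream can verify — worth confirming that is intended or pointing at published provenance if it exists. The security contact is `security@radapp.dev` while `homepage` is `radapp.io`; if both domains belong to the project this is fine, but a second look is cheap compared with a vulnerability report bouncing off a stale mailbox.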
@@ -108,7 +108,7 @@ repository:
 documentation:
 contributing-guide: https://github.com/radius-project/radius/blob/main/CONTRIBUTING.md
 review-policy: >-
- https://github.com/radius-project/radius/blob/7e12716cdb2396ce9e1db73583d6bae23eb42d77/docs/contributing/contributing-code/contributing-code-reviewing/README.md
+ https://github.com/radius-project/radius/blob/main/docs/contributing/contributing-code/contributing-code-reviewing/README.md
 security-policy: https://github.com/radius-project/radius/blob/main/SECURITY.md
 governance: >-
 https://github.com/radius-project/community/blob/main/community-membership.md
From 620684878b4f91fef1491f484e6de45f4e5209c4 Mon Sep 17 00:00:00 2001
From: vinayada1 <28875764+vinayada1@users.noreply.github.com>
Date: Fri, 20 Feb 2026 13:11:18 -0800
Subject: [PATCH 3/3] Update .github/security-insights.yml
Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Signed-off-by: vinayada1 <28875764+vinayada1@users.noreply.github.com>
---
 .github/security-insights.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/security-insights.yml b/.github/security-insights.yml
index 3b29403b8f..298d89b617 100644
--- a/.github/security-insights.yml
+++ b/.github/security-insights.yml
@@ -193,7 +193,7 @@ repository:
 name: CodeQL GitHub workflow
 predicate-uri: ''
 location: >-
- https://github.com/radius-project/radius/blob/7e12716cdb2396ce9e1db73583d6bae23eb42d77/.github/workflows/codeql.md?plain=1#L3
+ https://github.com/radius-project/radius/blob/main/.github/workflows/codeql.yml
 comment: GitHub workflow to run CodeQL
 release:
 name: ''
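Review bot: After this hunk and the PATCH 3/3 hunk below, `review-policy` and the CodeQL `location` float on `main` while `license.url` (outside both hunks) still pins commit 7e12716cdb2396ce9e1db73583d6bae23eb42d77, so the file now mixes two conventions for evidence links. A pinned link is reproducible but goes stale; a `main` link stays current but no longer shows what was actually assessed on the `last-reviewed` date — pick one convention and apply it to all three. If floating links are the choice, `last-reviewed` becomes the only record of the reviewed state, so it should be bumped whenever these links are touched.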