ossf · eddie-knight · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024
diff --git a/.github/ISSUE_TEMPLATES/siep.yml → .github/ISSUE_TEMPLATE/siep.yml b/.github/ISSUE_TEMPLATES/siep.yml → .github/ISSUE_TEMPLATE/siep.yml
diff --git a/.github/security-insights.yml b/.github/security-insights.yml
@@ -0,0 +1,50 @@
+header:
+  schema-version: 1.0.0
+  last-updated: '2021-09-01'
+  last-reviewed: '2022-09-01'
+  url: https://github.com/ossf/security-insights-spec
+  comment: This file contains the security information for the Security Insights project.
+
+project:
+  name: Security Insights
+  administrators:
+    - name: Christopher Robinson
+      affiliation: Linux Foundation
+      primary: true
+  repositories:
+    - name: Security Insights
+      url: https://github.com/ossf/security-insights-spec
+      comment: |
+        Security Insights is the core repo for the Security Insights project.
+  vulnerability-reporting:
+    reports-accepted: true
+    bug-bounty-available: false
+
+repository:
+  status: active
+  url: https://github.com/ossf/security-insights-spec
+  accepts-change-request: true
+  accepts-automated-change-request: false
+  no-third-party-packages: true
+  core-team:
+    - name:        Eddie Knight
+      affiliation: Sonatype
+      primary:     true
+  license:
+    url: https://github.com/ossf/security-insights-spec/blob/main/LICENSE
+    expression: MIT AND Community Specification License 1.0
+  security:
+    assessments:
+      self:
+        evidence: https://github.com/ossf/security-insights-spec/blob/main/docs/threat-model
+        comment: |
+          A light-weight threat model was completed when the project was first started,
+          and it remains accurate to-date.
+  documentation:
+    contributing-guide: https://github.com/ossf/security-insights-spec/blob/main/.github/CONTRIBUTING.md
+    governance: https://github.com/ossf/security-insights-spec/blob/main/docs/GOVERNANCE.md
+  release:
+    automated-pipeleine: false
+    distribution-points:
+      - uri:  https://github.com/ossf/security-insights-spec/releases
+        comment: GitHub Release Page
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
diff --git a/README.md b/README.md
@@ -6,8 +6,25 @@ This specification provides a mechanism for projects to report information about
 
 The data tracked within this specification is intended to fill the gaps between simplified solutions such as `SECURITY.md` and comprehensive automatable solutions such as SBOMs. In that gap lay elements that must be self-reported by projects to allow end-users to make informed security decisions.
 
+## Usage
+
+Projects should include a `security-insights.yml` file in the root of their repository, or in the appropriate source forge directory such as `.github/` or `.gitlab/`. Users should assume the contents of that file will be updated any time the relevant information changes.
+
+To ensure you are adhering to an official version of the specification, please refer to the `specification.md` in the [latest release](https://github.com/ossf/security-insights/releases/latest), which is a versioned compilation of all details.
+
+This repository often remains unchanged from the latest release, but may diverge as incremental development takes place in preparation for an upcoming release. Any differences between the latest release and the main branch should only be considered previews of the next release.
+
 As the adoption of Security Insights grows, so does the opportunity to automatically ingest it. For example, the Linux Foundation's [CLOMonitor](https://clomonitor.io/) parses a project's Security Insights file to determine whether projects have reported on select security factors prioritized by the foundation.
 
-All information regarding the maintenance, security, and consumption of the Security Insights Specification can be found in this repo within the latest version of the [official specification file](/specification.md).
+## Maintenance
+
+The specification maintenance occurs in the following places:
+
+- `specification/`: Contains markdown details for all specification values
+- `schema.cue`: Contains the CUE schema that can be used to validate files against the specification
+- `template-full.yml`: Contains a template that includes all possible fields
+- `template-minimal.yml`: Contains a template that includes only the required fields
+
+Discussion and feedback should take place in [GitHub Issues](https://github.com/ossf/security-insights/issues). 
 
-Please use GitHub issues to discuss the maintenance of this specification, and review the [Contributor Guidelines](./CONTRIBUTING.md) for more information.
+Because this specification recieves light maintenance and infrequent updates, beginning in 2025 we ask that you follow the [Security Insights Enhancement Proposal](./docs/GOVERNANCE.md#security-insights-enhancement-proposals) process to explore potential changes to the specification.
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
diff --git a/SECURITY.md b/SECURITY.md
diff --git a/GOVERNANCE.md → docs/GOVERNANCE.md b/GOVERNANCE.md → docs/GOVERNANCE.md
diff --git a/MAINTAINERS.md → docs/MAINTAINERS.md b/MAINTAINERS.md → docs/MAINTAINERS.md
diff --git a/schema.cue b/schema.cue
@@ -16,9 +16,9 @@ import (
 }
 
 #Attestation: {
-  name:            string
-  location:        #URL
-  "predicate-uri": string
+  name:             string
+  location:         #URL
+  "predicate-uri":  string
   comment?:         string
 }
 

diff --git a/specification-details/aliases.md → specification/aliases.md b/specification-details/aliases.md → specification/aliases.md
@@ -1,4 +1,4 @@
-# Aliases
+# Aliases _(v2.0.0)_
 
 The following aliases are used throughout the schema for consistency.
 

diff --git a/specification-details/header.md → specification/header.md b/specification-details/header.md → specification/header.md
@@ -1,4 +1,4 @@
-# `header`
+# `header` _(v2.0.0)_
 
 The `header` object captures high-level metadata about the schema.
 

diff --git a/specification-details/project.md → specification/project.md b/specification-details/project.md → specification/project.md
@@ -1,4 +1,4 @@
-# `project`
+# `project` _(v2.0.0)_
 
 The `project` object describes the overall project, including basic info, documentation links, repositories, vulnerability reporting, and security details.
 

diff --git a/specification-details/repository.md → specification/repository.md b/specification-details/repository.md → specification/repository.md
@@ -1,4 +1,4 @@
-# `repository`
+# `repository` _(v2.0.0)_
 
 The `repository` object specifies repository-related configurations, including status, policies, team members, documentation, license, releases, and security posture.
 

diff --git a/template-full.yml b/template-full.yml
@@ -1,5 +1,5 @@
 header:
-  schema-version: 1.0.0
+  schema-version: 2.0.0
   last-updated: '2021-09-01'
   last-reviewed: '2022-09-01'
   url: https://foo.bar/foo/bar

diff --git a/template-minimum.yml b/template-minimum.yml
@@ -1,5 +1,5 @@
 header:
-  schema-version: 1.0.0
+  schema-version: 2.0.0
   last-updated: '2021-09-01'
   last-reviewed: '2022-09-01'
   url: https://foo.bar/kubernetes/kubernetes