Merge pull request #765 from sassoftware/security-policy

Security Policy MD created based on template

Author: ceelias

.github/workflows/build-artifact/ARTIFACT_INVENTORY.template

@@ -5,64 +5,63 @@ The following tables provide information about the container images and Helm cha
 * pre-pull container images
 * deploy into an air-gapped Kubernetes cluster
 
-**Note:** For more information about deploying in an air-gapped environment, refer to 
+**Note:** For more information about deploying in an air-gapped environment, refer to
 [Configure SAS Viya Monitoring for Kubernetes for an Air-Gapped Environment](https://documentation.sas.com/?cdcId=obsrvcdc&cdcVersion=v_003&docsetId=obsrvdply&docsetTarget=n0auhd4hutsf7xn169hfvriysz4e.htm#n0grd8g2pkfglin12bzm3g1oik2p).
 
 ## Table 1. Container Images
 
 This table provides the fully qualified container-image names for the components of SAS Viya Monitoring for Kubernetes.
-These names use the following format: 
+These names use the following format:
 registry/repository/image_name:version
 
 | Subsystem| Component | Fully Qualified Container-Image Name (registry/repository/image_name:version)|
 |----|----|----|
-| Logging | Fluent Bit | __FB_FULL_IMAGE__ |
-| Logging | Elasticsearch Exporter | __ES_EXPORTER_FULL_IMAGE__ |
+| Logging | [Fluent Bit](https://github.com/fluent/fluent-bit) | __FB_FULL_IMAGE__ |
+| Logging | [Elasticsearch Exporter](https://github.com/prometheus-community/elasticsearch_exporter) | __ES_EXPORTER_FULL_IMAGE__ |
 | Logging | initContainer (Fluent Bit, OpenSearch) | __OS_SYSCTL_FULL_IMAGE__ |
-| Logging | OpenSearch | __OS_FULL_IMAGE__ |
-| Logging | OpenSearch Dashboards| __OSD_FULL_IMAGE__ |
-| Metrics | Alertmanager | __ALERTMANAGER_FULL_IMAGE__ |
-| Metrics | Grafana | __GRAFANA_FULL_IMAGE__ |
-| Metrics | Admission Webhook | __ADMWEBHOOK_FULL_IMAGE__ |
-| Metrics | Kube State Metrics | __KSM_FULL_IMAGE__ |
-| Metrics | Node Exporter | __NODEXPORT_FULL_IMAGE__ |
-| Metrics | Prometheus | __PROMETHEUS_FULL_IMAGE__ |
-| Metrics | Prometheus Operator | __PROMOP_FULL_IMAGE__ |
-| Metrics | Configuration Reloader (Alertmanager, Prometheus) | __CONFIGRELOAD_FULL_IMAGE__ |
-| Metrics | Prometheus Pushgateway | __PUSHGATEWAY_FULL_IMAGE__ |
-| Metrics | Auto-load Sidecars (Grafana) | __GRAFANA_SIDECAR_FULL_IMAGE__ |
+| Logging | [OpenSearch](https://github.com/opensearch-project/OpenSearch) | __OS_FULL_IMAGE__ |
+| Logging | [OpenSearch Dashboards](https://github.com/opensearch-project/OpenSearch-Dashboards) | __OSD_FULL_IMAGE__ |
+| Metrics | [Alertmanager](https://github.com/prometheus/alertmanager) | __ALERTMANAGER_FULL_IMAGE__ |
+| Metrics | [Grafana](https://github.com/grafana/grafana) | __GRAFANA_FULL_IMAGE__ |
+| Metrics | [Admission Webhook](https://github.com/kubernetes/ingress-nginx) | __ADMWEBHOOK_FULL_IMAGE__ |
+| Metrics | [Kube State Metrics](https://github.com/kubernetes/kube-state-metrics) | __KSM_FULL_IMAGE__ |
+| Metrics | [Node Exporter](https://github.com/prometheus/node_exporter) | __NODEXPORT_FULL_IMAGE__ |
+| Metrics | [Prometheus](https://github.com/prometheus/prometheus) | __PROMETHEUS_FULL_IMAGE__ |
+| Metrics | [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator) | __PROMOP_FULL_IMAGE__ |
+| Metrics | [Configuration Reloader](https://github.com/jimmidyson/configmap-reload) | __CONFIGRELOAD_FULL_IMAGE__ |
+| Metrics | [Prometheus Pushgateway](https://github.com/prometheus/pushgateway) | __PUSHGATEWAY_FULL_IMAGE__ |
+| Metrics | [Auto-load Sidecars](https://github.com/kiwigrid/k8s-sidecar) | __GRAFANA_SIDECAR_FULL_IMAGE__ |
 | Metrics | OpenShift OAUTH Proxy (Grafana, OpenShift only) | __OPENSHIFT_OAUTHPROXY_FULL_IMAGE__ |
-| Metrics | Tempo | __TEMPO_FULL_IMAGE__ |
+| Metrics | [Tempo](https://github.com/grafana/tempo) | __TEMPO_FULL_IMAGE__ |
 
 ## Table 2. Helm Chart Repositories
 This table identifies the Helm repositories that contain the Helm charts used by SAS Viya Monitoring for Kubernetes.
 These repositories must be made available to Helm in your environment. Use the `helm repo add` command.
 
 | Subsystem | Component | Helm Repository | Helm Repository URL |
 |--|--|--|--|
-| Logging | Fluent Bit | fluent | https://fluent.github.io/helm-charts |
-| Logging | OpenSearch and OpenSearch Dashboards | opensearch | https://opensearch-project.github.io/helm-charts |
-| Metrics | Grafana | grafana | https://grafana.github.io/helm-charts |
-| Both | Several (including Prometheus, Kube Prometheus Stack, Prometheus Pushgateway and Elasticsearch Exporter) | prometheus-community | https://prometheus-community.github.io/helm-charts |
+| Logging | [Fluent Bit](https://github.com/fluent/helm-charts) | fluent | https://fluent.github.io/helm-charts |
+| Logging | [OpenSearch and OpenSearch Dashboards](https://github.com/opensearch-project/helm-charts) | opensearch | https://opensearch-project.github.io/helm-charts |
+| Metrics | [Grafana](https://github.com/grafana/helm-charts) | grafana | https://grafana.github.io/helm-charts |
+| Both | [Prometheus Community](https://github.com/prometheus-community/helm-charts) | prometheus-community | https://prometheus-community.github.io/helm-charts |
 
 ## Table 3. Helm Chart Information
 This table identifies the Helm charts used by SAS Viya Monitoring for Kubernetes.
 
 | Subsystem | Component | Helm Chart Repository | Helm Chart Name |Helm Chart Version | Helm Archive File Name|
 |--|--|--|--|--|--|
-| Logging | Elasticsearch Exporter| __ESEXPORTER_HELM_CHART_REPO__ | __ESEXPORTER_HELM_CHART_NAME__ | __ESEXPORTER_HELM_CHART_VERSION__ | __ESEXPORTER_HELM_CHART_ARCHIVE__ |
-| Logging | Fluent Bit| __FLUENTBIT_HELM_CHART_REPO__ | __FLUENTBIT_HELM_CHART_NAME__ | __FLUENTBIT_HELM_CHART_VERSION__ | __FLUENTBIT_HELM_CHART_ARCHIVE__ |
-| Logging | OpenSearch| __OPENSEARCH_HELM_CHART_REPO__ | __OPENSEARCH_HELM_CHART_NAME__ | __OPENSEARCH_HELM_CHART_VERSION__ | __OPENSEARCH_HELM_CHART_ARCHIVE__ |
-| Logging | OpenSearch Dashboard| __OSD_HELM_CHART_REPO__ | __OSD_HELM_CHART_NAME__ | __OSD_HELM_CHART_VERSION__ | __OSD_HELM_CHART_ARCHIVE__ |
-| Metrics | Grafana (on OpenShift)| __OPENSHIFT_GRAFANA_CHART_REPO__ | __OPENSHIFT_GRAFANA_CHART_NAME__ | __OPENSHIFT_GRAFANA_CHART_VERSION__ | __OPENSHIFT_GRAFANA_CHART_ARCHIVE__ |
-| Metrics | Kube Prometheus Stack| __KUBE_PROM_STACK_CHART_REPO__ | __KUBE_PROM_STACK_CHART_NAME__ | __KUBE_PROM_STACK_CHART_VERSION__ | __KUBE_PROM_STACK_CHART_ARCHIVE__ |
-| Metrics | Prometheus Pushgateway| __PUSHGATEWAY_CHART_REPO__ | __PUSHGATEWAY_CHART_NAME__ | __PUSHGATEWAY_CHART_VERSION__ | __PUSHGATEWAY_CHART_ARCHIVE__ |
-| Metrics | Tempo | __TEMPO_CHART_REPO__ | __TEMPO_CHART_NAME__ | __TEMPO_CHART_VERSION__ | __TEMPO_CHART_ARCHIVE__ |
+| Logging | [Elasticsearch Exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-elasticsearch-exporter)| __ESEXPORTER_HELM_CHART_REPO__ | __ESEXPORTER_HELM_CHART_NAME__ | __ESEXPORTER_HELM_CHART_VERSION__ | __ESEXPORTER_HELM_CHART_ARCHIVE__ |
+| Logging | [Fluent Bit](https://github.com/fluent/helm-charts/tree/main/charts/fluent-bit)| __FLUENTBIT_HELM_CHART_REPO__ | __FLUENTBIT_HELM_CHART_NAME__ | __FLUENTBIT_HELM_CHART_VERSION__ | __FLUENTBIT_HELM_CHART_ARCHIVE__ |
+| Logging | [OpenSearch](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch)| __OPENSEARCH_HELM_CHART_REPO__ | __OPENSEARCH_HELM_CHART_NAME__ | __OPENSEARCH_HELM_CHART_VERSION__ | __OPENSEARCH_HELM_CHART_ARCHIVE__ |
+| Logging | [OpenSearch Dashboards](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch-dashboards)| __OSD_HELM_CHART_REPO__ | __OSD_HELM_CHART_NAME__ | __OSD_HELM_CHART_VERSION__ | __OSD_HELM_CHART_ARCHIVE__ |
+| Metrics | [Grafana (on OpenShift)](https://github.com/grafana/helm-charts/tree/main/charts/grafana)| __OPENSHIFT_GRAFANA_CHART_REPO__ | __OPENSHIFT_GRAFANA_CHART_NAME__ | __OPENSHIFT_GRAFANA_CHART_VERSION__ | __OPENSHIFT_GRAFANA_CHART_ARCHIVE__ |
+| Metrics | [Kube Prometheus Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)| __KUBE_PROM_STACK_CHART_REPO__ | __KUBE_PROM_STACK_CHART_NAME__ | __KUBE_PROM_STACK_CHART_VERSION__ | __KUBE_PROM_STACK_CHART_ARCHIVE__ |
+| Metrics | [Prometheus Pushgateway](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway)| __PUSHGATEWAY_CHART_REPO__ | __PUSHGATEWAY_CHART_NAME__ | __PUSHGATEWAY_CHART_VERSION__ | __PUSHGATEWAY_CHART_ARCHIVE__ |
+| Metrics | [Tempo](https://github.com/grafana/helm-charts/tree/main/charts/tempo)| __TEMPO_CHART_REPO__ | __TEMPO_CHART_NAME__ | __TEMPO_CHART_VERSION__ | __TEMPO_CHART_ARCHIVE__ |
 
 ## Table 4. Miscellaneous Component Version Information
 This table provides version information for some miscellaneous components deployed by SAS Viya Monitoring for Kubernetes.
 
 | Component | Version | Project Repository | Notes |
 |--|--|--|--|
 | OpenSearch Datasource Plugin (Grafana) | __GRAFANA_DATASOURCE_PLUGIN_VERSION__ | https://github.com/grafana/opensearch-datasource/releases |Allows Grafana to surface log messages stored in OpenSearch |
-

SECURITY.md

@@ -0,0 +1,55 @@
+# SAS® Viya® Monitoring for Kubernetes Security Policy
+
+The project maintainers and community contributors take security issues seriously. We appreciate efforts to disclose potential issues responsibly and will acknowledge viable contributions. To aid in the investigation of reported vulnerabilities, please follow the [reporting guidelines](#reporting-guidelines) outlined below.
+
+## Scope of Security Reports
+
+### In Scope
+The following components are directly maintained by this project and should be reported through our security reporting process:
+
+* Custom deployment scripts and automation code
+* Project-specific configuration files and templates
+* Custom Kubernetes manifests and Helm charts
+* Project documentation and guidance
+* Any other artifacts created and maintained specifically by the SAS Viya Monitoring for Kubernetes project
+
+### Out of Scope
+This project deploys and configures various third-party open-source monitoring tools. For a complete inventory of third-party components used by this project, please refer to [ARTIFACT_INVENTORY.md](ARTIFACT_INVENTORY.md).
+
+Vulnerabilities in these underlying components should be reported to their respective projects. For example:
+
+* Grafana - Report via [Grafana Security](https://github.com/grafana/grafana/security)
+* Prometheus - Report via [Prometheus Security](https://github.com/prometheus/prometheus/security)
+* OpenSearch - Report via [OpenSearch Security](https://github.com/opensearch-project/OpenSearch/security)
+
+Vulnerabilities identified through container image scanning should be reported directly to the project that maintains the container image. For example, if a scan of the OpenSearch container image reveals vulnerabilities, these should be reported to the OpenSearch project, not to SAS Viya Monitoring for Kubernetes.
+
+If you're unsure whether a vulnerability belongs to our project's code or an underlying component, please submit the report through our process and we will help direct it to the appropriate team.
+
+## Reporting Guidelines
+
+To report a suspected security issue that is in scope for this project, use GitHub's private vulnerability reporting:
+
+1. Click the `Security` tab
+2. Click the `Report a vulnerability` button
+
+Please provide the following information with your security report:
+
+* Your name and affiliation (if applicable)
+* Version/build-date of the SAS Viya Monitoring for Kubernetes project
+* Detailed description of the security issue
+* Steps to reproduce the issue
+* Impact of the vulnerability
+* Any known public information about this vulnerability (e.g., related CVE, security advisory)
+* Whether the vulnerability exists in the latest version
+* Suggested fixes or mitigations (if any)
+
+## Recognition
+
+Contributors who responsibly disclose security vulnerabilities will be acknowledged in our release notes (unless they prefer to remain anonymous).
+
+## Additional Information
+
+For general questions about the project's security, please open a regular GitHub issue. Do not include sensitive security-related details in public issues.
+
+Note: This security policy may be updated from time to time. Please refer to the latest version in the repository.