diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index f9ba8cf6..7e42497d 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,9 +1,27 @@ -# Microsoft Open Source Code of Conduct +## Code of Conduct -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). +- Do not store private or sensitive data in GitHub. This includes passwords, keys, personal data, private configuration data. If you think you pushed anything private to GitHub, consider it compromised and notify your manager. +- Repositories should be public unless there is a compelling reason to keep it private. Starting with a public repo and making the source code open from the beginning is much easier than starting as a closed source project are then attempting to open source it when it's "ready". If you're unsure, ask your manager. +- The Government of Canada position on Open Source is to open source code by default when possible: -Resources: +> - [Open First Whitepaper](https://github.com/canada-ca/Open_First_Whitepaper/blob/master/en/4_Open_Source_Software_Contribution.md) +> - [Guide for Publishing Open Source Code](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/open-source-software/guide-for-publishing-open-source-code.html) -- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) -- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) -- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns +- Projects that are no longer maintained should be [Archived](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/archiving-repositories) instead of deleted. +- Do not commit code directly to the main branch. The recommended practice is to create a feature branch and a pull request when your code is ready to be merged. +- Repositories should be given a useful name that describes the project. For example, terraform-module-eks-cluster is more appropriate than eks. +- Repository names should be all lowercase and use a hyphen instead of an underscore. + +## Code de conduite + +- Ne stockez pas de données privées ou sensibles dans GitHub. Cela inclut les mots de passe, les clés, les données personnelles, les données de configuration privées. Si vous pensez avoir poussé quelque chose de privé vers GitHub, considérez-le comme compromis et informez-en votre gestionnaire. +- Les référentiels doivent être publics, à moins qu’il n’y ait une raison impérieuse de les garder privés. Il est beaucoup plus facile de commencer avec un référentiel public et de rendre le code « source open » dès le début que de commencer par un projet « open source » qui tente ensuite de l’ouvrir lorsqu’il est « prêt ». Si vous n’êtes pas certain, demandez à votre gestionnaire. +- La position du gouvernement du Canada à l’égard de « open source » est d’ouvrir le code source par défaut lorsque cela est possible : + +> - [Logiciels libres - Contribution](https://github.com/canada-ca/Open_First_Whitepaper/blob/master/fr/4_Logiciel_libre_Contribution.md) +> - [Guide pour la publication du code source libre](https://www.canada.ca/fr/gouvernement/systeme/gouvernement-numerique/innovations-gouvernementales-numeriques/logiciels-libres/guide-pour-la-publication-du-code-source-libre.html) + +- Les projets qui ne sont plus maintenus doivent être archivés [Archivage](https://docs.github.com/fr/repositories/archiving-a-github-repository/archiving-repositories) au lieu d’être supprimés. +- Ne pas faire un « commit » de code directement dans la branche principale. Il est recommandé de créer une branche de fonctionnalité et une demande de tirage lorsque votre code est prêt à être fusionné. +- Les référentiels doivent recevoir un nom utile qui décrit le projet. Par exemple, « terraform-module-eks-cluster » est plus approprié que « eks ». +- Les noms des référentiels doivent être tous en minuscules et utiliser un trait d’union au lieu d’un trait de soulignement « underscore ». \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 61a241fb..ae5b3a0c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,53 +1,24 @@ -# Contributing Reference Implementation +## Contributing -This project welcomes contributions and suggestions. Most contributions require you to -agree to a Contributor License Agreement (CLA) declaring that you have the right to, -and actually do, grant us the rights to use your contribution. For details, visit -https://cla.microsoft.com. +This project welcomes contributions and suggestions via GitHub’s issue/bug submission. +Note: If there are any questions related but do not involve a code bug or issue you can email SSC Cloud Security Compliance: [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca). -When you submit a pull request, a CLA-bot will automatically determine whether you need -to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the -instructions provided by the bot. You will only need to do this once across all repositories using our CLA. +Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com/. +Commits are not accepted to the main branch. You may do a Pull Request (PR) from a forked repository. You will not be able to push a branch directly. We also have two SSC reviewers required to review all PRs. -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) -or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. +When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. -## Getting Started +This project has adopted the Microsoft Open-Source Code of Conduct. For more information, refer to the Code of Conduct Frequently Asked Questions (FAQs) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. -* You are free to work on automation templates on any platform using any editor, but you may find it quickest to get started using [VSCode](https://code.visualstudio.com/Download) with the [Bicep extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep), and [PowerShell extension] (https://docs.microsoft.com/en-us/powershell/scripting/dev-cross-plat/vscode/using-vscode?view=powershell-7.2) +## Contribuer -* Fork this repository +Ce projet accueille les contributions et les suggestions via la soumission de problème / bogue de GitHub. +Remarque : S’il y a des questions liées mais n’impliquent pas de bogue ou de problème de code, vous pouvez envoyer un courriel à Conformité à la sécurité infonuagique de SPC : [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca). -* Clone the forked repository to your local development environment +La plupart des contributions exigent que vous acceptiez une entente de licence de contributeur « Contributor License Agreement (CLA) » déclarant que vous avez le droit de nous accorder les droits d’utiliser votre contribution, et que vous le faites réellement. Pour plus de détails, visitez https://cla.opensource.microsoft.com/. -## Deployment to your environment +Les « commits » ne sont pas acceptés à la branche principale. Vous pouvez effectuer une demande de tirage « pull request (PR) » à partir d’un référentiel fourché. Vous ne pourrez pas pousser une branche directement. Nous avons également deux examinateurs de SPC tenus d’examiner tous les PR. -Please refer to the following how to [setup](https://github.com/ssc-spc-ccoe-cei/azure-guardrails-solution-accelerator/blob/main/docs/setup.md) and [how it works](https://github.com/ssc-spc-ccoe-cei/azure-guardrails-solution-accelerator/blob/main/docs/controls.md) +Lorsque vous soumettez une PR, un robot « bot » CLA déterminera automatiquement si vous devez fournir un CLA et décorer la PR de manière appropriée (par exemple, vérification de l’état, commentaire). Il suffit de suivre les instructions fournies par le « bot ». Vous n’aurez besoin de le faire qu’une seule fois dans tous les référentiels en utilisant notre CLA. -## Pull Requests - -* Ensure that a user story or an issue has been created to track the feature enhancement or bug that is being fixed. - -* In the PR description, make sure you've included "Fixes #{issue_number}" e.g. "Fixes #242" so that Azure DevOps or GitHub knows to link it to an issue. - -* To avoid multiple contributors working on the same issue, please add a comment to the issue to let us know you plan to work on it. - -* If a significant amount of design is required, please include a proposal in the issue and wait for approval before working on code. If there's anything you're not sure about, please feel free to discuss this in the issue. We'd much rather all be on the same page at the start, so that there's less chance that drastic changes will be needed when your pull request is reviewed. - -## Feature Suggestions - -* Ensure you have included a "What?" - what your feature entails, being as specific as possible, and giving use cases where possible. - -* Ensure you have included a "Why?" - what the benefit of including this feature will be. - -## Bug Reports - -* Be as specific as possible such as steps to reproduce the issue, and any example files or snippets of code needed to reproduce it. - - -## CLA - -This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. - -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. \ No newline at end of file +Ce projet a adopté le Code de conduite « open-source » de Microsoft. Pour plus d’informations, consultez la foire aux questions sur le code de conduite ou contactez [opencode@microsoft.com](mailto:opencode@microsoft.com) pour toute question ou commentaire supplémentaire. \ No newline at end of file diff --git a/LICENSE b/LICENSE index 9e841e7a..1dfa8904 100644 --- a/LICENSE +++ b/LICENSE @@ -19,3 +19,31 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE + + + The MIT License has been modified based on Shared Services Canada (SSC) Cloud Security Compliance (CSC) development. + + Copyright (c) 2024 Government of Canada + + The MIT License + + Copyright © 2024 + + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + _______________________________________________________________________________________________________________________________________ + + La licence MIT a été modifiée en fonction du développement de Conformité à la sécurité infonuagique (CSI) de Services partagés Canada (SPC). + + Droits d’auteur 2024 Gouvernement du Canada + + La licence MIT + + Droits d’auteur © 2024 + + L’autorisation est accordée par les présentes, à titre gratuit, à toute personne obtenant une copie de ce logiciel et des fichiers de documentation associés (le « Logiciel »), d’utiliser le Logiciel sans restriction, y compris, mais sans s’y limiter, les droits d’utiliser, de copier, de modifier, de fusionner, de publier, de distribuer, de concéder en sous licence et/ou de vendre des copies du Logiciel, et de permettre aux personnes à qui le Logiciel est fourni de le faire, sous réserve des conditions suivantes : + L’avis de droit d’auteur ci-dessus et cet avis d’autorisation doivent être inclus dans toutes les copies ou portions substantielles du Logiciel. + + LE LOGICIEL EST FOURNI « TEL QUEL », SANS GARANTIE D’AUCUNE SORTE, EXPRESSE OU IMPLICITE, Y COMPRIS, MAIS SANS S’Y LIMITER, AUX GARANTIES DE QUALITÉ MARCHANDE, D’ADÉQUATION À UN USAGE PARTICULIER ET D’ABSENCE DE CONTREFAÇON. EN AUCUN CAS, LES AUTEURS OU LES DÉTENTEURS DES DROITS D’AUTEUR NE POURRONT ÊTRE TENUS RESPONSABLES DE TOUTE RÉCLAMATION, DE TOUT DOMMAGE OU DE TOUTE AUTRE RESPONSABILITÉ, QUE CE SOIT DANS LE CADRE D’UNE ACTION CONTRACTUELLE, DÉLICTUELLE OU AUTRE, DÉCOULANT DU LOGICIEL OU DE L’UTILISATION OU D’AUTRES TRANSACTIONS DU LOGICIEL. \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index f7b89984..c3e6f45b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,41 +1,38 @@ -## Security - -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). - -If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below. - ## Reporting Security Issues - -**Please do not report security vulnerabilities through public GitHub issues.** - -Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report). - -If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc). - -You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). +To report a security issue, email [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca) and include the word "SECURITY" in the subject line. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: - * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) - * Full paths of source file(s) related to the manifestation of the issue - * The location of the affected source code (tag/branch/commit or direct URL) - * Any special configuration required to reproduce the issue - * Step-by-step instructions to reproduce the issue - * Proof-of-concept or exploit code (if possible) - * Impact of the issue, including how an attacker might exploit the issue +- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code [tag/branch/commit or direct Uniform Resource Locator (URL)] +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your issue more quickly. -This information will help us triage your report more quickly. +The Shared Services Canada (SSC) Cloud Security Compliance (CSC) team will send a response indicating the next steps in handling your issue. After the initial reply to your issue, the SSC CSC team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. +________________________________________ +## Signalement des problèmes de sécurité +Pour signaler un problème de sécurité, envoyez un courriel à [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca) et ajoutez le mot « SÉCURITÉ » à la ligne d’objet. -If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs. +Veuillez inclure les informations demandées ci-dessous (dans la mesure où vous pouvez les fournir) pour nous aider à mieux comprendre la nature et l’étendue du problème possible : -## Preferred Languages +- Type de problème (par exemple, débordement de la mémoire tampon, injection SQL, script intersite, etc.) +- Chemins d’accès complets au(x) fichier(s) source(s) associé(s) à la manifestation du problème +- L’emplacement du code source concerné [étiquette/branche/commit ou Localisateur de ressources uniforme (URL) directe] +- Toute configuration spéciale requise pour reproduire le problème +- Instructions étape par étape pour reproduire le problème +- Preuve de concept ou code d’exploitation (si possible) +- Impact du problème, y compris la façon dont un attaquant pourrait exploiter le problème -We prefer all communications to be in English. +Ces informations nous aideront à trier votre problème plus rapidement. -## Policy +L’équipe du Conformité à la sécurité infonuagique (CSI) de Services partagés Canada (SPC) enverra une réponse indiquant les prochaines étapes de la gestion de votre problème. Après la réponse initiale à votre problème, l’équipe CSI de SPC vous tiendra au courant des progrès vers une solution et l’annonce complète, et peut demander des informations ou des conseils supplémentaires. -Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd). \ No newline at end of file diff --git a/SUPPORT.md b/SUPPORT.md index 12fbd833..e4a99062 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -1,41 +1,29 @@ -## Security -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). +The Shared Services Canada (SSC) Cloud Security Compliance (CSC) team is the first point of contact to provide support for the Compliance as Code (CaC) solution. +Cloud Security Compliance (CSC) Incident Management Support -If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below. +- Leads engagement with client. +- Reviews alerts and incidents raised by way of CSC mailbox notifications +- Reviews Compliance as Code reports and processes them accordingly. +- Single point of contact via CSC mailbox, which is monitored daily. -## Reporting Security Issues -**Please do not report security vulnerabilities through public GitHub issues.** +CSC Support Business Hours: (Monday – Friday 8:00 AM – 5:00 PM EST) +Email: [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca) -Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report). +________________________________________________________________________________________________________ -If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc). +L’équipe Conformité à la sécurité infonuagique (CSI) de Services partagés Canada (SPC) est le premier point de contact pour fournir du soutien pour la solution Conformité en tant que code (CC). +Support de la gestion des incidents Conformité à la sécurité infonuagique (CSI) -You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). +- Dirige l’intégration avec le client. +- Examine les alertes et les incidents signalés au moyen des notifications de la boîte aux lettres de CSI. +- Examine les rapports de Conformité en tant que code et les traitent en conséquence. +- Point de contact unique via la boîte aux lettres de CSI, qui est surveillée quotidiennement. -Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: - - * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) - * Full paths of source file(s) related to the manifestation of the issue - * The location of the affected source code (tag/branch/commit or direct URL) - * Any special configuration required to reproduce the issue - * Step-by-step instructions to reproduce the issue - * Proof-of-concept or exploit code (if possible) - * Impact of the issue, including how an attacker might exploit the issue - -This information will help us triage your report more quickly. - -If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs. - -## Preferred Languages - -We prefer all communications to be in English. - -## Policy - -Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd). +Heures d’ouverture du support de CSI : (Lundi – Vendredi 8:00 AM – 5:00 PM HNE) +Courriel : [cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca](mailto:cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca) \ No newline at end of file