diff --git a/.github/PULL_REQUEST_TEMPLATE/mcp-submission.md b/.github/PULL_REQUEST_TEMPLATE.md similarity index 83% rename from .github/PULL_REQUEST_TEMPLATE/mcp-submission.md rename to .github/PULL_REQUEST_TEMPLATE.md index 13f97dbc..20b22f97 100644 --- a/.github/PULL_REQUEST_TEMPLATE/mcp-submission.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -25,4 +25,5 @@ assignees: "" - [ ] This server meets the basic requirements listed above - [ ] I understand this will undergo automated and manual review. -- [ ] I have tested the MCP Server in Docker Desktop +- [ ] I have tested the MCP Server using `task validate -- --name SERVER_NAME` +- [ ] I have built the MCP Server using `task build -- --tools SERVER_NAME` diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..1b2e15d5 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,36 @@ +# Security Policy + +The maintainers of Docker MCP Registry take security seriously. If you discover +a security issue, please bring it to their attention right away! + +## Reporting a Vulnerability + +Please **DO NOT** file a public issue, instead send your report privately +to [security@docker.com](mailto:security@docker.com). + +Reporter(s) can expect a response within 72 hours, acknowledging the issue was +received. + +## Review Process + +After receiving the report, an initial triage and technical analysis is +performed to confirm the report and determine its scope. We may request +additional information in this stage of the process. + +Once a reviewer has confirmed the relevance of the report, a draft security +advisory will be created on GitHub. The draft advisory will be used to discuss +the issue with maintainers, the reporter(s), and where applicable, other +affected parties under embargo. + +If the vulnerability is accepted, a timeline for developing a patch, public +disclosure, and patch release will be determined. If there is an embargo period +on public disclosure before the patch release, the reporter(s) are expected to +participate in the discussion of the timeline and abide by agreed upon dates +for public disclosure. + +## Accreditation + +Security reports are greatly appreciated and we will publicly thank you, +although we will keep your name confidential if you request it. We also like to +send gifts - if you're into swag, make sure to let us know. We do not currently +offer a paid security bounty program at this time. diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1a03f5ad..c785011c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -8,19 +8,19 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 # Needed for diffing - + - name: Install Go uses: actions/setup-go@v5 with: cache-dependency-path: go.sum go-version-file: go.mod - + - name: Install Task uses: arduino/setup-task@v2 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - + - name: Get changed servers shell: bash run: | @@ -34,10 +34,11 @@ jobs: while IFS= read -r file; do dir=$(dirname "$file") name=$(basename "$dir") + task validate -- --name $name task build -- --tools --pull-community $name echo "--------------------------------" task catalog -- $name echo "--------------------------------" cat catalogs/$name/catalog.yaml echo "--------------------------------" - done < changed-servers.txt \ No newline at end of file + done < changed-servers.txt
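Review bot: In `.github/PULL_REQUEST_TEMPLATE.md`, the rename out of the `PULL_REQUEST_TEMPLATE/` directory makes this file the repository's default template, so the server-submission checklist ("This server meets the basic requirements listed above") will now be pre-filled on every pull request, including ones like this that touch only CI and policy files. Either keep it as an opt-in template under the directory, or add a line telling authors of non-submission PRs to delete the checklist. Separately, the new item `task build -- --tools SERVER_NAME` does not match the CI invocation `task build -- --tools --pull-community $name`; state in the template whether the difference is intentional so that a local build and the CI build are expected to agree.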
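Review bot: In the new `.github/SECURITY.md`, "Reporting a Vulnerability" gives only the mailbox and the 72-hour acknowledgement, while "Review Process" already anticipates "We may request additional information". Say up front what a report should contain (the affected server or file, the commit or version, reproduction steps, expected impact) so triage does not stall on a round trip. Two wording points in the same file: "Please **DO NOT** file a public issue, instead send your report privately" is a comma splice and reads better as two sentences, and "We do not currently offer a paid security bounty program at this time" says the same thing twice, so drop either "currently" or "at this time".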
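Review bot: In the second `.github/workflows/ci.yaml` hunk, the added line `task validate -- --name $name` expands `$name` unquoted, and `name` is computed by `basename "$dir"` from a path read out of `changed-servers.txt`, so its value is a directory name supplied by the pull request. A name containing spaces or glob characters is word-split and expanded by bash into extra arguments to `task`, in a job that also has `secrets.GITHUB_TOKEN` in scope. Quote it as `task validate -- --name "$name"`, and apply the same quoting to the neighbouring `task build`, `task catalog` and `cat catalogs/$name/catalog.yaml` lines, which have the same expansion. Since `validate` now runs first in the loop, it would also be a natural place to reject names outside an expected character set before any other command sees them.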