header:
  schema-version: 2.0.0
  last-updated: '2026-01-15'
  last-reviewed: '2026-01-15'
  url: https://github.com/gemaraproj/gemara
  project-si-source: https://raw.githubusercontent.com/gemaraproj/.github/refs/heads/main/.github/security-insights.yml

repository:
  url: https://github.com/gemaraproj/gemara
  status: active
  accepts-change-request: true
  accepts-automated-change-request: true
  core-team:
    - name: Eddie Knight
      affiliation: Sonatype
      email: knight@linux.com
      primary: false
    - name: Jenn Power
      affiliation: Red Hat
      email: barnabei.jennifer@gmail.com
      primary: true
    - name: Jason Meridth
      affiliation: GitHub
      email: jmeridth@gmail.com
      primary: false
    - name: Travis Truman
      affiliation: Independent
      email: trumant@gmail.com
      primary: false
    - name: Alex Speasmaker
      affiliation: USAA
      email: alex.speasmaker@gmail.com
      primary: false
  documentation:
    contributing-guide: https://github.com/gemaraproj/gemara/blob/main/CONTRIBUTING.md
  license:
    url: https://github.com/gemaraproj/gemara?tab=Apache-2.0-1-ov-file#readme
    expression: Apache-2.0
  security:
    assessments:
      self:
        comment: |
          Self assessment has not yet been completed.
    tools:
      - name: Dependabot
        type: SCA
        version: "2"
        rulesets:
          - built-in
        results:
          adhoc:
            name: Scheduled SCA Scan Results
            predicate-uri: https://docs.github.com/en/graphql/reference/objects#repositoryvulnerabilityalert
            location: https://github.com/gemaraproj/gemara/security/dependabot
            comment: |
              The results of the scheduled SCA scan are available in the Dependabot tab of the Security Insights page.
        integration:
          adhoc: true
          ci: false
          release: false
      - name: CodeQL
        type: SAST
        version: "2.y.z"
        rulesets:
          - go
          - actions
        results:
          adhoc:
            name: Scheduled SAST Results
            predicate-uri: https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/schemas/sarif-schema-2.1.0.json
            location: https://github.com/gemaraproj/gemara/security/code-scanning
            comment: |
              The results of the scheduled SAST scan are available in the Code Scanning tab of the Security Insights page and as an artifact on the scheduled job.
          ci:
            name: CI SAST Results
            predicate-uri: https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/schemas/sarif-schema-2.1.0.json
            location: https://github.com/gemaraproj/gemara/security/code-scanning
            comment: |
              The results of the CI SAST scan are available in the Code Scanning tab of the Security Insights page.
        integration:
          adhoc: true
          ci: true
          release: false