Re: Question about action required from SIG-Security for OPA graduation
All we mention in the graduation criteria is "Have completed an independent and third party security audit with results published of similar scope and quality as the following example (including critical vulnerabilities addressed): https://github.com/envoyproxy/envoy#security-audit and all critical vulnerabilities need to be addressed before graduation"
Which OPA has: https://github.com/open-policy-agent/opa#security-audit (they ALSO did an updated security audit for Gatekeeper, which I don't see published yet; maybe Torin can follow up on where this is). What isn't addressed is how recent that security audit should be. Right now that seems to be at TOC discretion, like other things; we could try to codify that you need to have a recent security audit within 2 years.
On Tue, Jul 21, 2020 at 11:53 PM Quinton Hoole <quinton@...> wrote:
Chris Aniszczyk (@cra) | +1-512-961-6719