Re: [cncf-sig-security] Vulnerability scanning for CNCF projects
Liz, Love this.

As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices. The last few assessments we've begun pushing more for this, as well as responsible disclosure instructions and general security mindedness for project sustainment. This fits in alignment with those efforts. We currently have the assessment process undergoing some updates (held currently for kubecon) and this makes it a great time to potentially include this.

I personally would like to see license dependencies and dependency trees to help push forward in the area of SBOM. I think we should be clear, however, in what our thresholds and terms are in this area. Offhand I can think of the following potentials:

* Listing of vulns in deliverable artifacts
* Listing licensing dependencies
* SBOM
* vulnerability threshold and prioritizing resolution prior to artifact delivery
* vulnerability threshold and prioritizing resolution post artifact delivery

Definitely worth a conversation and follow-ups. Do you have anything in mind that is a must-have from the above, or anything I missed or misunderstood?

~Emily Fox

On Wed, Nov 18, 2020 at 11:41 AM Liz Rice <liz@...> wrote:
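As an added illustration of what a concrete "vulnerability threshold" and "SBOM" requirement from the list above could look like in practice (example code written for this page, not SIG-Security's assessment tooling or any CNCF project's code): the script below reads a constructed, simplified SBOM-like JSON document that carries components with licenses and a list of vulnerability findings, separates findings in shipped components from those in excluded (dev-only) ones, applies an assumed pre-delivery block threshold, and orders what remains into an assumed post-delivery remediation plan. The JSON layout, the severity ranking, the `high` block threshold, the SLA day counts, and all identifiers such as `EXAMPLE-0001` are assumptions chosen for illustration.

```python
"""Threshold gate over an SBOM-style vulnerability list.

Added example for illustration only; the document layout, threshold and
SLA values below are assumptions, not any project's published policy.
"""
import json
from dataclasses import dataclass

# Assumed severity ranking used to compare findings against a threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumed pre-delivery policy: findings at or above this severity in a
# shipped component block delivery of the artifact.
PRE_DELIVERY_BLOCK_AT = "high"

# Assumed post-delivery policy: remediation target in days per severity.
POST_DELIVERY_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample input. "scope": "required" marks components that are
# part of the delivered artifact; "excluded" marks build/dev-only tools.
SAMPLE_SBOM_JSON = """
{
  "components": [
    {"name": "libfoo",  "version": "1.2.3", "scope": "required", "licenses": ["Apache-2.0"]},
    {"name": "devtool", "version": "0.9.0", "scope": "excluded", "licenses": ["MIT"]},
    {"name": "libbar",  "version": "2.0.1", "scope": "required", "licenses": ["GPL-3.0-only"]}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": "libfoo@1.2.3",  "severity": "critical", "fix_available": true},
    {"id": "EXAMPLE-0002", "affects": "devtool@0.9.0", "severity": "high",     "fix_available": true},
    {"id": "EXAMPLE-0003", "affects": "libbar@2.0.1",  "severity": "medium",   "fix_available": false},
    {"id": "EXAMPLE-0004", "affects": "libfoo@1.2.3",  "severity": "low",      "fix_available": false}
  ]
}
"""


@dataclass(frozen=True)
class Finding:
    vuln_id: str         # identifier as reported by the scanner (constructed here)
    component: str       # package name from the SBOM
    version: str
    severity: str        # one of SEVERITY_RANK's keys
    in_artifact: bool    # True if the component ships in the deliverable
    fix_available: bool  # True if a patched version exists


def load_findings(sbom_json: str) -> list:
    """Join the vulnerability list with the component list so each finding
    knows whether it lives in a shipped component."""
    sbom = json.loads(sbom_json)
    shipped = {f"{c['name']}@{c['version']}": c.get("scope") == "required"
               for c in sbom["components"]}
    findings = []
    for v in sbom["vulnerabilities"]:
        name, version = v["affects"].split("@", 1)
        findings.append(Finding(
            vuln_id=v["id"],
            component=name,
            version=version,
            severity=v["severity"].lower(),
            in_artifact=shipped.get(v["affects"], False),
            fix_available=bool(v.get("fix_available", False)),
        ))
    return findings


def pre_delivery_blockers(findings, threshold=PRE_DELIVERY_BLOCK_AT):
    """Findings that must be resolved before the artifact may be delivered:
    only shipped components count, and only at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if f.in_artifact and SEVERITY_RANK[f.severity] >= limit]


def post_delivery_plan(findings, threshold=PRE_DELIVERY_BLOCK_AT):
    """Remaining shipped-component findings ordered for post-delivery work:
    most severe first, then those with a fix already available, then by id.
    Returns (finding, sla_days) pairs."""
    limit = SEVERITY_RANK[threshold]
    remaining = [f for f in findings
                 if f.in_artifact and SEVERITY_RANK[f.severity] < limit]
    remaining.sort(key=lambda f: (-SEVERITY_RANK[f.severity],
                                  not f.fix_available, f.vuln_id))
    return [(f, POST_DELIVERY_SLA_DAYS[f.severity]) for f in remaining]


def licenses_in_artifact(sbom_json: str) -> dict:
    """License listing restricted to components that actually ship."""
    sbom = json.loads(sbom_json)
    return {c["name"]: c.get("licenses", [])
            for c in sbom["components"] if c.get("scope") == "required"}


if __name__ == "__main__":
    found = load_findings(SAMPLE_SBOM_JSON)
    blockers = pre_delivery_blockers(found)
    print("blocks delivery:", [f.vuln_id for f in blockers])
    for f, days in post_delivery_plan(found):
        print(f"post-delivery: {f.vuln_id} ({f.severity}) fix within {days} days")
    print("licenses in artifact:", licenses_in_artifact(SAMPLE_SBOM_JSON))
```

On the sample input, `EXAMPLE-0001` blocks delivery (critical, shipped), `EXAMPLE-0002` does not because `devtool` is excluded from the artifact, and the medium and low findings land in the post-delivery plan with their assumed SLAs. Whether dev-only findings should still be tracked, and where the threshold sits, is exactly the kind of term the message says the assessment needs to spell out.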