Re: [cncf-sig-security] Vulnerability scanning for CNCF projects
> "Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)?"

We have a graduation requirement around CII badging which requires a security disclosure process, so it's there but not codified formally. We could do that. I think the important thing is that projects also publish advisories in a standard way (like via the GitHub security API).

We should treat the LF tool suite as another option for projects to take advantage of. Already many projects are using Snyk, FOSSA, Whitesource, etc., as listed here: https://github.com/cncf/servicedesk#tools

You can kind of get an SBOM (depending on how you define SBOM ;p) for some of our projects already: https://app.fossa.com/attribution/c189c5b9-fe2c-45f2-ba40-c34c36bab868

I think offering projects more choice is always better, as the landscape changes often in tooling.

On Wed, Nov 18, 2020 at 10:54 AM Emily Fox <themoxiefoxatwork@...> wrote:
--
Chris Aniszczyk (@cra)