Re: [cncf-sig-security] Vulnerability scanning for CNCF projects
Eli Nesterov <eli.nesterov@...>
toggle quoted messageShow quoted text
Liz, this is great! Having vulnerability scanning is a good thing, but looking into the results might be too many false positives (as you pointed out) and noise. In my experience, reviewing such a massive amount of data for project owners might take way too much time.
I actually like the idea of the security scorecard https://github.com/ossf/scorecard which covers lots of security best practices and provides lots of actionable feedback along with advice on how to improve using different tools.
On Wed, Nov 18, 2020 at 8:41 AM Liz Rice <liz@...> wrote: