Re: Vulnerability scanning for CNCF projects
toggle quoted message Show quoted text
If this group is interested, my team would love to present the capabilities and limitations alike of the LFX security tool project. We are working on items like creating a SBOM policy management, adding support for scanning build systems and container images next. Secrets management and static analysis are longer term roadmap items.
Top challenges we need to solve collectively relatively quickly:
1. The tool provides capability to turn on/off dev dependencies, need the group to identify if we need to do that and which dev dependencies in particular. Project maintainers are probably the best equipped to determine this list.
2. A project is usually spread over multiple orgs and repo combinations. Some repos don't have a manifest file, which LFX needs in order to scan. A best practice would be to ensure there is consistent manifest creation.
Shubhra KarCTO and GM of Products and IT
On Wed, Nov 18, 2020 at 8:41 AM Liz Rice <liz@...> wrote: