Re: security & CNCF projects

alexis richardson

Yes, please.

To your general point -- I have a view that if Snyk (or similar) offers a free scanning service to CNCF projects, then the community should benefit.  These are completely standard scanning tools used by many.  I am sure external attackers already have this info.  Don't hold it back, there is NO benefit.
On Tue, Feb 16, 2021 at 4:15 PM Chris Aniszczyk <caniszczyk@...> wrote:
That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers should know first before external attackers? Also a lot of these security tools can have false positives and so on that may not reflect reality, so it's a bit of a nuanced topic.

If your project wants access to these security tools or others, feel free to file a SD ticket! https://github.com/cncf/servicedesk#tools - in this case Alexis, I'll have someone on my team reach out and get flux squared away. However, most of these are already free for open source projects so you can readily just adopt them yourselves.

On Tue, Feb 16, 2021 at 9:33 AM Alexis Richardson <alexis@...> wrote:
I see.  Well, I'm not.

This info should be open to all, without any barriers whatsoever.


On Tue, 16 Feb 2021, 15:29 Matt Jarvis, <matt@...> wrote:
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed.

On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris

It would be great if this data was readily accessible. I don't think packing into GH actions provides that, however useful it may be for other purposes.


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io

If you are already using, say, Snyk via GitHub Action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this?

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a

--
Chris Aniszczyk (@cra)