Re: security & CNCF projects

Liz Rice

I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears). 

Can we also more clearly flag that this is a work in progress? 


On Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:
Essentially we want them to create LFIDs to grant access.


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.


We have granted access to given access to stefan@....


We are unable to find accounts for hidde@... and michael@... .






From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, holds the aggregate maintainers for CNCF project.


-- Stephen


On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).


Do you maintain a file or better for us to just scan the repos and find the contributors ?

Kind Regards,


Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar



On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community


On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,


You should have access to the security reports of the flux project. Please let me know if you have any questions.






From: St Leger, Jim <>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)




From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects


I'll follow up Alexis on the ticket but it's just white labeled 


If you are already using, say Snyk via github action ( you won't see anything new (which is available for open source projects).


On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all


Has anyone looked at this? 


How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.


Can we have something more open & useful please?







Chris Aniszczyk (@cra)

Join to automatically receive all group messages.