+1

This is a great initiative that also sends a message that security is part of the core functionality. Few suggestions: If we can ensure CNCF projects follow Container Image authoring best practices,

I'd be happy to join and help here. HUGE DISCLAIMER. I work at Snyk, which is the service powering the scans. I'm also a maintainer of Conftest as part of the Open Policy Agent project and know a

Liz, this is great! Having vulnerability scanning is a good thing, but looking into the results might be too many false positives (as you pointed out) and noise. In my experience, reviewing such a

This is awesome ! Well done folks ...

Buildpacks has been approved to move to incubation. (https://lists.cncf.io/g/cncf-toc/message/5385) +1 Binding 9/11 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5392 Sheng Liang:

Thanks to everyone who worked so hard on this. Congratulations on shipping it, it will be very helpful. Justin

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security:

Let's put it as a discussion item for the next meeting and consider rolling it out in 2021 +Amye Scavarda Perrin -- Chris Aniszczyk (@cra)

" Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)?" We have a graduation requirement around CII badging which

Liz, Love this. As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices. The last few assessments we've begun pushing more for

Hi TOC and SIG Security folks On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF)

Thanks Chris. We could also require it for TOC members & SIG chairs too

Thanks! Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570 We can discuss at the next TOC meeting to vote/finalize the changes, but I think

Hi, Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 It's actionable and insightful, +1 to make it mandatory. BTW, direct training

+1 NB

+1 -- Romaric Philogène CEO & Co-founder | Qovery Backed by Techstars Check out our Demo Day Phone : +33 601 226 575 Email : romaric@... Address : 128 rue la Boétie, 75008 Paris - France

+1 binding

I’d like to see all project maintainers taking this at all maturity levels Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically

+1 NB