Re: security & CNCF projects
I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For
By Liz Rice · #5673

Re: security & CNCF projects
I understand this is Beta.
I believe all of the CNCF community should have equal access.
By alexis richardson · #5672

Re: security & CNCF projects
Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great
By Chris Aniszczyk · #5671

Re: security & CNCF projects
I strongly disagree Chris, this is a great resource that all should be aware of.
Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own
By alexis richardson · #5670

Re: security & CNCF projects
+1 to what Liz said here, this should be opt-in for project maintainers like any tool
Can we please just leave this as a per project decision as any other tool as we decided last time this came up,
By Chris Aniszczyk · #5669

Re: security & CNCF projects
The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false
By Shubhra Kar · #5668

Re: security & CNCF projects
I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption.
By Liz Rice · #5667

Re: security & CNCF projects
Idea: It would be cool if all CNCF projects had the same metadata for representing "maintainers".
If that was standardized, some tool could ingest and compare against LFIDs.
-- Stephen
By Stephen Augustus · #5666

Re: security & CNCF projects
Essentially we want them to create LFIDs to grant access.
Shubhra
By Shubhra Kar · #5665

Re: security & CNCF projects
Thanks Stephen.
We have granted access to stefan@....
We are unable to find accounts for hidde@... and michael@....
Regards,
Vasu
From: Stephen Augustus
By Vasu Naidu <vnaidu@...> · #5664

Re: security & CNCF projects
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
By Vasu Naidu <vnaidu@...> · #5663

Re: security & CNCF projects
As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF projects.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
By Stephen Augustus · #5662

Re: security & CNCF projects
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (for example, TSCs).
Do you maintain a maintainers.md file or better for us to just scan the
By Shubhra Kar · #5661

Re: security & CNCF projects
Thanks, how do I share these with the flux maintainers and community?
By alexis richardson · #5660

Re: security & CNCF projects
Yes, please.
To your general point -- I have a view that if Snyk (or similar) offers a free scanning service to CNCF projects, then the community should benefit. These are completely standard
By alexis richardson · #5659

Re: security & CNCF projects
Jim,
We are looking into it; let me get back to you with an update.
Regards,
Vasu
---
Sr. Director, Head Of Engineering
Cell: 1.408.420.0404
Slack: @Vasu
From: St Leger, Jim
By Vasu Naidu <vnaidu@...> · #5658

Re: security & CNCF projects
That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers
By Chris Aniszczyk · #5657

Re: security & CNCF projects
I see. Well, I'm not.
This info should be open to all, without any barriers whatsoever.
By alexis richardson · #5656

Re: security & CNCF projects
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed.
By Matt Jarvis · #5655

Re: Agenda for TOC Meeting for 2/16
Apologies - will miss TOC liaison discussion today.
No electricity or water in my area. No/limited cellular. Hoping this message catches a signal before tomorrow’s call.
-Lee
By Lee Calcote · #5654