The CNCF Security TAG put together an excellent resource: https://github.com/cncf/tag-security/tree/master/supply-chain-security https://www.cncf.io/blog/2021/05/14/evaluating-your-supply-chain-securi

I hope everyone had an amazing KubeCon + CloudNativeCon! Due to the recent re-licensing of a couple popular permissive projects to AGPL, the CNCF has posted guidance for projects that may be affected:

Please don't send spam to this list again or you will be banned from CNCF messaging systems. You can take advantage of CNCF marketing/online programs here: https://github.com/cncf/foundation/blob/mast

FYI ---------- Forwarded message --------- From: Emily Fox <themoxiefoxatwork@...> Date: Fri, Apr 9, 2021 at 11:20 AM Subject: [cncf-sig-security] Supply Chain Security Paper Open for public com

Hey all, thanks for the candid email here, I know that it can be a challenge as we don't timebox due diligence periods and that sometimes it can be hard to give and take feedback, especially as projec

Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great opt

+1 to what Liz said here, this should be opt-in for project maintainers like any tool Can we please just leave this as a per project decision as any other tool as we decided last time this came up, th

That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers sh

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see

It's https://github.com/docker/distribution They will pick a new org name and so on.

It wasn't in the sandbox, they went straight for incubation: https://github.com/datawire/ambassador I know it can be confusing as they were originally considered a sandbox contribution but decided to

I don't think we have to fully pause everything but it's up to the TOC here, if the TOC is saying "choose another name than IC4EP or something else that wouldn't confuse end users" before we accept th

The problem is the company rebranded to Ambassador also here: https://www.getambassador.io, so the project needs to be renamed to deal with the obvious trademark conflict here. The CNCF is open to wha

Just a reminder about upcoming TOC elections for the GB and end user seats! Feel free to petition your GB and end user member representatives! ---------- Forwarded message --------- From: Amye Scavard

Hey TOC and the wider community, some of our projects have taken advantage of fuzzing (through oss-fuzz and other tools), also we recently funded some fuzzing/audit work for fluentbit to see the impac

Hey all, hope everyone is having a great 2021! At the end of last year, we posted the CNCF annual report covering what we accomplished in 2020: https://www.cncf.io/blog/2020/12/29/2020-cncf-annual-rep

Hey all, we are doing our traditional TOC panel at KubeCon today: https://kccncna20.sched.com/event/f6Z1 Feel free to join us at the tail end of kubecon and if you have any questions, please let us kn

Thanks, this is a discussion point for the TOC but I think the reality will be a roll out in 2021 at some level. Also thank you Arun for pushing me to get this done in time for kubecon :) Please conti

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-white

Let's put it as a discussion item for the next meeting and consider rolling it out in 2021 +Amye Scavarda Perrin