[cncf-sig-security] Vulnerability scanning for CNCF projects

Eli Nesterov <eli.nesterov@...>

Liz, this is great! Having vulnerability scanning is a good thing, but looking into the results might be too many false positives (as you pointed out) and noise. In my experience, reviewing such a massive amount of data for project owners might take way too much time.
I actually like the idea of the security scorecard https://github.com/ossf/scorecard which covers lots of security best practices and provides lots of actionable feedback along with advice on how to improve using different tools. 


On Wed, Nov 18, 2020 at 8:41 AM Liz Rice <liz@...> wrote:
Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!