security & CNCF projects
Not on the TOC, so hope it's ok to comment.

I have the same concerns as Liz, quite often metrics are gathered without all factors considered. Take Kubernetes for example, huge code base, huge user base and so many eyes looking to find vulnerabilities, compounded even more by a financial incentive with the bug bounty system. I monitor the HackerOne queue as a PSC member, and they come in thick and fast every day (pleased to say most of them are invalids). This naturally results in a high vulnerability count, but it's not as simple as a high count equals bad project, it just means more have been discovered, not necessarily produced.

I am also sceptical of using code scanners to assess the security posture of a project, great tools to use, but they do get it wrong and unless the false positives are constantly pruned out, they will make a project look much worse than it is. I can say this even after maintaining an OSS scanner project that hits around 100k downloads a week [0]

On Wed, Feb 17, 2021 at 10:05 AM Liz Rice <liz@...> wrote:
I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For example, here's the front page result for Kubernetes, which makes it look incredibly bad:

It's pretty hard to tell, but I think this is telling me that the latest release of Kubernetes has 9 high sev vulns, not 261

These pretty graphs are pointless if they don't convey useful information. IMO, the most useful result for an end user is whether the current release has vulnerabilities. What maintainers need to see is what vulnerabilities exist in the currently-supported set of releases, plus the main branch. Neither of these are currently easy to access, as presented.

Liz

On Tue, Feb 16, 2021 at 7:38 PM Alexis Richardson <alexis@...> wrote:

I understand this is Beta

I believe all of the CNCF community should have equal access.

On Tue, 16 Feb 2021 at 19:25, Chris Aniszczyk <caniszczyk@...> wrote:

Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always. We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.

To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling are built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning

The LFX Security work is still in "beta" and a work in progress so keep that in mind.

On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:

I strongly disagree Chris, this is a great resource that all should be aware of.

Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own scans too

On Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:

+1 to what Liz said here, this should be opt-in for project maintainers like any tool

Can we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussion

Thanks!

On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:

The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).

We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a "regex" filter to maintainers to eliminate FPs globally as well.

Shubhra

On Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:

I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears).

Can we also more clearly flag that this is a work in progress?

Thanks,
Liz

On Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:

Essentially we want them to create LFIDs to grant access.

Shubhra

On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.
We have granted access to stefan@....
We are unable to find accounts for hidde@... and michael@... .
Regards,
Vasu
From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).
Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors?
Kind Regards,
Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar
On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community
On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
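The two complaints in this thread, that a front-page count sums every finding ever recorded over an arbitrary window, and that un-pruned false positives inflate it further, are easy to make concrete. The Python below is an added example, not code from the thread, from Snyk or from LFX Security; it contrasts the cumulative figure a dashboard graph shows with the per-release view Liz asks for (open findings in each supported release plus main), and it honours a maintainer's "dismissed as false positive" flag. The findings, release numbers and support window are constructed sample data and are not real Kubernetes advisories.

```python
"""Cumulative scanner count vs. open findings per supported release.

Added example, not code from the cncf-toc thread, Snyk or LFX Security.
All findings, versions and the support window below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[float, ...]


@dataclass(frozen=True)
class Finding:
    finding_id: str                 # placeholder id, not a real advisory id
    severity: str                   # "high", "medium" or "low"
    introduced: Tuple[int, ...]     # first affected release, e.g. (1, 12)
    fixed: Optional[Tuple[int, ...]]  # first release carrying the fix; None = unfixed
    dismissed: bool = False         # maintainer triaged it as a false positive


def parse_version(text: str) -> Version:
    """'v1.20' / '1.20.3' -> (1, 20) / (1, 20, 3); 'main' sorts above every release."""
    if text == "main":
        return (float("inf"),)
    return tuple(int(part) for part in text.lstrip("v").split("."))


def affects(finding: Finding, version: Version) -> bool:
    """A release is affected if it is at or past the introducing release and
    before the fixing release. main (inf) is therefore hit only by unfixed findings."""
    if finding.introduced > version:
        return False
    return finding.fixed is None or version < finding.fixed


def cumulative_count(findings: Iterable[Finding], severity: str) -> int:
    """What a front-page graph shows: every finding ever recorded, fixed or not,
    false positive or not."""
    return sum(1 for f in findings if f.severity == severity)


def open_in(findings: Iterable[Finding], version_text: str, severity: str) -> int:
    """What a user of one release needs: unfixed, non-dismissed findings that affect it."""
    version = parse_version(version_text)
    return sum(
        1 for f in findings
        if f.severity == severity and not f.dismissed and affects(f, version)
    )


def release_report(findings: Iterable[Finding], supported: List[str],
                   severity: str = "high") -> Dict[str, int]:
    """Open findings of one severity for each supported release plus main."""
    findings = list(findings)
    return {v: open_in(findings, v, severity) for v in [*supported, "main"]}


# Constructed sample data: five "high" findings of which one is fixed long ago,
# two are fixed within the support window, one is unfixed and one is a
# dismissed false positive, plus one "medium" finding.
SUPPORTED = ["v1.18", "v1.19", "v1.20"]
SAMPLE_FINDINGS = [
    Finding("F-001", "high", (1, 10), (1, 11)),
    Finding("F-002", "high", (1, 12), (1, 19)),
    Finding("F-003", "high", (1, 19), (1, 20)),
    Finding("F-004", "high", (1, 15), None),
    Finding("F-005", "high", (1, 20), None, dismissed=True),
    Finding("F-006", "medium", (1, 18), None),
]

if __name__ == "__main__":
    print("cumulative high:", cumulative_count(SAMPLE_FINDINGS, "high"))
    print("open high per release:", release_report(SAMPLE_FINDINGS, SUPPORTED))
```

With the sample data the cumulative figure is 5 high findings, while the per-release view reports 2 for v1.18, 2 for v1.19, 1 for v1.20 and 1 on main; the dismissed finding drops out of the release view entirely, and main carries only what is still unfixed, which is the same gap between 261 and 9 that the thread describes.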
I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For example, here's the front page result for Kubernetes, which makes it look incredibly bad:It's pretty hard to tell, but I think this is telling me that the latest release of Kubernetes has 9 high sev vulns, not 261These pretty graphs are pointless if they don't convey useful information. IMO, the most useful result for an end user is whether the current release has vulnerabilities. What maintainers need to see is what vulnerabilities exist in the currently-supported set of releases, plus the main branch. Neither of these are currently easy to access, as presented.LizOn Tue, Feb 16, 2021 at 7:38 PM Alexis Richardson <alexis@...> wrote:I understand this is BetaI believe all of the CNCF community should have equal access.On Tue, 16 Feb 2021 at 19:25, Chris Aniszczyk <caniszczyk@...> wrote:Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always. We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling is built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
The LFX Security work is still in "beta" and a work in progress so keep that in mind.On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:I strongly disagree Chris, this is a great resource that all should be aware of.Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own scans tooOn Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:+1 to what Liz said here, this should be opt-in for project maintainers like any toolCan we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussionThanks!On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a "regex" filter to maintainers to eliminate FPs globally as well.ShubhraOn Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears).Can we also more clearly flag that this is a work in progress?Thanks,LizOn Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:Essentially we want them to create LFIDs to grant access.ShubhraOn Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:Thanks Stephen.
We have granted access to given access to stefan@....
We are unable to find accounts for hidde@... and michael@... .
Regards,
Vasu
From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projectsAs I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).
Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?
Kind Regards,
Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar
On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community
On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
--Chris Aniszczyk (@cra)--Chris Aniszczyk (@cra)
I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For example, here's the front page result for Kubernetes, which makes it look incredibly bad:It's pretty hard to tell, but I think this is telling me that the latest release of Kubernetes has 9 high sev vulns, not 261These pretty graphs are pointless if they don't convey useful information. IMO, the most useful result for an end user is whether the current release has vulnerabilities. What maintainers need to see is what vulnerabilities exist in the currently-supported set of releases, plus the main branch. Neither of these are currently easy to access, as presented.LizOn Tue, Feb 16, 2021 at 7:38 PM Alexis Richardson <alexis@...> wrote:I understand this is BetaI believe all of the CNCF community should have equal access.On Tue, 16 Feb 2021 at 19:25, Chris Aniszczyk <caniszczyk@...> wrote:Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always. We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling is built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
The LFX Security work is still in "beta" and a work in progress so keep that in mind.On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:I strongly disagree Chris, this is a great resource that all should be aware of.Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own scans tooOn Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:+1 to what Liz said here, this should be opt-in for project maintainers like any toolCan we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussionThanks!On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a "regex" filter to maintainers to eliminate FPs globally as well.ShubhraOn Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears).Can we also more clearly flag that this is a work in progress?Thanks,LizOn Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:Essentially we want them to create LFIDs to grant access.ShubhraOn Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:Thanks Stephen.
We have granted access to given access to stefan@....
We are unable to find accounts for hidde@... and michael@... .
Regards,
Vasu
From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projectsAs I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).
Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?
Kind Regards,
Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar
On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community
On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
--Chris Aniszczyk (@cra)--Chris Aniszczyk (@cra)
I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For example, here's the front page result for Kubernetes, which makes it look incredibly bad:
I understand this is BetaI believe all of the CNCF community should have equal access.On Tue, 16 Feb 2021 at 19:25, Chris Aniszczyk <caniszczyk@...> wrote:Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always. We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling is built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
The LFX Security work is still in "beta" and a work in progress so keep that in mind.On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:I strongly disagree Chris, this is a great resource that all should be aware of.Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own scans tooOn Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:+1 to what Liz said here, this should be opt-in for project maintainers like any toolCan we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussionThanks!On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a "regex" filter to maintainers to eliminate FPs globally as well.ShubhraOn Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears).Can we also more clearly flag that this is a work in progress?Thanks,LizOn Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:Essentially we want them to create LFIDs to grant access.ShubhraOn Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:Thanks Stephen.
We have granted access to given access to stefan@....
We are unable to find accounts for hidde@... and michael@... .
Regards,
Vasu
From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projectsAs I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).
Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?
Kind Regards,
Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar
On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community
On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
--Chris Aniszczyk (@cra)--Chris Aniszczyk (@cra)
Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always. We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling is built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
The LFX Security work is still in "beta" and a work in progress so keep that in mind.On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:I strongly disagree Chris, this is a great resource that all should be aware of.Now that we don’t have FPs, can we just publish the data? Please do not assume that end users will not run their own scans tooOn Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:+1 to what Liz said here, this should be opt-in for project maintainers like any toolCan we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussionThanks!On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a "regex" filter to maintainers to eliminate FPs globally as well.ShubhraOn Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears).Can we also more clearly flag that this is a work in progress?Thanks,LizOn Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:Essentially we want them to create LFIDs to grant access.ShubhraOn Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:Thanks Stephen.
We have granted access to given access to stefan@....
We are unable to find accounts for hidde@... and michael@... .
Regards,
Vasu
From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projectsAs I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.
For flux, specifically: https://github.com/fluxcd/flux/blob/master/MAINTAINERS
-- Stephen
On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).
Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?
Kind Regards,
Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar
On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community
On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects
+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say, Snyk via GitHub Action (https://github.com/snyk/actions/tree/master/golang), you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
Hi Alexis,
You should have access to the security reports of the flux project. Please let me know if you have any questions.
https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details
Regards,
Vasu
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim
From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
That depends on your viewpoint; the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers should know first before external attackers? Also a lot of these security tools can have false positives and so on that may not reflect reality, so it's a bit of a nuanced topic.
If your project wants access to these security tools or others, feel free to file an SD ticket! https://github.com/cncf/servicedesk#tools - in this case Alexis, I'll have someone on my team reach out and get flux squared away. However, most of these are already free for open source projects so you can readily just adopt them yourselves.
On Tue, Feb 16, 2021 at 9:33 AM Alexis Richardson <alexis@...> wrote:
I see. Well, I'm not.
This info should be open to all, without any barriers whatsoever
On Tue, 16 Feb 2021, 15:29 Matt Jarvis, <matt@...> wrote:
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed.
On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris
It would be great if this data was readily accessible. I don't think packing into GH actions provides that, however useful it may be for other purposes
On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io
If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).
On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all
Has anyone looked at this?
How do we see project data? I wanted to take a look at flux. I had to create a login. Then, I had to "request" a view, which turned out to mean filing a JIRA ticket. Since then, tumbleweed.
Can we have something more open & useful please?
a
--
Chris Aniszczyk (@cra)
Jim,
We are looking into it; let me get back to you with an update.
From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects
+ Pranab and Vasu (product/eng leads on LFX I believe.)
Jim