CNCF Defender Tasks for devfile/alizer #1392

Closed
3 of 7 tasks
Tracked by #1297
Jdubrick opened this issue Dec 21, 2023 · 6 comments · Fixed by devfile/alizer#50 or devfile/alizer#52
Labels
area/alizer Enhancement or issue related to the alizer repo

Comments

@Jdubrick
Contributor

Jdubrick commented Dec 21, 2023

Which area/kind this issue is related to?

/area alizer

Issue Description

As part of our effort to maintain best practices we have added all of our repositories to the CLO Monitor. This issue aims to resolve the checks needed for our repositories to reach 100% on the monitor.

A list of the checks for each check set can be found here: https://clomonitor.io/docs/topics/checks/

Remaining Items

Security

  • Dependencies Policy
  • Dependency Update Tool
  • Software Bill of Materials (SBOM)
  • Security Insights
  • Security Policy
  • Signed Releases
  • Token Permissions
@openshift-ci openshift-ci bot added the area/alizer label (Enhancement or issue related to the alizer repo) Dec 21, 2023
@Jdubrick Jdubrick mentioned this issue Dec 21, 2023
11 tasks
@Jdubrick
Contributor Author

Jdubrick commented Jan 5, 2024

Defender tasks with the same checklist items were sized as Major with 5 story points. Assigning this the same and moving to backlog.

@thepetk
Contributor

thepetk commented Mar 1, 2024

As discussed, the security policy will be covered after the completion of #1461. We might need to ignore for now the following checks:

  • Software Bill of Materials (SBOM)
  • Signed Releases
  • Token Permissions

@Jdubrick
Contributor Author

Jdubrick commented Mar 1, 2024

As discussed, the security policy will be covered after the completion of #1461. We might need to ignore for now the following checks:

Are these checks being ignored for now, as in leaving them unchecked, or should a discussion be had about exempting them from the checks? Also, would that be relevant for all repos covered under #1297?

@thepetk
Contributor

thepetk commented Mar 1, 2024

As discussed, the security policy will be covered after the completion of #1461. We might need to ignore for now the following checks:

Are these checks being ignored for now, as in leaving them unchecked, or should a discussion be had about exempting them from the checks? Also, would that be relevant for all repos covered under #1297?

I think we can revisit the topic in a future devtools week. So I'd say we can:

  • Close the parent epic and all the child issues when the Dependencies Policy, Dependency Update Tool & Security Insights are covered.
  • Create a new epic for future work around SBOMs, Signed Releases and Token Permissions.
  • The Security Policy Check is included here: Create Security Policy for the Devfiles Org #1461

WDYT?

@Jdubrick
Contributor Author

Jdubrick commented Mar 1, 2024

As discussed, the security policy will be covered after the completion of #1461. We might need to ignore for now the following checks:

  • Software Bill of Materials (SBOM)
  • Signed Releases
  • Token Permissions

Are these checks being ignored for now, as in leaving them unchecked, or should a discussion be had about exempting them from the checks? Also, would that be relevant for all repos covered under #1297?

I think we can revisit the topic in a future devtools week. So I'd say we can:

  • Close the parent epic and all the child issues when the Dependencies Policy, Dependency Update Tool & Security Insights are covered.
  • Create a new epic for future work around SBOMs, Signed Releases and Token Permissions.
  • The Security Policy Check is included here: Create Security Policy for the Devfiles Org #1461

WDYT?

I think that is a good idea. I will create an epic and initial investigation issue for SBOM, Signed Releases and Token Permissions that we can refer to.

@Jdubrick
Contributor Author

Jdubrick commented Mar 1, 2024

Epic created here with initial spike: #1465

cc: @michael-valdron @thepetk

Project status: Done ✅
2 participants