Spike: Investigate CNCF Security Slam #1292

Closed
1 task done
maysunfaisal opened this issue Oct 17, 2023 · 4 comments
Labels
area/api Enhancement or issue related to the api/devfile specification area/library Common devfile library for interacting with devfiles area/registry Devfile registry for stacks and infrastructure kind/user-story User story for new enhancement

Comments

@maysunfaisal
Member

maysunfaisal commented Oct 17, 2023

/kind user-story

Which area this user story is related to?

/area api
/area library
/area registry

User Story

This Spike story is used to investigate the estimated time required for the CNCF work on Security Slam.

Acceptance Criteria

  • Estimate how much time CNCF Security Slam will take for Mechanizer, Defender and Cleaner.
@maysunfaisal maysunfaisal self-assigned this Oct 17, 2023
@openshift-ci openshift-ci bot added kind/user-story User story for new enhancement area/api Enhancement or issue related to the api/devfile specification area/library Common devfile library for interacting with devfiles area/registry Devfile registry for stacks and infrastructure labels Oct 17, 2023
@maysunfaisal maysunfaisal moved this to In Progress 🚧 in Devfile Project Oct 17, 2023
@maysunfaisal
Member Author

maysunfaisal commented Oct 18, 2023

Defender Badge

Requirements - #1283

TODO

  • Each project repo is accounted for within CLOMonitor (Need to update clomonitor repo for other repos in the devfile project)
  • Ensure proper check set is assigned to each project repo (List of check here and current assignment here)
  • Bring security score to 100% for the project (To see a list of the Security related check runs that are available for each checks - refer doc and what action they entail refer doc)

Estimated Time: Variable as there are a lot of checks, but for a best attempt before the deadline, 2-3 weeks

@maysunfaisal
Member Author

maysunfaisal commented Oct 18, 2023

Cleaner Badge

Requirements - #1283

TODO

  • Bring all CLOMonitor non-security scores to 100% for the project like Best Practices, Documentation, License, Legal (List of check here and current assignment here)

Estimated Time: Variable as there are a lot of checks, but for a best attempt before the deadline, 1-2 weeks

@maysunfaisal maysunfaisal moved this from In Progress 🚧 to In Review 👀 in Devfile Project Oct 18, 2023
@kim-tsao
Contributor

kim-tsao commented Oct 18, 2023

The Mechanizer Badge

Requirements - #1283

To satisfy this requirement, we need to have an automated mechanism to publish our SBOMs upon every release. The problem is, our release process is on demand and because it's infrequent, we've been content with just running our scripts manually.

The webinar mentioned goreleaser, which automates the release process and can generate SBOMs. This looks interesting and it is something we should look into since there is the potential it can be adopted by our other repos. We can refer to this example, which uses goreleaser.

TODO

  • Investigate goreleaser as a replacement for our manual release process
  • adopt goreleaser if it's a viable option

I've considered other alternatives like using one of the recommended SBOM generator tools to generate and upload an artifact in our CI workflow, but this is not tied to our release process. We may need to manually download the artifact and drop it whenever we cut a release, so I don't think it will satisfy the badge requirements.

Estimated Time: ~3-4 weeks (assuming everything is straightforward with the investigation)

Edit: I just thought of another approach. We can consider keeping the existing release process and just integrating the SBOM generation. Since we are using the hub CLI to create the release, we need to figure out if there's a command to upload the generated artifact. This could cut down the time to 1-2 weeks.

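For reference, the mechanism the comment above describes (SBOM generated and attached to every release as part of the release pipeline itself, rather than as a detached CI artifact) looks like this in a goreleaser configuration. This is an added example, not the devfile project's own `.goreleaser.yaml` and not the example linked from the webinar. Assumptions: goreleaser v2, `syft` available on PATH in the release job, a Go module whose entrypoint is `./cmd/example`, and a `GITHUB_TOKEN` with permission to write release assets exported in the environment.

```yaml
# Added example .goreleaser.yaml, not the devfile project's own configuration.
# Assumptions: goreleaser v2, syft on PATH, entrypoint at ./cmd/example,
# GITHUB_TOKEN exported by the CI job that runs `goreleaser release`.
version: 2

project_name: example   # assumption: replace with the repository's project name

builds:
  - id: example
    main: ./cmd/example  # assumption: path to the package with func main()
    env:
      - CGO_ENABLED=0    # static binaries; no host libc dependency
    goos: [linux, darwin, windows]
    goarch: [amd64, arm64]
    flags:
      - -trimpath        # reproducible paths inside the binary

checksum:
  name_template: checksums.txt
  algorithm: sha256

# One SBOM per release archive. goreleaser runs the configured tool once
# per archive and uploads the resulting document next to the archive it
# describes, so the SBOM is published on every release with no manual step.
sboms:
  - id: archive-sbom
    artifacts: archive
    documents:
      - "{{ .ArtifactName }}.spdx.sbom.json"
    cmd: syft
    args: ["$artifact", "--output", "spdx-json=$document"]

release:
  draft: false
  prerelease: auto   # mark releases from pre-release tags (e.g. v2.0.0-rc1) as such
  mode: replace      # re-running the release job for the same tag replaces the assets
```

Validate the file with `goreleaser check` before wiring it into a tag-triggered workflow, and run `goreleaser release --clean` from that workflow on each pushed tag. Because the SBOM is produced from the exact archive that is being uploaded, the document matches the shipped artifact by construction, which is the property the badge is after; a separately generated CI artifact dropped onto the release by hand cannot guarantee that.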
@maysunfaisal
Member Author

The EPIC #1299 along with its User Stories have been opened following the Spike investigation.

cc @kim-tsao

@github-project-automation github-project-automation bot moved this from In Review 👀 to Done ✅ in Devfile Project Oct 20, 2023