Kubernetes-Security-Slam-2023 #2274
Comments
/triage accepted
I'd like to tackle Task 7!
Please take a look at the CLOMonitor .yaml PR here: Thank you!
Hey @mrueg @dgrisonnet @rexagod, I want to know whether kube-state-metrics is generating an SBOM as part of the release pipeline. Where do I look for the release pipeline?
I looked into adding the OpenSSF Best Practices badge to the README, but I think a maintainer would need to first request the badge at https://www.bestpractices.dev/
We're currently not generating it. The release process is documented here: https://github.com/kubernetes/kube-state-metrics/blob/main/RELEASE.md. If this is something that can be attached to a GitHub release, it should be triggered by a release being created and ideally execute a GitHub Action that attaches the SBOM.
I think https://github.com/advanced-security/gh-sbom (SBOM generation) coupled with https://github.com/anchore/sbom-action (SBOM pushes) should help accomplish the SBOM workflow.
FYI, appended some open questions to the issue description.
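For reference, here is what a release-triggered SBOM workflow along the lines discussed above could look like. This is an added example, not a workflow from the kube-state-metrics repository; the workflow name, the action version tags, the artifact file name and the use of anchore/sbom-action for both generation and upload are assumptions.

```yaml
# Added example: generate an SPDX SBOM for the released tag and attach it
# to the GitHub release as an asset. Not the project's own workflow; action
# versions and file names are assumptions.
name: release-sbom

on:
  release:
    types: [published]        # runs once a release has been created

permissions:
  contents: write             # required to upload a release asset
  # all other token scopes stay at their read-only defaults

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Build the SBOM from exactly the commit the release points at,
          # not from the default branch.
          ref: ${{ github.event.release.tag_name }}

      - name: Generate SBOM and attach it to the release
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
          artifact-name: kube-state-metrics-${{ github.event.release.tag_name }}.spdx.json
          upload-release-assets: true   # attaches the SBOM to the triggering release

      - name: Sanity-check the generated SBOM
        # Fail the job if the SBOM is empty; an empty document would be
        # attached silently otherwise and gives consumers false assurance.
        run: |
          jq -e '.packages | length > 0' sbom.spdx.json
          jq -r '.name, (.packages | length | tostring) + " packages"' sbom.spdx.json
```

Consumers can then fetch the `.spdx.json` asset alongside the release binaries; reviewing the attached SBOM on the first release that uses the workflow is a good check that the package list matches the Go module graph.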
I think the following tasks are already done:
I think the following tasks are still missing something:
What do you think about publishing the OpenVEX data with the remaining release artifacts? @SD-13, do you mind if I assign "Ensure SBOMs are generated by Kubernetes BOM" (task 3) to me?
@ricardoapl Please feel free to assign it to yourself!
Closing this as it's been almost a year since the security slam happened.
Open tasks for the Kubernetes Security Slam 2023
@puerco
Open questions