Kubernetes-Security-Slam-2023 #2274

Closed
5 of 14 tasks
SD-13 opened this issue Dec 15, 2023 · 11 comments
Assignees
Labels
triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@SD-13

SD-13 commented Dec 15, 2023

Open tasks for the Kubernetes Security Slam 2023

@puerco


Open questions

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Dec 15, 2023
@mrueg
Member

mrueg commented Dec 15, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 15, 2023
@jescalada

I'd like to tackle Task 7!

@jescalada

Please take a look at the CLOMonitor .yaml PR here:
cncf/clomonitor#1380

Thank you!

@SD-13
Author

SD-13 commented Dec 15, 2023

Hey @mrueg @dgrisonnet @rexagod I want to know whether kube-state-metrics is generating SBOM as part of the release pipeline. Where to look for the release pipeline?

@dalehenries
Contributor

I looked into adding the OpenSSF Best Practices badge to the README, but I think a maintainer would need to first request the badge at https://www.bestpractices.dev/

@mrueg
Member

mrueg commented Dec 15, 2023

Hey @mrueg @dgrisonnet @rexagod I want to know whether kube-state-metrics is generating SBOM as part of the release pipeline. Where to look for the release pipeline?

We're currently not generating it. The release process is documented here: https://github.com/kubernetes/kube-state-metrics/blob/main/RELEASE.md If this is something that can be attached to a GitHub release, it should be triggered by a release creation and ideally execute a GitHub Action that attaches the SBOM.

@rexagod
Member

rexagod commented Dec 16, 2023

I think https://github.com/advanced-security/gh-sbom (SBOM generation) coupled with https://github.com/anchore/sbom-action (SBOM pushes) should help accomplish the SBOM workflow.

@rexagod
Member

rexagod commented Dec 16, 2023

FYI: appended some open questions to the issue description.

@ricardoapl
Member

I think the following tasks are already done:

  • Check for Binary Artifacts (task 8) (no binaries found in the repo)
  • Review the code review (task 9) (all changesets reviewed)
  • Dangerous Workflow (task 10) (no dangerous workflow patterns detected)
  • Dependency update tool (task 13) (update tool detected, dependabot)

I think the following tasks are still missing something:

  • Token Permissions (task 16)

[Screenshot 2024-04-24 at 09-41-32: Kube State Metrics]

What do you think about publishing the OpenVEX data with the remaining release artifacts?

@SD-13 do you mind if I assign Ensure SBOMs are generated by Kubernetes BOM (task 3) to me?
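The release-triggered SBOM workflow mrueg and rexagod describe, combined with the least-privilege `permissions` block that the Scorecard Token Permissions check (task 16) looks for, as an added example; this is not kube-state-metrics' own workflow, and the file name, action versions, output format and artifact name are assumptions:

```yaml
# .github/workflows/sbom.yml (assumed path; added example, not the project's workflow)
name: Release SBOM

on:
  release:
    types: [published]   # run only when a release is published, as mrueg suggested

# Workflow-level default: no token permissions at all.
# Each job then requests only what it needs (Scorecard "Token Permissions").
permissions: {}

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write    # required to attach the SBOM to the release assets
    steps:
      # Pin both actions to a full commit SHA in production
      # (Scorecard "Pinned-Dependencies"); version tags are used here for readability.
      - uses: actions/checkout@v4

      # anchore/sbom-action scans the checked-out Go module tree with syft and,
      # because the trigger is a release event, uploads the result as a release asset.
      - name: Generate and attach SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json                                    # assumed format
          artifact-name: kube-state-metrics-${{ github.event.release.tag_name }}.spdx.json
          upload-release-assets: true
```

A reviewer can confirm the token scope from the run log, which prints the effective `GITHUB_TOKEN` permissions at the start of each job.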

@SD-13
Author

SD-13 commented Apr 24, 2024

@ricardoapl Please feel free to assign it to yourself!

@mrueg
Member

mrueg commented Nov 8, 2024

Closing this as it's almost a year since the security slam happened.

@mrueg mrueg closed this as completed Nov 8, 2024

8 participants