Add new checks to support the 2023 Security Slam #1290
Comments
Thanks @eddie-knight! We could translate this into the following new security checks:
Regarding a new SBOM check: given that CLOMonitor already has a very similar check, instead of creating a new one, we could enrich the existing one and make it possible to pass it with the information available in the security insights manifest. It would be like an alternative, standardized way for projects to pass this check. And we could highlight how the SBOM is created when this information is available in the manifest. This would be an example of what I mentioned before about being able to use the security insights information to improve and enrich existing checks. If this sounds good I think we can have it ready by the end of the week 🙂
Yes, this sounds fantastic- thanks @tegioz!
Closes #1290 Signed-off-by: Sergio Castaño Arteaga <[email protected]>
- OpenSSF Security Insights manifest check
- Security Self-Assessment check
- Dependencies Policy check

Closes #1290
Signed-off-by: Sergio Castaño Arteaga <[email protected]>
I think this is ready @eddie-knight 🙂 As a consequence of adding the new checks, all projects' security scores will get a bit worse over the next day (as repositories are processed again). (screenshot taken from Artifact Hub)
@tegioz This is amazing! How do you feel about moving some of this to the "Documentation" section, considering that they are indirect rather than direct security improvements?
Awesome, glad you like it! 🙂 Regarding moving some of them to the
Considering the great statistics we see when comparing Slam participants to the greater ecosystem over the past year, the Slam organizers solicited input from a temporary committee to determine goals for this year's effort.
The goals created by that committee include the same metric from last year (CLOMonitor Security to 100%) and 4 more goals for projects to optionally pursue in the upcoming Slam event (which begins on 10/10/2023).
To ensure that the new goals can be at least partially evaluated through CLOMonitor, we collaborated with the OpenSSF Security Insights Specification to incorporate several changes into the spec's latest major release.
With these changes, we will be able to use the Security Insights Specification v1.0.0 to automate a fair portion of the new metrics.
Here are all 5 metrics, with added notes regarding how the SI spec will be helpful with each (the last two are just for reference):
- `security-artifacts.self-assessment`: allows for an evidence URL that can be evaluated if provided
- `dependencies.env-dependencies-policy`: allows for a URL to the project's dependency consumption/update policy
- `dependencies.sbom.sbom-creation`: allows users to log a process explanation that can be reviewed manually

Each of the first three metrics above could become a new check under the Documentation category of CLOMonitor checks, and would be executed only for `code` repos. The checks would confirm the presence of the SECURITY-INSIGHTS.yml file, then look for valid contents in the specified values.

This issue is being logged at short notice due to the need for extensive collaboration with the Security Insights community to ensure compatibility with the Slam goals; we only finally got the necessary changes implemented in today's release.
Because of this, I have blocked off time this week to contribute to CLOMonitor to help incorporate the necessary changes if it's something the project maintainers are happy with adding.
Please let me know here or reach out to me on the CNCF Slack to discuss this more.
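The checks proposed in the issue body (confirm the manifest exists, then validate the three metric paths) could be evaluated along the lines of the following added example. This is illustrative code written for this page, not CLOMonitor's own implementation: it takes the manifest already parsed into a dict (what any YAML loader produces) so it runs without a YAML dependency, the sample manifest is constructed, and the exact shape of each value (string vs. list, the `self-assessment-created`, `evidence-url` and `policy-url` sibling keys, and whether `dependencies.sbom` is a mapping or a list of entries) is an assumption about the spec rather than something the issue states.

```python
"""Evaluate the three proposed CLOMonitor checks against a parsed
SECURITY-INSIGHTS.yml. Added example for this page; not CLOMonitor code.

The manifest arrives already parsed (a dict) so no YAML library is needed.
Metric paths follow the issue; the surrounding key names and value shapes
are assumptions about the Security Insights schema.
"""
from dataclasses import dataclass
from typing import Any, List, Optional
from urllib.parse import urlparse

# Constructed manifest standing in for a parsed SECURITY-INSIGHTS.yml.
SAMPLE_MANIFEST = {
    "header": {"schema-version": "1.0.0", "project-url": "https://example.org/proj"},
    "security-artifacts": {
        "self-assessment": {
            "self-assessment-created": True,
            "evidence-url": ["https://example.org/proj/blob/main/SELF-ASSESSMENT.md"],
        }
    },
    "dependencies": {
        "env-dependencies-policy": {
            "policy-url": "https://example.org/proj/blob/main/docs/dependencies.md"
        },
        "sbom": {
            "sbom-creation": "Generated with syft in the release workflow and "
                             "attached to every GitHub release.",
        },
    },
}

CHECK_IDS = ("security_self_assessment", "dependencies_policy", "sbom")


@dataclass
class CheckResult:
    check_id: str
    passed: bool
    details: str


def lookup(manifest: Any, dotted_path: str) -> Optional[Any]:
    """Walk a dotted path such as 'dependencies.sbom.sbom-creation'; None if absent."""
    node = manifest
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_http_url(value: Any) -> bool:
    """Only absolute http(s) URLs count: evidence must be fetchable, not a bare path."""
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_self_assessment(manifest: dict) -> CheckResult:
    node = lookup(manifest, "security-artifacts.self-assessment")
    if not isinstance(node, dict) or node.get("self-assessment-created") is not True:
        return CheckResult(CHECK_IDS[0], False, "no self-assessment declared")
    urls = node.get("evidence-url", [])
    urls = [urls] if isinstance(urls, str) else urls  # accept a single string or a list
    valid = [u for u in urls if is_http_url(u)]
    if not valid:
        return CheckResult(CHECK_IDS[0], False, "no valid evidence URL")
    return CheckResult(CHECK_IDS[0], True, f"evidence: {valid[0]}")


def check_dependencies_policy(manifest: dict) -> CheckResult:
    url = lookup(manifest, "dependencies.env-dependencies-policy.policy-url")
    if not is_http_url(url):
        return CheckResult(CHECK_IDS[1], False, "policy-url missing or not http(s)")
    return CheckResult(CHECK_IDS[1], True, f"policy: {url}")


def check_sbom_creation(manifest: dict) -> CheckResult:
    """Passes when any SBOM entry carries a non-empty creation explanation.
    Handles both a single mapping and a list of entries under dependencies.sbom."""
    node = lookup(manifest, "dependencies.sbom")
    entries = node if isinstance(node, list) else [node]
    for entry in entries:
        text = entry.get("sbom-creation") if isinstance(entry, dict) else None
        if isinstance(text, str) and text.strip():
            return CheckResult(CHECK_IDS[2], True, text.strip())
    return CheckResult(CHECK_IDS[2], False, "no sbom-creation explanation")


def run_checks(manifest: Optional[dict]) -> List[CheckResult]:
    """A missing manifest (None, i.e. no SECURITY-INSIGHTS.yml) fails every check."""
    if manifest is None:
        return [CheckResult(c, False, "SECURITY-INSIGHTS.yml not found") for c in CHECK_IDS]
    return [check_self_assessment(manifest),
            check_dependencies_policy(manifest),
            check_sbom_creation(manifest)]


if __name__ == "__main__":
    for r in run_checks(SAMPLE_MANIFEST):
        print(f"{r.check_id:26} {'PASS' if r.passed else 'FAIL'}  {r.details}")
```

The URL validation is the part worth keeping strict: a relative path or a non-http scheme in `evidence-url` or `policy-url` fails the check rather than passing on mere presence, and the `sbom-creation` text is returned in the result so it can be surfaced in the existing SBOM check as the comment thread suggests.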