-
Notifications
You must be signed in to change notification settings - Fork 534
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Guidance for projects on evaluation and tracking security dependencies #155
Comments
Taking a cue from Ash's OPA write up he mentions the CII badge framework so I posted a "worksheet" in #153 (comment) They don't explicitly talk of dependencies until the "beyond basics" level: I added it - and the other Silver level items - to the worksheet. |
This issue has been automatically marked as inactive because it has not had recent activity. |
FYI this is an issue we are planning on putting a considerable amount of effort into within Envoy. See envoyproxy/envoy#10471 for more information and discussion. From my perspective there is a lot of overlap between what we need to do for Envoy and what other projects also need, so it would be a shame to duplicate effort. Is this worth a chat in one of the SIG meetings? cc @htuch @justincormack |
Yes I think it would be a good discussion topic, with the aim of trying to set up a useful outcome for projects eg guidelines, working group, amendments for CII or whatever seems most useful. |
Please count me in on any meeting here. We are likely to formulate an Envoy-side policy as a starting point, but would like to ensure it has alignment with best practices across CNCF. Our main focus is in the C++ dependency space and establishing a consistent set of guidelines for when it is reasonable to add an additional dependency to Envoy. We are also interested in tooling that can allow us to propagate dependency information to determine the security posture of Envoy components such as extensions. |
@mlieberman85 is currently reevaluating this proposal as part of the supply chain security workgroup |
Will write something a bit more extensive up later but the gist of what some folks have been asking for is:
|
The scope of this proposal has been subsumed by the charter of the TAG's Supply Chain working group, and it's captured as an active effort that they are driving towards to. We'll close this proposal as this is now acted upon the workgroup's active efforts. |
This has come up in discussions in meetings about whether we might help projects through the assessment process by recommending best practices or common techniques for projects to consider, evaluate and track security of their dependencies
@lumjjb comment
The text was updated successfully, but these errors were encountered: