-
To provide better security guarantees and to be able to meet the industry standards on containerized application security, we have to implement continuous Docker image vulnerability scanning.
## Mot…
-
Hello!
I am wondering if you can commit a working package-lock.json to the repo. Committing lockfiles to git is a [best practice](https://stackoverflow.com/a/76058921/802138) and the fact that ther…
-
Over in #33 the suggestion was to add a principle:
> * All software must be developed with security in mind to avoid introducing vulnerabilities across the open source ecosystem.
There I did comme…
-
Welcome to CNCF Project Onboarding!
This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project.
We would like to complete onboarding within o…
-
TL;DR: We need faster image building if we want to use the images in the testing process.
We need unique names and frozen/immutable content for images.
Post opens the discussion to the community t…
-
### `npm audit` is broken for front-end tooling by design
Bad news, but it's true. See [here](https://overreacted.io/npm-audit-broken-by-design/) for a longer explanation.
### If you think you f…
-
The go directive specified here is fouling enterprise Snyk scans on dependent projects.
https://github.com/kubernetes/kubernetes/blob/60c4c2b2521fb454ce69dee737e3eb91a25e0535/staging/src/k8s.io/api…
-
Suggesting a plugin to display a CycloneDX Software Bill of Materials (SBOM) Composition Report. [CycloneDX](https://cyclonedx.org/use-cases/) is a commonly used standard across a number of [too…
-
checks:
- stars > 10
- not archived
- has `package.json`
- has `package-lock.json`
- does not have `yarn.lock`
- does not have `pnpm-lock.yaml`
- `package-lock.json` was updated less than 6 months ago
- is …
-
We need to decide what we want to do w.r.t. licenses for data.
See https://cve.mitre.org/about/termsofuse.html, for instance, for the CVE/NVD terms.
There are a few ways to think about this:
1. we are storin…