Security Dashboard for hosted applications

[NickCorcoran]

As security tooling becomes more highly integrated into OCP projects, there is a desire to centralize this information to make it more accessible to interested parties.

From the Platform Registry, each application should have a Security Section that includes the following:

• Link(s) to associated github repo(s) with last update status
• Check manifests for static code analysis (i.e. codeQL, SonarX)
• Check manifests for dynamic code analysis (i.e. OWASP Zap)
• Check to see if scanned by Aqua and link for scan results
• Letter score for app security based on having tools in place and results for each project

[NickCorcoran]

Example only - not actual application security posture

[NickCorcoran]

[NickCorcoran]

^ mock-ups above are just an idea

[patricksimonian]

I believe this should be its own microservice not directly coupled to the registry. Also probably built in GO, the registry can represent the front end but queries the security dashboard api -> which in itself is just an aggregator

[ShovelHand]

Just adding for the record that Nick and I have had a meeting about this. Some points: There is a mockup above. Some of these issues may be dependent on the re-write, but I think it makes sense to start looking into them sooner rather than later. There's lots I need to learn about. Some questions at this point are what is user definable, like should the client be configuring the URL to the repo, and what do we do programatically.

[mitovskaol]

@ShovelHand Can you please create tickets for next steps for actually building the Security Dashboard that are independent of the Registtry re-write and can be started without waiting for the re-write work to be completed.

[ShovelHand]

@mitovskaol I sure can! I will make a note to do this first on Monday.