Closed: salaxander closed this issue 11 months ago
@salaxander it would be great if you could present Copa at a TAG Security meeting before the next sandbox vote on Sept 12.
cc @PushkarJ
Thanks @nikhita! I'll add it to an upcoming meeting agenda for TAG Security
@salaxander please open a [Presentation] type issue from here: https://github.com/cncf/tag-security/issues/new/choose to request a slot in upcoming meetings.
Hello @nikhita and @PushkarJ ! Just wanted to check in with both of you. We completed the presentation to SIG Security on 08/16, and I was hoping to verify that we're all set for the TOC vote on 09/12.
Thanks!
Recording is here: https://youtu.be/Du7StQBCbbE?si=lwXlOqeINFliwjR8 (starts at 37:40)
@nikhita Please let us know if you are looking for anything else from STAG on this.
/vote-sandbox
@amye has called for a vote on [Sandbox] Copacetic (#41).

The members of the following teams have binding votes:

| Team |
|---|
| @cncf/cncf-toc |

Non-binding votes are also appreciated as a sign of support!

You can cast your vote by reacting to this comment. The following reactions are supported:

| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 7 days. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
/check-vote

So far 36.36% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 4 | 0 | 0 | 7 |

| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2023-09-12 15:59:15.0 +00:00:00 |
| RichiH | In favor | 2023-09-12 23:39:53.0 +00:00:00 |
| rochaporto | In favor | 2023-09-13 6:41:06.0 +00:00:00 |
| kgamanji | In favor | 2023-09-12 16:39:48.0 +00:00:00 |
| @mattfarina | Pending | |
| @justincormack | Pending | |
| @mauilion | Pending | |
| @dzolotusky | Pending | |
| @cathyhongzhang | Pending | |
| @nikhita | Pending | |
| @erinaboyd | Pending | |

Votes can only be checked once a day.
/check-vote

So far 63.64% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 7 | 0 | 0 | 4 |

| User | Vote | Timestamp |
|---|---|---|
| RichiH | In favor | 2023-09-12 23:39:53.0 +00:00:00 |
| justincormack | In favor | 2023-09-13 16:03:04.0 +00:00:00 |
| kgamanji | In favor | 2023-09-12 16:39:48.0 +00:00:00 |
| rochaporto | In favor | 2023-09-13 6:41:06.0 +00:00:00 |
| TheFoxAtWork | In favor | 2023-09-12 15:59:15.0 +00:00:00 |
| mauilion | In favor | 2023-09-13 20:24:12.0 +00:00:00 |
| nikhita | In favor | 2023-09-14 7:55:39.0 +00:00:00 |
| @mattfarina | Pending | |
| @dzolotusky | Pending | |
| @cathyhongzhang | Pending | |
| @erinaboyd | Pending | |

Votes can only be checked once a day.
/check-vote

So far 72.73% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 8 | 0 | 0 | 3 |

| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2023-09-12 15:59:15.0 +00:00:00 |
| justincormack | In favor | 2023-09-13 16:03:04.0 +00:00:00 |
| nikhita | In favor | 2023-09-14 7:55:39.0 +00:00:00 |
| rochaporto | In favor | 2023-09-13 6:41:06.0 +00:00:00 |
| mauilion | In favor | 2023-09-13 20:24:12.0 +00:00:00 |
| dzolotusky | In favor | 2023-09-15 14:03:45.0 +00:00:00 |
| RichiH | In favor | 2023-09-12 23:39:53.0 +00:00:00 |
| kgamanji | In favor | 2023-09-12 16:39:48.0 +00:00:00 |
| @mattfarina | Pending | |
| @cathyhongzhang | Pending | |
| @erinaboyd | Pending | |
The vote passed! 🎉

72.73% of the users with binding vote were in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 8 | 0 | 0 | 3 |

| User | Vote | Timestamp |
|---|---|---|
| @mauilion | In favor | 2023-09-13 20:24:12.0 +00:00:00 |
| @rochaporto | In favor | 2023-09-13 6:41:06.0 +00:00:00 |
| @dzolotusky | In favor | 2023-09-15 14:03:45.0 +00:00:00 |
| @kgamanji | In favor | 2023-09-12 16:39:48.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2023-09-12 15:59:15.0 +00:00:00 |
| @justincormack | In favor | 2023-09-13 16:03:04.0 +00:00:00 |
| @nikhita | In favor | 2023-09-14 7:55:39.0 +00:00:00 |
| @RichiH | In favor | 2023-09-12 23:39:53.0 +00:00:00 |
Hi @salaxander !
Welcome aboard! We're very excited to get you onboarded as a CNCF sandbox project! Here's the link to your onboarding checklist: https://github.com/cncf/toc/issues/1170
Here you can communicate any questions or concerns you might have. Please don't hesitate to reach out, I am always happy to help!
Application contact emails
xandergrzyw@gmail.com seozerca@microsoft.com laevenso@microsoft.com
Project Summary
Copacetic (copa) is a tool for patching security vulnerabilities in containers
Project Description
Copa is a CLI tool written in Go and based on buildkit that can be used to directly patch container images given the vulnerability scanning results from popular tools like Trivy.
Copa provides the ability to patch containers quickly without going upstream for a full rebuild. As the window between vulnerability disclosure and active exploitation continues to narrow, there is a growing operational need to patch critical security vulnerabilities in container images so they can be quickly redeployed into production.
Org repo URL
https://github.com/project-copacetic
Project repo URL
https://github.com/project-copacetic/copacetic
Additional repos
No response
Website URL
https://project-copacetic.github.io/copacetic/website/
Roadmap
https://github.com/project-copacetic/copacetic/issues
Roadmap context
Full roadmap is currently in development, and will be hosted on a GitHub project roadmap board. At the moment we've linked the repo's issues, as that's what we're working off of until the roadmap is finished.
Contributing Guide
https://github.com/project-copacetic/copacetic/blob/main/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/project-copacetic/copacetic/blob/main/CODE_OF_CONDUCT.md
Adopters
No response
Contributing or Sponsoring Org
Microsoft
Maintainers file
https://github.com/project-copacetic/copacetic/blob/main/CODEOWNERS
IP Policy
Trademark and accounts
Why CNCF?
The main reason we are pursuing CNCF membership is the community. The first thing is we think that copa could add value for members of the cloud native community. Aside from that, having a strong user group can help the future success of copa through the development of third party integrations.
Benefit to the Landscape
We believe the core benefit to the landscape is helping users more quickly address security vulnerabilities that show up in their images. There isn't anything quite like Copa in the CNCF landscape today, and as the window between vulnerability disclosure and exploitation closes we think a tool like this could really help users.
Cloud Native 'Fit'
Copa best fits in under the 'Security & Compliance' section in the 'Provisioning' area of the landscape as its primary purpose is addressing security vulnerabilities in container images.
Cloud Native 'Integration'
Copa complements other tools in the container security space by nature of them all targeting different stages of the full lifecycle. While some tools focus on runtime, copa aims to shift security concerns left and integrate into CI/CD pipelines and find and patch vulnerabilities before deployment. Combining this with other tools in the ecosystem could lead to a good holistic vulnerability strategy.
Cloud Native Overlap
We don't think there's any strong overlap with any existing CNCF projects. The closest would be any project incorporating vulnerability scanning, but I don't know of any specific projects targeting patching.
Similar projects
N/A
Product or Service to Project separation
N/A
Project presentations
The project has been presented to the Kubernetes SIG Security Tooling subproject. There is no recording available at the moment, but I will work on getting that and add it to the open issue.
Project champions
Lachie Evenson
Additional information
No response
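As an added illustration of the workflow described under Project Description (not copa's own code, and not taken from the application): a Go sketch of the first step a scan-driven patcher has to perform, reading a Trivy JSON report and separating OS packages that can be upgraded in place from findings that have no fix. The report below is constructed, with placeholder CVE ids; the field names follow Trivy's JSON output, while copa's real handling of the report may differ.

```go
package main

import "encoding/json"

// SampleReport is a constructed, abbreviated Trivy JSON report, not real scan output.
const SampleReport = `{"ArtifactName":"example.invalid/app:1.0","Metadata":{"OS":{"Family":"debian","Name":"12.1"}},
 "Results":[
  {"Class":"os-pkgs","Vulnerabilities":[
    {"VulnerabilityID":"CVE-0000-0001","PkgName":"openssl","InstalledVersion":"3.0.9-1","FixedVersion":"3.0.11-1~deb12u1"},
    {"VulnerabilityID":"CVE-0000-0002","PkgName":"openssl","InstalledVersion":"3.0.9-1","FixedVersion":"3.0.11-1~deb12u1"},
    {"VulnerabilityID":"CVE-0000-0003","PkgName":"zlib1g","InstalledVersion":"1:1.2.13.dfsg-1","FixedVersion":""}]},
  {"Class":"lang-pkgs","Vulnerabilities":[
    {"VulnerabilityID":"CVE-0000-0004","PkgName":"golang.org/x/net","InstalledVersion":"v0.7.0","FixedVersion":"v0.17.0"}]}]}`

// trivyReport is the subset of Trivy's schema needed here; encoding/json matches field names case-insensitively.
type trivyReport struct {
	Metadata struct{ OS struct{ Family, Name string } }
	Results  []struct {
		Class           string
		Vulnerabilities []struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion string }
	}
}

// Fix is one OS package that can be upgraded in place, keyed by package name in PlanPatch's result.
type Fix struct{ Installed, Fixed string }

// PlanPatch returns the scanned distro, the de-duplicated OS packages that have a
// fixed version, and the count of OS findings with no fix. Language-package findings
// ("lang-pkgs") are skipped: upgrading the image's OS packages cannot fix those.
func PlanPatch(report []byte) (distro string, fixes map[string]Fix, unfixable int, err error) {
	var r trivyReport
	if err = json.Unmarshal(report, &r); err != nil {
		return "", nil, 0, err
	}
	fixes = map[string]Fix{}
	for _, res := range r.Results {
		if res.Class != "os-pkgs" {
			continue
		}
		for _, v := range res.Vulnerabilities {
			if v.FixedVersion == "" {
				unfixable++ // no vendor fix yet: needs a different mitigation, not a package upgrade
				continue
			}
			fixes[v.PkgName] = Fix{v.InstalledVersion, v.FixedVersion} // several CVEs, one upgrade
		}
	}
	return r.Metadata.OS.Family + " " + r.Metadata.OS.Name, fixes, unfixable, nil
}
```

The distro string is what decides which package manager the patch step would have to drive; the unfixable count is the part of the report that patching alone cannot close.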