cncf / sandbox

Applications for Sandbox go here! ⏳📦🧪
Apache License 2.0

[Sandbox] Ratify #96

Closed FeynmanZhou closed 2 months ago

FeynmanZhou commented 7 months ago

Application contact emails

feynmanzhou@microsoft.com, yizha1@microsoft.com, luisdlp@microsoft.com, sajaya@microsoft.com

Project Summary

A verification engine on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies you create.

Project Description

Ratify is a workflow engine that coordinates the verification of different supply chain objects for an image as per a given policy. It is a verification framework that can use and coordinate any number of custom verifiers for things like signatures, SBoMs, vulnerability scan results, attestations, and so on. Ratify aggregates the results of these independent verifiers using a policy. This aggregated result can be used to make decisions in the admission controllers.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/deislabs (We are transferring Ratify to a new org https://github.com/ratify-project)

Project repo URL in scope of application

https://github.com/deislabs/ratify

Additional repos in scope of the application

https://github.com/deislabs/ratify-web

Website URL

https://ratify.dev/

Roadmap

https://github.com/deislabs/ratify/blob/staging/ROADMAP.md

Roadmap context

No response

Contributing Guide

https://github.com/deislabs/ratify/blob/staging/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/deislabs/ratify/blob/staging/CODE_OF_CONDUCT.md

Adopters

https://github.com/deislabs/ratify/blob/staging/ADOPTERS.md

Contributing or Sponsoring Org

Microsoft

Maintainers file

https://github.com/deislabs/ratify/blob/staging/MAINTAINERS

IP Policy

Trademark and accounts

Why CNCF?

Ratify is an open and extensible verification framework for container images and other artifacts that can examine and use custom policies that users create to approve deployments in Kubernetes. We believe CNCF is a neutral home for Ratify because it has a flourishing and active community that can help the future success of Ratify through the development of third-party integrations.

Benefit to the Landscape

Ratify's mission is to safeguard the container supply chain by ratifying trustworthy and compliant container images and other software artifacts. As an open framework in the CNCF security & compliance area, Ratify is designed with different interface models to allow for its integration at different stages of the container secure supply chain. Ratify has already collaborated and integrated with some CNCF projects and provides joint solutions to CNCF ecosystem users.

Cloud Native 'Fit'

Ratify enables users to verify artifact security metadata (signatures and attestations including vulnerability reports, SBOM, provenance data, and VEX documents) prior to deployment in Kubernetes clusters and admit for deployment only those that comply with an admission policy that users create.

With Ratify, cloud-native workloads can be verified on deployment, eventually increasing the security posture of cloud-native ecosystem users.

Cloud Native 'Integration'

Notary Project, OPA Gatekeeper, Trivy (non-CNCF), ORAS, Sigstore Cosign (OpenSSF)

Cloud Native Overlap

To our knowledge, there isn't any direct overlap with other CNCF projects today.

Similar projects

Connaisseur, Kyverno

Landscape

We will create a PR to add Ratify to the CNCF Landscape in April.

Business Product or Service to Project separation

Azure Kubernetes Service has developed a managed addon based on the Ratify project for customers. The development and roadmap of the open-source project and the managed addon have always remained entirely separate, and that will continue to be true going forward.

In addition, Venafi CodeSigning and AWS Signer have related managed services that support Ratify as a verification engine.

Project presentations

We finished a presentation in TAG Security on Apr 24. Here is the Ratify slide deck that we used: CNCF TAG Security Presentation - Ratify.pdf

Project champions

@lachie83

Additional information

No response
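The project description above sketches the core loop of such an engine: run a set of independent verifiers against an artifact and fold their results into one admission decision under a policy. The following is an added illustration written for this page in Go (Ratify's implementation language); it is not Ratify's own code, and the `Verifier` interface, the `AllPass`/`AnyPass` policy modes, the sample digests and the trusted-identity and SBOM tables are all constructed assumptions.

```go
package main

import "fmt"

// Result is what one independent verifier reports for an artifact (illustrative type).
type Result struct {
	Passed  bool
	Message string
}

// Verifier is the pluggable check the engine coordinates: signature, SBOM,
// vulnerability scan, attestation, and so on. Hypothetical interface.
type Verifier interface {
	Name() string
	Verify(artifact string) Result
}

// PolicyMode decides how independent results are folded together.
// AllPass requires every verifier to succeed; AnyPass admits if at least one does.
type PolicyMode int

const (
	AllPass PolicyMode = iota
	AnyPass
)

// Decision is the aggregated outcome an admission controller would consume.
type Decision struct {
	Artifact string
	Admit    bool
	Reasons  []string // one line per verifier, useful for audit logging
}

// Engine runs the configured verifiers and applies the policy.
type Engine struct {
	Verifiers []Verifier
	Mode      PolicyMode
}

// Evaluate runs every verifier and aggregates the results under e.Mode.
// With no verifiers configured it fails closed: nothing has vouched for the artifact.
func (e Engine) Evaluate(artifact string) Decision {
	d := Decision{Artifact: artifact}
	if len(e.Verifiers) == 0 {
		d.Reasons = append(d.Reasons, "no verifiers configured; denying by default")
		return d
	}
	passed := 0
	for _, v := range e.Verifiers {
		r := v.Verify(artifact)
		status := "FAIL"
		if r.Passed {
			passed++
			status = "PASS"
		}
		d.Reasons = append(d.Reasons, fmt.Sprintf("%s: %s (%s)", v.Name(), status, r.Message))
	}
	switch e.Mode {
	case AllPass:
		d.Admit = passed == len(e.Verifiers)
	case AnyPass:
		d.Admit = passed > 0
	}
	return d
}

// signatureVerifier stands in for a real signature check using a constructed
// table of digests that carry a signature from a trusted identity.
type signatureVerifier struct{ trusted map[string]bool }

func (s signatureVerifier) Name() string { return "signature" }
func (s signatureVerifier) Verify(artifact string) Result {
	if s.trusted[artifact] {
		return Result{Passed: true, Message: "signature verified against trusted identity"}
	}
	return Result{Passed: false, Message: "no trusted signature found"}
}

// sbomVerifier stands in for an SBOM check using a constructed table of
// digests that have an SBOM attached.
type sbomVerifier struct{ hasSBOM map[string]bool }

func (s sbomVerifier) Name() string { return "sbom" }
func (s sbomVerifier) Verify(artifact string) Result {
	if s.hasSBOM[artifact] {
		return Result{Passed: true, Message: "SBOM attached"}
	}
	return Result{Passed: false, Message: "no SBOM attached"}
}

// Constructed sample digests (placeholders, not real images).
const (
	SignedWithSBOM = "registry.example/app@sha256:aaaa0000"
	SignedOnly     = "registry.example/app@sha256:bbbb0000"
	Unsigned       = "registry.example/app@sha256:cccc0000"
)

// NewDemoEngine wires the two sample verifiers with the constructed tables.
func NewDemoEngine(mode PolicyMode) Engine {
	return Engine{Mode: mode, Verifiers: []Verifier{
		signatureVerifier{trusted: map[string]bool{SignedWithSBOM: true, SignedOnly: true}},
		sbomVerifier{hasSBOM: map[string]bool{SignedWithSBOM: true}},
	}}
}

func main() {
	for _, mode := range []PolicyMode{AllPass, AnyPass} {
		e := NewDemoEngine(mode)
		for _, a := range []string{SignedWithSBOM, SignedOnly, Unsigned} {
			d := e.Evaluate(a)
			fmt.Printf("mode=%d artifact=%s admit=%v reasons=%q\n", mode, a, d.Admit, d.Reasons)
		}
	}
}
```

The two design points worth noticing for a defender are that the engine fails closed when no verifier is configured, and that every verifier's outcome is kept in the decision so that the admission controller's denial can be logged with the specific check that failed rather than a bare reject.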

FeynmanZhou commented 5 months ago

Here is the slide deck of the Ratify project that we presented in the CNCF TAG Security review meeting on Apr 24: CNCF TAG Security Presentation - Ratify.pdf

dims commented 4 months ago

Looks like there's a new github org https://github.com/ratify-project/ratify (spun out from deislabs!)

FeynmanZhou commented 4 months ago

> Looks like there's a new github org https://github.com/ratify-project/ratify (spun out from deislabs!)

@dims Yes. Ratify has been transferred from a Microsoft-owned GitHub organization to a neutral org recently. The GitHub repo can be automatically redirected to the new URL.

FeynmanZhou commented 4 months ago
> Is gatekeeper a mandatory dependency or an optional one? I ask because of the comparison drawn with Connaisseur and Kyverno.

Currently, Gatekeeper is a core dependency in the Kubernetes admission control scenario only. Ratify does not rely on Gatekeeper in other scenarios, such as CLI mode for CI/CD and verification at container runtime (containerd, Docker).

> Do all 3 of the folks that seem to do the majority of the commits work for MSFT? (wasn't sure about BinBin Li). Are there upcoming members of the community who could do more? (poking at mentoring aspects!)

The majority of commits and contributors are from MSFT so far. AWS, Venafi, and Alibaba adopt Ratify as a part of their solutions, so we would expect more members and contributors to come from these organizations in the future. This is the motivation and reason for Ratify's donation to CNCF: to build a vendor-neutral community.

mnm678 commented 3 months ago

TAG Security recommendation to TOC

Project Overview

Ecosystem Adoption

Ratify has seen engagement with open source projects including ORAS, Notary, and Sigstore. In addition, there has been adoption by vendors such as AWS Signer, Azure Kubernetes Service Image Integrity, and Venafi CodeSign Protect.

Past TOC Reviews

N/A (Sandbox)

Security Reviews

TAG Security Assessments

N/A: We recommend performing a TAG Security Self Assessment.

Security Audit

N/A

Best Practices

Metrics

Ratify achieves 8.4 in OpenSSF Scorecards, which is a great score for a project at this maturity level.

Static Analysis

Ratify has implemented conformance testing.

Sub-project Considerations

N/A

TAG Recommendation to the TOC

Ratify provides a verification framework that integrates with a number of open source projects, with opportunities to integrate with more projects in the supply chain space to provide a single tool for verification. TAG Security would recommend that the TOC move forward with accepting the project into sandbox, with a few recommendations for the project to consider as they mature and move through future CNCF levels:

  • Performing a TAG Security self assessment as the project moves toward incubation.

  • Moving vulnerability reporting to a maintainers mailing list or using the Github reporting capabilities rather than going through the Microsoft Security Response Center

  • Adding the OpenSSF Best Practices badge as another metric to track maturity of security posture (https://www.bestpractices.dev/en).

FeynmanZhou commented 3 months ago

Thanks for the support and recommendations from TAG security!

Ratify now uses the GitHub security advisory reporting process and is working on the OSSF Best Practices badge.

In addition, we made some progress for Ratify supply chain security enhancements after the TAG Security review meeting. @akashsinghal will be able to share some details.

akashsinghal commented 3 months ago

Since Ratify's presentation to the TAG Security in May, the Ratify community has been working on addressing TAG Security's feedback on vulnerability management, versioning, and supply chain metadata for release/dev assets:

We appreciate the TAG Security's recommendations!

jberkus commented 3 months ago

TAG Contributor strategy has reviewed this project and found the following:

This review is for the TOC’s information only. Sandbox projects are not required to have full governance or contributor documentation.

yizha1 commented 3 months ago

Hi @jberkus, thanks for your review comments.

Regarding the following comment:

Ratify has no written governance, yet.

This repo https://github.com/ratify-project/.github under the ratify project lists more documents, including https://github.com/ratify-project/.github/blob/main/GOVERNANCE.md. Would you mind checking whether it meets your expectations? Thanks.

jberkus commented 3 months ago

Update per above:

Might I suggest adding links to those documents to your main README? Like me, new contributors aren't going to look in .github for a governance doc.

yizha1 commented 3 months ago

Thanks @jberkus. I've submitted a PR https://github.com/ratify-project/ratify/pull/1713 to implement the changes you suggested.

mrbobbytables commented 3 months ago

/vote

git-vote[bot] commented 3 months ago

Vote created

@mrbobbytables has called for a vote on [Sandbox] Ratify (#96).

The members of the following teams have binding votes:

| Team |
|---|
| @cncf/cncf-toc |

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

mrbobbytables commented 3 months ago

/check-vote

git-vote[bot] commented 3 months ago

Vote status

So far 36.36% of the users with binding vote are in favor (passing threshold: 66%).

Summary

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 4 | 0 | 0 | 7 |

Binding votes (4)

| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2024-08-20 15:24:20.0 +00:00:00 |
| cathyhongzhang | In favor | 2024-08-20 15:24:37.0 +00:00:00 |
| angellk | In favor | 2024-08-20 21:47:19.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2024-08-20 19:22:09.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending | |

mrbobbytables commented 3 months ago

/check-vote

git-vote[bot] commented 3 months ago

Vote status

So far 63.64% of the users with binding vote are in favor (passing threshold: 66%).

Summary

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 7 | 0 | 0 | 4 |

Binding votes (7)

| User | Vote | Timestamp |
|---|---|---|
| cathyhongzhang | In favor | 2024-08-20 15:24:37.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2024-08-20 19:22:09.0 +00:00:00 |
| TheFoxAtWork | In favor | 2024-08-20 15:24:20.0 +00:00:00 |
| angellk | In favor | 2024-08-20 21:47:19.0 +00:00:00 |
| rochaporto | In favor | 2024-08-21 7:28:02.0 +00:00:00 |
| dzolotusky | In favor | 2024-08-21 13:40:25.0 +00:00:00 |
| linsun | In favor | 2024-08-21 13:43:33.0 +00:00:00 |
| @dims | Pending | |
| @mauilion | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending | |

git-vote[bot] commented 3 months ago

Vote closed

The vote passed! 🎉

72.73% of the users with binding vote were in favor (passing threshold: 66%).

Summary

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 8 | 0 | 0 | 3 |

Binding votes (8)

| User | Vote | Timestamp |
|---|---|---|
| @linsun | In favor | 2024-08-21 13:43:33.0 +00:00:00 |
| @angellk | In favor | 2024-08-20 21:47:19.0 +00:00:00 |
| @rochaporto | In favor | 2024-08-21 7:28:02.0 +00:00:00 |
| @dzolotusky | In favor | 2024-08-21 13:40:25.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2024-08-20 15:24:20.0 +00:00:00 |
| @nikhita | In favor | 2024-08-23 10:43:37.0 +00:00:00 |
| @cathyhongzhang | In favor | 2024-08-20 15:24:37.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-08-20 19:22:09.0 +00:00:00 |

FeynmanZhou commented 3 months ago

The vote has passed and is closed. May I know what the next step is? Should we start to transfer project trademarks and website hosting (Netlify) to CNCF?

bridgetkromhout commented 3 months ago

> The vote has passed and is closed. May I know what the next step is? Should we start to transfer project trademarks and website hosting (Netlify) to CNCF?

The next step is that CNCF staff will open a project onboarding issue for Ratify (based on this template: https://github.com/cncf/toc/blob/main/.github/ISSUE_TEMPLATE/project-onboarding.md) - this may take a few days due to summer vacations. If you would like to start looking at the items on that list now, then you will be ready when the issue is opened. Thanks!

Cmierly commented 3 months ago

Welcome and congrats on getting accepted as a CNCF Sandbox project!

You can get started on your on-boarding checklist here: https://github.com/cncf/sandbox/issues/133

and if you have any questions, please don't hesitate to reach out!

mrbobbytables commented 2 months ago

With https://github.com/cncf/sandbox/issues/133 created we can go ahead and close this out :)

Congrats again!