cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

Operator Framework Security Self-Assessment #1177

Closed Brandonpinos closed 5 months ago

Brandonpinos commented 6 months ago

Created and added first draft for Operator Framework Security Self-Assessment.

netlify[bot] commented 6 months ago

Deploy Preview for tag-security canceled.

Latest commit: b25eef649643109154ca6a533f7f8858833561a1
Latest deploy log: https://app.netlify.com/sites/tag-security/deploys/659cb9e82e18db0008f8ec19
eddie-knight commented 6 months ago

Hi there! I'm just getting started looking at your pull request, and I noticed the DCO check is failing.

You can look at the checks section of the PR (I believe it should always be below the last comment) and look for a red X highlighting the failed check. In this case, you can click Details for more information about how to get that check passing.

[Screenshot 2023-12-08 at 8:35:18 AM]
eddie-knight commented 6 months ago

I noticed that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't needed...

  1. SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and associated to a particular point in the code history.
  2. If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM.

We still have plenty more to review, but as a starter— could you please remove the SBOM from this PR?

eddie-knight commented 6 months ago

To match the naming convention of this repository, please rename your project directory to use all lowercase, and replace spaces with hyphens.

JustinCappos commented 6 months ago

I think the content captured here is useful, but perhaps best for use in a top level readme that summarizes the overall project, and assessments can live in subdirectories for each subproject.

I'm not opposed to this. This is fairly similar to how we handled the Flux project.