cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Presentation] OpenFGA Project Status #1339

Closed aaguiarz closed 2 months ago

aaguiarz commented 3 months ago

Title: OpenFGA Project Status

Speakers: Who will be presenting this? aaguiarz

Description: Give a brief introduction to the OpenFGA project, talk about the progress we made in the last 2 years, and share different adoption use cases. Slides are here.

Time: How long will the presentation take? 20 mins

Availability: August 7th 1pm ET, August 14th 1pm ET

Slides TO DO

eddie-knight commented 3 months ago

Hi @aaguiarz :wave:

I've added you to the NA meeting schedule for August 14th.

I'll add a comment after this one with the recommendation template, which we'll fill out during the call.

eddie-knight commented 3 months ago

Template for TAG recommendation to TOC

Project Overview

Ecosystem Adoption

What ecosystem adoption has the project seen?

Widespread. Current adoption by okta, zuplo, stacklock, fianu, openobserve, moss, readAI, and more.

Past TOC Reviews

How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)?

No requests are known to the presenter, and none are readily apparent in the TOC GitHub issues.

https://github.com/search?q=repo%3Acncf%2Ftoc+openfga&type=issues

Security Reviews

TAG Security Assessments

Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture.

Yes, both.

https://tag-security.cncf.io/community/assessments/projects/openfga/joint-assessment/

Security Audit

Has the project completed an external security audit? If yes, how have they addressed the findings?

Not beyond the threat landscape provided in the STAG joint assessment.

Best Practices

Metrics

Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics?

Static Analysis

Does the project perform static analysis?

Snyk, Semgrep, Dependabot

Sub-project Considerations

If the project has sub-projects, how does their security posture compare to the base project?

SDKs and Helm charts are core dependencies, not standalone subprojects. The SDK receives a security review from Okta when new features are proposed.

TAG Recommendation to the TOC

No security concerns were raised by the STAG during the presentation. The project's security hygiene appears to meet or exceed the requirements of an Incubating project.

The community has been invited to comment on this issue with additional feedback or recommendations.

mnm678 commented 2 months ago

Thank you for the presentation!