[Commons WG] Develop Baseline Security Probes

[eddie-knight]

As part of our collaboration with OpenSSF, TAG Security members have been aiding in the design of the Open Source Project Security Baseline.

As the Baseline definitions are nearing completion, the next step will be to create Scorecard probes that will allow for automated integration into the OpenSSF Best Practices Badge and LFX Insights.

Currently, all three of the aforementioned tools are widely adopted in CNCF, and we anticipate that the TAG will be able to support the security of CNCF Projects by aiding in the development of the automated checks. Additionally, we may have the opportunity to use the 2024 Security Slam to encourage rapid adoption of the OSPS Baseline.

To accomplish the Level 1 milestone, we need to write approximately 15 probes.

Volunteers Needed

We need your help if you are a programmer willing to work in golang (it's not too difficult to pick up if you are well versed in another language).

Please comment on this issue or #tag-security-commons-wg on Slack if you are available to help with this effort!

[daemon1024]

I have considerable experience in Go and I am happy to help out.

The next step will be to create Scorecard probes that will allow fc automated integration into the OpenSSF Best Practices Badge and LFX Insights.

What's a probe and any references to sample implementation. Are probes the same as "checks" documented in OpenSSF Scorecard repo?

[baiyungao]

I am interested in contributing to this issue.

[eddie-knight]

Thanks @baiyungao and @daemon1024!

What's a probe and any references to sample implementation. Are probes the same as "checks" documented in OpenSSF Scorecard repo?

My understanding is that checks are comprised of multiple probes. The Scorecard maintainers have requested that we build in probes first, so that we can have fewer up-front requirements when contributing.

I'm going to get up to speed this week so that I can help onboard others as needed.

If you're available to join the next Baseline WG meeting, we will be discussing this in-depth then. If you're not available, please tag me here or on Slack so that we can coordinate

[eddie-knight]

I will have example code to share on today's WG call for folks who want to join in this effort

[huberts90]

@eddie-knight Could you please provide more details about this effort, especially the example you mentioned?

[baiyungao]

I couldn't join the call yesterday, but I am still very interested and would like to get more details. thanks -Ben

On Thu, Oct 24, 2024 at 6:33 AM Hubert Siwik @.***> wrote:

@eddie-knight https://github.com/eddie-knight Could you please provide more details about this effort, especially the example you mentioned?

— Reply to this email directly, view it on GitHub https://github.com/cncf/tag-security/issues/1386#issuecomment-2434906156, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABB572KZ52N34543MCOZ24DZ5DEHFAVCNFSM6AAAAABPVUYKYKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMZUHEYDMMJVGY . You are receiving this because you were mentioned.Message ID: @.***>

[eddie-knight]

There is a small bit of onboarding needed to get up to speed- could you reach out via slack so that we can share notes and such?

[vpavankalyan]

Hey @eddie-knight, I’m excited about the chance to work on the baseline security probes for the OpenSSF Scorecard and would love to contribute to this initiative. Pls let me know if there are any open slots available? Thank you!

[eddie-knight]

Hey absolutely @vpavankalyan! A few of us are going to have a quick intro call on Monday at 1700ET. More info is on Slack if you are able to join the discussion over there!

[eddie-knight]

As we've had difficulty contributing probes to OpenSSF Scorecard, we are currently exploring automation automation with OpenSSF Minder (@puerco) or directly into OpenSSF Best Practices Badge (@david-a-wheeler)