cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Commons WG] Develop Baseline Security Probes in OpenSSF Scorecard #1386

Open eddie-knight opened 2 weeks ago

eddie-knight commented 2 weeks ago

As part of our collaboration with OpenSSF, TAG Security members have been aiding in the design of the Open Source Project Security Baseline.

As the Baseline definitions are nearing completion, the next step will be to create Scorecard probes that will allow for automated integration into the OpenSSF Best Practices Badge and LFX Insights.

Currently, all three of the aforementioned tools are widely adopted in CNCF, and we anticipate that the TAG will be able to support the security of CNCF Projects by aiding in the development of the automated checks. Additionally, we may have the opportunity to use the 2024 Security Slam to encourage rapid adoption of the OSPS Baseline.

To accomplish the Level 1 milestone, we need to write approximately 15 probes.

Volunteers Needed

We need your help if you are a programmer willing to work in golang (it's not too difficult to pick up if you are well versed in another language).

Please comment on this issue or #tag-security-commons-wg on Slack if you are available to help with this effort!

daemon1024 commented 2 weeks ago

I have considerable experience in Go and I am happy to help out.

The next step will be to create Scorecard probes that will allow for automated integration into the OpenSSF Best Practices Badge and LFX Insights.

What's a probe and any references to sample implementation. Are probes the same as "checks" documented in OpenSSF Scorecard repo?

baiyungao commented 2 weeks ago

I am interested in contributing to this issue.

eddie-knight commented 1 week ago

Thanks @baiyungao and @daemon1024!

What's a probe and any references to sample implementation. Are probes the same as "checks" documented in OpenSSF Scorecard repo?

My understanding is that checks are comprised of multiple probes. The Scorecard maintainers have requested that we build in probes first, so that we can have fewer up-front requirements when contributing.

I'm going to get up to speed this week so that I can help onboard others as needed.

If you're available to join the next Baseline WG meeting, we will be discussing this in-depth then. If you're not available, please tag me here or on Slack so that we can coordinate.

eddie-knight commented 2 days ago

I will have example code to share on today's WG call for folks who want to join in this effort.

huberts90 commented 1 day ago

@eddie-knight Could you please provide more details about this effort, especially the example you mentioned?

baiyungao commented 1 day ago

I couldn't join the call yesterday, but I am still very interested and would like to get more details. Thanks, Ben

On Thu, Oct 24, 2024 at 6:33 AM Hubert Siwik wrote:

@eddie-knight Could you please provide more details about this effort, especially the example you mentioned?

eddie-knight commented 1 day ago

There is a small bit of onboarding needed to get up to speed. Could you reach out via Slack so that we can share notes and such?