finos / devops-automation

Provide a continuous compliance and assurance approach to DevOps that mutually benefits banks, auditors and regulators whilst accelerating DevOps adoption in engineering and fintech IT departments.
http://devops.finos.org
Apache License 2.0

Create project for global metadata reference and store #167

Open johnmark opened 9 months ago

johnmark commented 9 months ago

### Tasks
- [ ] Investigate requirements for FINOS Guac instance for most critical dependencies

johnmark commented 9 months ago

Provide taxonomy specific to highly regulated industries that will help with supply chain management

johnmark commented 9 months ago

Metadata - inclusive of community health metadata, risk-based rubrics

johnmark commented 9 months ago

See also: package management ecosystem, registries, and protections

ericchapman80 commented 6 months ago

@johnmark during today's working call the focus was for ingesting vendor products into financial organization. Most of our experience is helping organizations build automated governance / policy as code for their own in-house development. We are happy to share our experience and some reference architecture. I can't imagine there would be a chasm of difference as to what would be expected from product companies providing binaries or SaaS offerings. cc: @alexashley

Here is our perspective: