Operator CLO Monitor Tracking

[jaronoff97]

Describe the issue you're reporting

As part of the project infra SIG, we're working on some CLO monitoring improvements, and these are the issues the CLOMonitor found for the operator. We don't need to solve everything here, but it would be great to work on this towards improvement repo conformance.

opentelemetry-operator

clomonitor link project link

License

• [ ] License scanning
  • License scanning software scans and automatically identifies, manages and addresses open source licensing issues.
  • AFOSSAorSnyklink is found in the repository'sREADMEfile.

Security

• [ ] Software bill of materials (SBOM)
  • List of components in a piece of software, including licenses, versions, etc.
  • The latest release on Github includes an asset which name containssbom.
• [ ] Signed releases (from OpenSSF Scorecard)
  • This check tries to determine if the project cryptographically signs release artifacts.
• [ ] Security insights
  • Projects should provide an OpenSSF Security Insights manifest file.
  • A valid OpenSSF Security Insightsmanifest file(SECURITY-INSIGHTS.yml) is found at the root of the repository.
• [ ] Token permissions (from OpenSSF Scorecard)
  • This check determines whether the project's automated workflows tokens are set to read-only by default.
• [ ] Dependencies policy
  • Project should provide a dependencies policy that describes how dependencies are consumed and updated.
  • The url of the dependencies policy is available in thedependencies > env-dependencies-policysection of theOpenSSF Security Insightsmanifest file(SECURITY-INSIGHTS.yml) that should be located at the root of the repository.

Best Practices

• [ ] OpenSSF best practices badge
  • The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
  • AnOpenSSFbest practices badge is found in the repository'sREADMEfile.
• [ ] Artifact Hub badge
  • Projects can list their content on Artifact Hub to improve their discoverability.
  • AnArtifact Hubbadge is found in the repository'sREADMEfile.
• [ ] OpenSSF Scorecard badge
  • Scorecard assesses open source projects for security risks through a series of automated checks. For more information about the Scorecard badge, please see https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge.
  • AnOpenSSFScorecard badge is found in the repository'sREADMEfile.

[frzifus]

@led0nk something for you too? :)

[led0nk]

sure, i will have a look into this (maybe some assistance needed)