As part of the project infra SIG, we're working on some CLO monitoring improvements, and these are the issues the CLOMonitor found for the operator. We don't need to solve everything here, but it would be great to work on this towards improvement repo conformance.
License
[ ] License scanning
License scanning software scans and automatically identifies, manages and addresses open source licensing issues.
A FOSSA or Snyk link is found in the repository's README file.
Security
[ ] Software bill of materials (SBOM)
List of components in a piece of software, including licenses, versions, etc.
The latest release on GitHub includes an asset whose name contains sbom.
[ ] Signed releases (from OpenSSF Scorecard)
This check tries to determine if the project cryptographically signs release artifacts.
[ ] Security insights
Projects should provide an OpenSSF Security Insights manifest file.
A valid OpenSSF Security Insights manifest file (SECURITY-INSIGHTS.yml) is found at the root of the repository.
[ ] Token permissions (from OpenSSF Scorecard)
This check determines whether the project's automated workflow tokens are set to read-only by default.
[ ] Dependencies policy
Project should provide a dependencies policy that describes how dependencies are consumed and updated.
The URL of the dependencies policy is available in the dependencies > env-dependencies-policy section of the OpenSSF Security Insights manifest file (SECURITY-INSIGHTS.yml), which should be located at the root of the repository.
Best Practices
[ ] OpenSSF best practices badge
The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
An OpenSSF best practices badge is found in the repository's README file.
[ ] Artifact Hub badge
Projects can list their content on Artifact Hub to improve their discoverability.
An Artifact Hub badge is found in the repository's README file.
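A local pre-check for the README- and manifest-based items above (license scanning link, security insights manifest, dependencies policy, token permissions, and the two badges), so a fix can be verified before the next CLOMonitor run. This is an added example, not CLOMonitor's or the operator's own code; the URL patterns it greps for are assumptions about how the badges and links appear in a README, and the SBOM and signed-release checks are out of scope because they inspect GitHub release assets.

```shell
#!/bin/sh
# Added example (not CLOMonitor's code): mirrors the README/manifest checks
# listed in the issue. URL patterns are assumptions about badge/link form.
# Usage: clo_precheck /path/to/repo   (exit status = number of failures)
# License scanning: README links to FOSSA or Snyk.
check_license_scanning() {
  grep -Eiq 'https?://[^ )]*(fossa\.(com|io)|snyk\.io)' "$1/README.md" 2>/dev/null
}
# OpenSSF best practices badge in README.
check_bp_badge() {
  grep -Eiq 'bestpractices\.(dev|coreinfrastructure\.org)/projects/' "$1/README.md" 2>/dev/null
}
# Artifact Hub badge in README.
check_ah_badge() {
  grep -Eiq 'artifacthub\.io/badge/' "$1/README.md" 2>/dev/null
}
# Security insights: SECURITY-INSIGHTS.yml at the repository root.
check_security_insights() { [ -f "$1/SECURITY-INSIGHTS.yml" ]; }
# Dependencies policy: a policy-url under dependencies > env-dependencies-policy.
check_deps_policy() {
  awk '{ match($0, /^ */); ind = RLENGTH }
       /^dependencies:/ { dep = 1; next }
       dep && NF && ind == 0 { dep = 0 }
       dep && /^ +env-dependencies-policy:/ { env = 1; env_ind = ind; next }
       env && NF && ind <= env_ind { env = 0 }
       dep && env && /^ +policy-url: *"?https?:\/\// { found = 1 }
       END { exit found ? 0 : 1 }' "$1/SECURITY-INSIGHTS.yml" 2>/dev/null
}
# Token permissions: every workflow declares a top-level permissions block
# that is not write-all and grants no write scope (job-level writes are fine).
check_token_permissions() {
  for wf in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
    [ -f "$wf" ] || continue
    awk '{ match($0, /^ */); ind = RLENGTH }
         /^permissions:/ { top = 1; ok = ($0 ~ /write-all/) ? 0 : 1; next }
         top && NF && ind == 0 { top = 0 }
         top && /: *write/ { ok = 0 }
         END { exit ok ? 0 : 1 }' "$wf" || return 1
  done
}
# Run every check, print one line per result, return the number of failures.
clo_precheck() {
  fails=0
  for c in license_scanning bp_badge ah_badge security_insights deps_policy token_permissions; do
    if "check_$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
  done
  return "$fails"
}
```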
Project: opentelemetry-operator (clomonitor link, project link)