ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature: incorporate CLOMonitor-style exemptions #2614

Open lizrice opened 1 year ago

lizrice commented 1 year ago

As a CNCF project we've been encouraged to add both CLOMonitor and OpenSSF Scorecard badges, and there's quite a lot of overlap between the security-related checks that CLOMonitor runs, and the Scorecard checks. We reviewed the results from CLOMonitor and found some false positives, for which we've been able to document exemptions so that they don't appear as failed tests. (We really don't want to display a badge that portrays the project as a lot less secure than it really is!)

It would be great if those same exemptions could be pulled in by Scorecard as well. Ideally there would be just one exemptions file per repo acting as the source of truth (i.e. scorecard could re-use the checks that it finds in a .clomonitor file).

laurentsimon commented 1 year ago

Hey, we've been thinking of creating a config file as well. Thanks for the link, I was not aware of CLOMonitor. Is it a CNCF project?

lizrice commented 1 year ago

Yes: https://github.com/cncf/clomonitor

lizrice commented 1 year ago

Seems that CLOMonitor pulls in the tests from Scorecards, so maybe that's where the exemptions should live too. Would be great if the schema for documenting those exemptions could be reused though, to save reinventing the wheel.

github-actions[bot] commented 9 months ago

Stale issue message - this issue will be closed in 7 days

lizrice commented 9 months ago

Can I reopen this to get comment from the team?

spencerschrock commented 9 months ago

Hmm, thought we had disabled the auto close in #3493

spencerschrock commented 9 months ago

@gabibguti something to consider with the maintainer annotation work

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 60 days with no activity.

sandipanpanda commented 5 months ago

Hi, have there been any updates on this issue? I am working on adding the OpenSSF Scorecard badge to Cilium README, and fixing this would help address the issues mentioned here.

cc @spencerschrock

spencerschrock commented 5 months ago

> Hi, have there been any updates on this issue? I am working on adding the OpenSSF Scorecard badge to Cilium README, and fixing this would help address the issues mentioned here.

It's on our roadmap for this quarter. We haven't entirely decided how this will display in terms of the badge.

github-actions[bot] commented 3 months ago

This issue has been marked stale because it has been open for 60 days with no activity.

justaugustus commented 3 months ago

FYI @caniszczyk

caniszczyk commented 3 months ago

https://github.com/cncf/clomonitor/issues/1466

justaugustus commented 3 months ago

For those tracking this issue, we're getting conversations on the books with the CLOMonitor maintainers to decide on the best integration path for folks leveraging either or both tools.

Stay tuned!

github-actions[bot] commented 1 month ago

This issue has been marked stale because it has been open for 60 days with no activity.