repository-service-tuf / repository-service-tuf-cli

Repository Service for TUF: Command Line Interface
https://pypi.org/project/repository-service-tuf/
MIT License

Question: where can I help to add the dependency management policy? #655

Closed Danajoyluck closed 3 months ago

Danajoyluck commented 3 months ago

What do you want to share with us?

Talked to Kairo about this as part of the security baseline pilot adoption.

For a project at incubating stage, it's expected that a project needs to explicitly call out the dependency management policy. I'm happy to add the policy if I know where I can add it. I'll develop a standard policy most likely so that it can be applied to all the projects.

Recommendations from the security baseline: Follow Concise Guide for Evaluating Open Source Software to evaluate the dependencies before using them in the project.

Publish a dependencies policy to guide contributors on dependency management, using a stand-alone file or CONTRIBUTING.md.

Example dependency policy: CNCF: Kubescape, Argo Helm

The policy SHALL be added to SECURITY_INSIGHTS.yml section “dependencies” > “env-dependencies-policy”.

Example SECURITY_INSIGHTS.yml with dependencies policy: CNCF: Kubescape, capsule.

References

https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-incubating


kairoaraujo commented 3 months ago

Hi @Danajoyluck, Thank you for opening the issue. I'm moving to the Umbrella as we control all governance and issues that apply to multiple components there. https://github.com/repository-service-tuf/repository-service-tuf/issues/790