stackabletech / issues


Supply Chain Security Initiative #345

Open lfrancke opened 1 year ago

lfrancke commented 1 year ago

We'd like to take on various projects to strengthen our security posture and make our (and our customers') supply chain secure.

There are some related tasks in here that are not strictly about security.

# Do
- [ ] https://github.com/stackabletech/issues/issues/168
- [ ] https://github.com/stackabletech/issues/issues/496
- [ ] https://github.com/stackabletech/issues/issues/423
- [ ] https://github.com/stackabletech/infrastructure/issues/145
- [ ] https://github.com/stackabletech/infrastructure/issues/149
- [ ] https://github.com/stackabletech/docker-images/issues/44
- [ ] https://github.com/stackabletech/docker-images/issues/550
- [ ] https://github.com/stackabletech/infrastructure/issues/155
- [ ] https://github.com/stackabletech/docker-images/issues/627
- [ ] https://github.com/stackabletech/issues/issues/580
- [ ] https://github.com/stackabletech/issues/issues/583
# Done
- [ ] https://github.com/stackabletech/infrastructure/issues/115
- [ ] https://github.com/stackabletech/issues/issues/400
- [ ] https://github.com/stackabletech/issues/issues/381
- [ ] https://github.com/stackabletech/issues/issues/370
- [x] Enable cargo-auditable for all our builds
- [x] Signing Helm charts
# Maybe (Ideas / Scratchpad / Investigate)
- [ ] https://github.com/stackabletech/issues/issues/408
- [ ] Scan our artifacts against security vulnerabilities at build time and regularly thereafter (e.g. Dependencytrack)
- [ ] Update our base images regularly and rebuild product images
- [ ] Publish signature hashes for releases on our homepage/in the release notes
- [ ] Evaluate how/if we can get notified on changes to the git history
- [ ] Evaluate whether we want to rename docker.stackable.tech to hub.stackable.tech or similar
- [ ] https://github.com/stackabletech/issues/issues/347
- [ ] Look at Github Security Scanning / Dependabot etc.
- [ ] Reproducible Builds
- [ ] SLSA Level
- [ ] Use FSFE REUSE
- [ ] OpenSSF Badge: https://bestpractices.coreinfrastructure.org/en/projects/7197
- [ ] in-toto Attestations for security scans, builds etc.
- [ ] See if we can ingest https://www.first.org/epss/data_stats and display that / use for prioritization
- [ ] https://github.com/stackabletech/issues/issues/422
- [ ] Add EoL information as an annotation to each Pod
- [ ] Add some GUAC and TACOS to our SLSA: https://github.com/tacosframework / https://github.com/guacsec/guac
- [ ] https://github.com/stackabletech/infrastructure/issues/143
- [ ] https://github.com/stackabletech/infrastructure/issues/142
- [ ] https://github.com/stackabletech/issues/issues/515
- [ ] https://reproducible-builds.org/

See also https://app.nuclino.com/Stackable/Stackable/Supply-Chain-Security-ce7f8653-fc4b-4b8f-934f-d1ba6772e308 (internal only)

### Vulnerability Management
- [ ] ISO 29147
- [ ] ISO 30111
### Interesting Links
- [ ] https://securityscorecards.dev/
- [ ] https://github.com/marketplace/actions/openssf-scorecard-monitor
- [ ] https://slsa.dev/ & https://github.com/slsa-framework/slsa-github-generator
- [ ] https://www.docker.com/blog/capturing-build-information-buildkit/
- [ ] https://www.openchainproject.org/
- [ ] https://www.iso.org/standard/81039.html
- [ ] https://www.iso.org/standard/86450.html
- [ ] https://best.openssf.org/SCM-BestPractices/
- [ ] https://openeox.org/
- [ ] https://owasp.org/www-project-kubernetes-top-ten/
- [ ] https://github.com/kubescape/kubescape
- [ ] https://drive.google.com/file/d/14SrYl1HyfjVUTnj5uu2vjrmv5YcOjXLP/view
- [ ] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- [ ] https://github.com/xeol-io/xeol
- [ ] https://github.com/google/clusterfuzz / https://github.com/google/clusterfuzzlite
- [ ] https://github.com/oracle/macaron
- [ ] https://openssf.org/blog/2023/10/11/openssf-introduces-the-specification-security-insights-1-0/
- [ ] https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
- [ ] https://github.com/gittuf/gittuf
- [ ] https://www.cvedetails.com/
- [ ] https://mvsp.dev/
- [ ] https://www.thorsten-hans.com/read-only-filesystems-in-docker-and-kubernetes/
- [ ] https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
- [ ] https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
- [ ] https://github.com/github/issue-metrics
- [ ] https://github.com/stacklok/minder
- [ ] https://gcore.com/docs/dns/dns-records/what-is-an-https-record-and-how-is-it-configured

soenkeliebau commented 9 months ago

Meeting on Friday (29.9.2023) about the current state of implementation; afterwards we'll probably have a bit more clarity on this and can refine it further.

fhennig commented 6 months ago

I found this ticket which I think should be linked here: https://github.com/stackabletech/docker-images/issues/44 (or maybe just close it, linking to a different one).