Knative Project Security Self-Assessment - Security Pals #1196
Conversation
✅ Deploy Preview for tag-security canceled.
|
github-actions
bot
requested review from
PushkarJ,
sublimino and
TheFoxAtWork
|
Hi there! I'm just getting started looking at your pull request, and I noticed the DCO check is failing. You can look at the checks section of the PR (I believe it should always be below the last comment) and look for a red X highlighting the failed check. In this case, you can click |
|
I noticed that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't needed...
We still have plenty more to review, but as a starter— could you please remove the SBOM from this PR? |
mayhumst
force-pushed
the
main
branch
2 times, most recently
from
ebf8bab to
c1982a0
Compare
|
Thank you @eddie-knight for the initial feedback! I have removed the SBOM from the project folder, and I hope the go.mod files are enough for the SBOM section in the metadata. I squashed the commits and signed them off, so the DCO check should be good now. |
There was a problem hiding this comment.
Thanks for the PR @mayhumst and team, appreciate the efforts.
I have completed first pass of review and left several comments on section that needs your attention. Please feel free to reach out here or on slack for any questions and clarifications.
Along with addressing the comments, kindly update the PR branch with the latest content in the repo as this branch is out-of-date with the base branch.
|
@ragashreeshekar Thank you for detailed feedback! We've merged our branch to the parent repository, thank you for pointing that out. We've made a few initial changes based on your review and will fix the remaining issues quickly. |
mayhumst
force-pushed
the
main
branch
4 times, most recently
from
5e6e73d to
f42cdd2
Compare
|
Hi @ragashreeshekar Thank you again for the feedback. My teammate has updated the actors and actions sections as of this morning. I hope it's a better representation of this project. We welcome additional feedback and look forward to hearing back about next steps. |
mayhumst
changed the title
mayhumst
force-pushed
the
main
branch
12 times, most recently
from
711928e to
e02f1e7
Compare
difficulty crediting coauthors Signed-off-by: mayhumst <mayahumston@gmail.com> Co-authored-by: ShambhaviSeth <85444250+ShambhaviSeth@users.noreply.github.com> Co-authored-by: mushr00m-blue <eav8168@nyu.edu> Co-authored-by: Ethan <eav8168@nyu.edu> Co-authored-by: Zhikang Xu(Jacob) <jacob4782241@gmail.com>
| @@ -0,0 +1,218 @@ | |||
|
|
|||
There was a problem hiding this comment.
This is the SPDX for one of the Knative multi-arch images, but I'm not sure that it's especially helpful on its own -- this is simply a pointer to architecture-specific SBOMs for this container (and Knative probably publishes at least 60 containers per release).
With that said, I'm not sure what the goal of checking this in is, so it might still be useful to the TAG.
There was a problem hiding this comment.
Oops, this was an earlier comment that hadn't been sent. Ignore!
|
|
||
| ### Software Bill of Materials | ||
|
|
||
| - The go.mod files for each component can be found in the root directory of each repo, linked below. Knative-automation automatically updates the go.mod file with each deployment. |
There was a problem hiding this comment.
It's also worth noting that each component has an extension model, and users will typically install one or more extensions in addition to the core components.
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com> Signed-off-by: Raga <ragashreeshekar@gmail.com>
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com> Signed-off-by: Raga <ragashreeshekar@gmail.com>
Signed-off-by: Raga <ragashreeshekar@gmail.com>
What?
We are a team of four students at New York University. We have created an assessment for the knative project based on cncf's Security Self-Assessment Template and would like to put it forward for review. We are in contact with the security team at knative and are continuing to make edits to the assessment. (Team members: @Jabberwockiii @mushr00m-blue @ShambhaviSeth )
Why?
This assessment was the product of an assignment for a class with professor Justin Cappos, but we noticed that knative had no current assessment in the tag-security repository and would like to help fill this gap and make some security recommendations.
How?
This includes a current SBOM, a description of the product and its components/features, security goals and features, the deployment process, and recommendations for the documentation, among other sections.
Anything Else?
As previously mentioned, this assessment is a work in progress and all feedback is appreciated. We also hope to examine your threat model further and offer a few suggestions for revision in the next few days.
Additionally, I am cc'ing @evankanderson , with whom our team has been in contact with and has provided excellent initial feedback.