Merge branch 'main' into dependabot/npm_and_yarn/website/micromatch-4…

….0.8
cncf · Nov 6, 2024 · 09d815f · 09d815f
2 parents 4603944 + 75b01d3
commit 09d815f
Show file tree

Hide file tree

Showing 18 changed files with 49 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -6,7 +6,6 @@
 
 - [Meeting Information](#meeting-information)
 - [Slack Information](#communications)
-- [Members](#members)
 - [Working Groups](#working-groups)
 
 ## About Us
@@ -56,7 +55,7 @@ Join our open discussions and share news:
 
 - **Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/92340369657?password=76e24ffd-69f2-41a8-8aed-13796805225d), Meeting ID: 923 4036 9657.
 - **EMEA**: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/98348738138?password=70e6a945-563a-491f-8485-ecf7394ec13a), Meeting ID: 983 4873 8138.
-- **APAC**: Bi-weekly on Wednesdays at 12pm AEST( UTC +10) (adjusts for daylight saving). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/94315508827?password=0d7eaab8-a217-4c1b-b0a5-27ceded5743f), Meeting ID: 943 1550 8827.
+- **APAC**: Bi-weekly on Wednesdays at 11 am (UTC+9). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/94315508827?password=0d7eaab8-a217-4c1b-b0a5-27ceded5743f), Meeting ID: 943 1550 8827.
 
 Check your local timezone [here](https://time.is/). Meetings are listed on the [CNCF calendar](https://www.cncf.io/calendar/) and the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).
 
@@ -85,14 +84,15 @@ The TAG's working groups focus on specific areas and organize most community act
 These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs.
 Each group, led by a responsible leader, reaches consensus on issues and manages logistics. All materials, such as reports, white papers, documents, and reference architectures, are in the repository's /community directory.
 
-| Project | Leads |
-|---------------------------------|---------------------------------------------|
-| [Automated Governance](/community/working-groups/automated-governance/README.md) | Matthew Flannery, Brandt Keller |
-| [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres |
-| [Compliance](/community/working-groups/compliance/README.md) | Anca Sailer, Robert Ficcaglia |
-| [Controls](/community/working-groups/controls/README.md) | Jon Zeolla |
-| [Security Reviews](/community/assessments/README.md) | Justin Cappos, Eddie Knight|
-| [Software Supply Chain](/community/working-groups/supply-chain-security/README.md) | Marina Moore, Michael Liebermann, John Kjell |
+| Project | Leads | STAG Rep |
+|---------------------------------|---------------------------------------------|---------------------------------|
+| [Automated Governance](/community/working-groups/automated-governance/README.md) | Brandt Keller | Matthew Flannery |
+| [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres | Marina Moore |
+| [Commons](/community/working-groups/commons/README.md) | Eddie Knight | Marco De Benedictis |
+| [Compliance](/community/working-groups/compliance/README.md) | Anca Sailer, Robert Ficcaglia | Brandt Keller |
+| [Controls](/community/working-groups/controls/README.md) | Jon Zeolla | Brandt Keller |
+| [Security Reviews](/community/assessments/README.md) | Justin Cappos | Eddie Knight |
+| [Software Supply Chain](/community/working-groups/supply-chain-security/README.md) | Michael Lieberman, John Kjell | Marina Moore |
 
 ## Additional information
 

diff --git a/ci/lint-config.json b/ci/lint-config.json
@@ -4,5 +4,8 @@
         "code_blocks": false,
         "tables": false,
         "line_length": 512
+    },
+    "MD024": {
+        "siblings_only": true
     }
 }
diff --git a/ci/spelling-config.json b/ci/spelling-config.json
@@ -8,6 +8,8 @@
     "words": [
         "ABAC",
         "addfetnetgrent",
+        "AEST",
+        "Anca",
         "Aniszczyk",
         "antifragile",
         "APAC",
@@ -55,7 +57,9 @@
         "exploitability",
         "Expressibility",
         "Fianu",
+        "Ficcaglia",
         "FIPS",
+        "Flannery",
         "Flibble",
         "frontmatter",
         "Gamal",
@@ -65,8 +69,8 @@
         "GUAC",
         "helm",
         "HIPAA",
-        "HITRUST",
         "Hirschberg",
+        "HITRUST",
         "hotspots",
         "hyperconverged",
         "Inclusivity",
@@ -79,6 +83,7 @@
         "kata",
         "KETRMAX",
         "keycloak",
+        "Kjell",
         "Kube",
         "kubecon",
         "Kubernetes",
@@ -174,6 +179,7 @@
         "Virtool",
         "Wolt",
         "Yubi",
-        "Zalman"
+        "Zalman",
+        "Zeolla"
     ]
 }
diff --git a/community/assessments/projects/flatcar/joint-assessment.md b/community/assessments/projects/flatcar/joint-assessment.md
@@ -44,7 +44,7 @@ Compromising the update server would allow an attacker to “un-publish” a new
     <br/>2. Maintainers: That's a good catch, I've added 1.c. to discuss repository settings.
 11. SSH credential password enforcement
 12. 2FA for code repositories, build infrastructure, and VPN access
-13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 14. Consider preventing any outbound internet access to the build infrastructure, to avoid command and control for hostile actors
 
 

diff --git a/community/assessments/projects/fluentd/fluentd/self-assessment.md b/community/assessments/projects/fluentd/fluentd/self-assessment.md
@@ -172,7 +172,7 @@ Fluentd is the default standard to solve Logging in containerized environments,
   - Security vulnerabilites are to be reported at https://github.com/fluent/fluentd/security/advisories, as stated in their [security policy](https://github.com/fluent/fluentd/blob/master/SECURITY.md)
 * Incident Response.  
   -  Fluentd is trying to follow supply chain security using [DCO](https://probot.github.io/apps/dco/)  
-    [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)  
+    [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
   - Because Fluentd is built on top of the Ruby Ecosystems, they must also check the licenses of dependent gems.
 
 ## Appendix

diff --git a/community/events/cloud_native_security.md → community/events/cloud-native-security.md b/community/events/cloud_native_security.md → community/events/cloud-native-security.md
@@ -108,3 +108,10 @@ project, architecture, and enhance team awareness on security.
 
 - Seattle, WA
 - February 1-2, 2023
+
+### 2024
+
+[CloudNativeSecurityCon North America](https://cloudnativesecurityconna24.sched.com/)
+
+- Seattle, WA
+- June 26-27, 2024
diff --git a/community/publications/paper-process.md b/community/publications/paper-process.md
@@ -90,7 +90,7 @@ The paper lead creates a README.md with:
 - Original design decisions
 - Links to files in the repo
 
-### Blog Publishing and Coordination
+#### Blog Publishing and Coordination
 
 Coordinate with TAG leadership and CNCF for a blog post to increase visibility. Consider presenting at community events.
 

diff --git a/community/resources/security-whitepaper/v1/secure-software-factory.md b/community/resources/security-whitepaper/v1/secure-software-factory.md
@@ -1,6 +1,6 @@
 ## Introduction 
 
-A software supply chain is the series of steps performed when writing, testing, packaging, and distributing application software to end consumers. Given the increased prominence of software supply chain exploits and attacks, the [Cloud Native Computing Foundation (CNCF) Technical Advisory Group for Security](https://github.com/cncf/tag-security) published a whitepaper titled [“Software Supply Chain Best Practices”](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)[^1], which captures over 50 recommended practices to secure the software supply chain. That document is considered a prerequisite for the content described in this reference architecture.
+A software supply chain is the series of steps performed when writing, testing, packaging, and distributing application software to end consumers. Given the increased prominence of software supply chain exploits and attacks, the [Cloud Native Computing Foundation (CNCF) Technical Advisory Group for Security](https://github.com/cncf/tag-security) published a whitepaper titled [“Software Supply Chain Best Practices”](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)[^1], which captures over 50 recommended practices to secure the software supply chain. That document is considered a prerequisite for the content described in this reference architecture.
 
 This publication is a follow-up to that paper, targeted at system architects, developers, operators, and engineers in the areas of software development, security, and compliance. This reference architecture adopts the “Software Factory” model[^2] for designing a secure software supply chain.
 
@@ -1554,7 +1554,7 @@ Software Factory: [https://en.wikipedia.org/wiki/Software_factory](https://en.wi
 
 CNCF TAG-Security: [https://github.com/cncf/tag-security](https://github.com/cncf/tag-security)
 
-CNCF Supply Chain Security Paper: [https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+CNCF Supply Chain Security Paper: [https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 
 CNCF Cloud Native Security Whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf](https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf)
 

diff --git a/...resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf b/...resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf
diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md
@@ -686,7 +686,7 @@ Gli amministratori e i team di sicurezza dovrebbero archiviare tutte le informaz
 
 Un programma SBOM, CVE e VEX maturo e automatizzato può fornire informazioni rilevanti ad altri controlli di sicurezza e conformità. Ad esempio, l'infrastruttura può segnalare automaticamente i sistemi non conformi a una piattaforma di osservabilità o negare di fornire l'identità crittografica di un workload, mettendola effettivamente in quarantena da sistemi conformi in ambienti Zero-Trust.
 
-La CNCF ha pubblicato il [Whitepaper sulle Best Practice nella Supply Chain](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) per fornire un supporto nella progettazione di un processo sicuro all’interno della supply chain. Questo whitepaper fornisce maggiori dettagli sulla protezione della supply chain del software e discute i progetti CNCF rilevanti che sviluppatori e operatori possono utilizzare per proteggerne le varie fasi.
+La CNCF ha pubblicato il [Whitepaper sulle Best Practice nella Supply Chain](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) per fornire un supporto nella progettazione di un processo sicuro all’interno della supply chain. Questo whitepaper fornisce maggiori dettagli sulla protezione della supply chain del software e discute i progetti CNCF rilevanti che sviluppatori e operatori possono utilizzare per proteggerne le varie fasi.
 
 ##### GitOps <sup>(novità nella v2)</sup>
 
@@ -1106,7 +1106,7 @@ Runtime
 
 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)
 
-27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 
 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app)
 

diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md
@@ -653,7 +653,7 @@ SBOMには何千もの依存関係が含まれていることがあり、それ
 
 成熟し自動化されたSBOMやCVEおよびVEXプログラムは、他のセキュリティおよびコンプライアンス管理に関連情報を提供する可能性があります。例えば、インフラストラクチャは、非準拠のシステムを観測可能性プラットフォームに自動的に報告したり、必要な暗号化ワークロードのID提供を拒否したりして、ゼロトラスト環境において準拠システムから効果的に隔離することができます。
 
-CNCFは、安全なサプライチェーンプロセスの設計を支援するために、[ソフトウェアサプライチェーンのベストプラクティス白書](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)を作成しました。この白書は、ソフトウェアサプライチェーンのセキュリティ確保に関する詳細を提供し、開発者とオペレータがサプライチェーンの様々な段階でのセキュリティ確保に利用できるCNCFの関連プロジェクトについて説明しています。
+CNCFは、安全なサプライチェーンプロセスの設計を支援するために、[ソフトウェアサプライチェーンのベストプラクティス白書](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)を作成しました。この白書は、ソフトウェアサプライチェーンのセキュリティ確保に関する詳細を提供し、開発者とオペレータがサプライチェーンの様々な段階でのセキュリティ確保に利用できるCNCFの関連プロジェクトについて説明しています。
 
 ##### GitOps<sup>(v2で追記)</sup>
 
@@ -1037,7 +1037,7 @@ RV.3.2
 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1)
 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf)
 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)
-27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app)
 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/)
 30. [OpenSCAP](https://www.open-scap.org/)

diff --git a/...s/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md b/...s/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md
@@ -638,7 +638,7 @@ ATT&CK 的威胁矩阵由行和列组成，行表示技术，列表示战术。
 
 成熟和自动化的 SBOM、CVE 和 VEX 程序可为其他安全和合规控制提供相关信息。例如，基础设施可能会自动向可观察平台报告不符合要求的系统，或拒绝提供必要的加密工作负载身份，从而在零信任环境中有效地将其与符合要求的系统隔离开来。
 
-CNCF 制作了[软件供应链最佳实践白皮书](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)，以帮助您设计安全的供应链流程。本白皮书提供了有关保护软件供应链的更多详细信息，并讨论了开发人员和运营商可用于保护供应链各个阶段的相关 CNCF 项目。
+CNCF 制作了[软件供应链最佳实践白皮书](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)，以帮助您设计安全的供应链流程。本白皮书提供了有关保护软件供应链的更多详细信息，并讨论了开发人员和运营商可用于保护供应链各个阶段的相关 CNCF 项目。
 
 ##### GitOps<sup>（v2 新增）</sup>
 
@@ -898,7 +898,7 @@ GitOps 流程负责向生产环境提供更改，如果该流程受到危害，
 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1)
 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf)
 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)
-27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app)
 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/)
 30. [OpenSCAP](https://www.open-scap.org/)

diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md
@@ -1306,7 +1306,7 @@ deny providing a necessary cryptographic workload identity, effectively quaranti
 Zero-Trust environments.
 
 The CNCF has produced
-the [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+the [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 to assist you with designing a secure supply chain process. This whitepaper provides more details about securing the
 software supply chain and discusses relevant CNCF projects that developers and operators can use to secure various
 stages of the supply chain.
@@ -1815,7 +1815,7 @@ Runtime
 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1)
 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf)
 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)
-27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app)
 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/)
 30. [OpenSCAP](https://www.open-scap.org/)

diff --git a/community/working-groups/automated-governance/README.md b/community/working-groups/automated-governance/README.md
@@ -17,6 +17,10 @@ The scope of this project includes:
 - Creation of best practice guidelines and documentation.
 - Potential development of tooling or integration patterns for common CI/CD platforms.
 
+## WIP Documentation
+
+- **Working Draft:** [Google Docs](https://docs.google.com/document/d/14pV0ooE40yuo0u_CH-OeWS8lZgMBfxo8F38QRIaKUXY)
+
 ## Meeting Information
 
 - **Meeting:** Every 2 weeks on Tuesday at 2:00 PM Pacific Time (US and Canada) ([Calendar Invite](https://zoom.us/meeting/tJUtduGoqz4qGddkUvgs3jVjzUEY6Y8MEcT6/ics?icsToken=98tyKuCprjoiGtGQsBqERowcAoj4WfTwmCVfjadZlyrzBDMAaDX8LNdnC-RGSPX1))

diff --git a/community/working-groups/compliance/README.md b/community/working-groups/compliance/README.md
@@ -26,7 +26,7 @@ Reviewing industry and governmental standards (e.g., NIST, PCI, HIPAA) from a cl
 ## Meeting Information
 
 - **Weekly Meetings:** 10:00 AM Eastern Time (US and Canada)
-- **Meeting Link:** [Zoom Meeting](https://zoom.us/j/92729235315?pwd=ZFIxU3RSanlVODh4a1g2SFdJOGpoZz09)
+- **Meeting Link:** [Zoom Meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/94852354733?password=c99601ab-0a5a-4ea9-98e3-af9d12c59547)
 - **Meeting Notes:** [Meeting Notes Link](https://docs.google.com/document/d/1z9xvt-Z97j4CtEH1-nR9sMWul7jQkUi_fNY7BdMPgxM/edit#heading=h.88owgl3gm8w4)
 - **Calendar Invite:** See [CNCF calendar](https://calendar.google.com/calendar/u/0/[email protected]&ctz=America/Los_Angeles) for invite
 

diff --git a/...oups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf b/...oups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf