Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Commons WG] Develop Baseline Security Probes #1386

Open
eddie-knight opened this issue Oct 10, 2024 · 10 comments
Open

[Commons WG] Develop Baseline Security Probes #1386

eddie-knight opened this issue Oct 10, 2024 · 10 comments
Assignees

Comments

@eddie-knight
Copy link
Collaborator

eddie-knight commented Oct 10, 2024

As part of our collaboration with OpenSSF, TAG Security members have been aiding in the design of the Open Source Project Security Baseline.

As the Baseline definitions are nearing completion, the next step will be to create Scorecard probes that will allow for automated integration into the OpenSSF Best Practices Badge and LFX Insights.

Currently, all three of the aforementioned tools are widely adopted in CNCF, and we anticipate that the TAG will be able to support the security of CNCF Projects by aiding in the development of the automated checks. Additionally, we may have the opportunity to use the 2024 Security Slam to encourage rapid adoption of the OSPS Baseline.

To accomplish the Level 1 milestone, we need to write approximately 15 probes.

Volunteers Needed

We need your help if you are a programmer willing to work in golang (it's not too difficult to pick up if you are well versed in another language).

Please comment on this issue or #tag-security-commons-wg on Slack if you are available to help with this effort!

@eddie-knight eddie-knight added good first issue Good for newcomers help wanted Extra attention is needed labels Oct 10, 2024
@eddie-knight eddie-knight self-assigned this Oct 10, 2024
@daemon1024
Copy link

I have considerable experience in Go and I am happy to help out.

The next step will be to create Scorecard probes that will allow fc
automated integration into the OpenSSF Best Practices Badge and LFX Insights.

What's a probe and any references to sample implementation.
Are probes the same as "checks" documented in OpenSSF Scorecard repo?

@baiyungao
Copy link

I am interested in contributing to this issue.

@eddie-knight
Copy link
Collaborator Author

eddie-knight commented Oct 16, 2024

Thanks @baiyungao and @daemon1024!

What's a probe and any references to sample implementation.
Are probes the same as "checks" documented in OpenSSF Scorecard repo?

My understanding is that checks are comprised of multiple probes. The Scorecard maintainers have requested that we build in probes first, so that we can have fewer up-front requirements when contributing.

I'm going to get up to speed this week so that I can help onboard others as needed.

If you're available to join the next Baseline WG meeting, we will be discussing this in-depth then. If you're not available, please tag me here or on Slack so that we can coordinate

@eddie-knight
Copy link
Collaborator Author

I will have example code to share on today's WG call for folks who want to join in this effort

@eddie-knight eddie-knight changed the title [Baseline WG] Develop Baseline Security Probes in OpenSSF Scorecard [Commons WG] Develop Baseline Security Probes in OpenSSF Scorecard Oct 23, 2024
@huberts90
Copy link

@eddie-knight Could you please provide more details about this effort, especially the example you mentioned?

@baiyungao
Copy link

baiyungao commented Oct 24, 2024 via email

@eddie-knight
Copy link
Collaborator Author

eddie-knight commented Oct 24, 2024

There is a small bit of onboarding needed to get up to speed- could you reach out via slack so that we can share notes and such?

@vpavankalyan
Copy link

Hey @eddie-knight,
I’m excited about the chance to work on the baseline security probes for the OpenSSF Scorecard and would love to contribute to this initiative. Pls let me know if there are any open slots available?
Thank you!

@eddie-knight
Copy link
Collaborator Author

Hey absolutely @vpavankalyan! A few of us are going to have a quick intro call on Monday at 1700ET. More info is on Slack if you are able to join the discussion over there!

@jkjell jkjell added in-progress and removed help wanted Extra attention is needed good first issue Good for newcomers labels Oct 30, 2024
@eddie-knight eddie-knight changed the title [Commons WG] Develop Baseline Security Probes in OpenSSF Scorecard [Commons WG] Develop Baseline Security Probes Nov 24, 2024
@eddie-knight
Copy link
Collaborator Author

eddie-knight commented Nov 24, 2024

As we've had difficulty contributing probes to OpenSSF Scorecard, we are currently exploring automation automation with OpenSSF Minder (@puerco) or directly into OpenSSF Best Practices Badge (@david-a-wheeler)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants