[Commons WG] Develop Baseline Security Probes #1386
Comments
I have considerable experience in Go and I am happy to help out.
What's a probe and any references to sample implementation. |
I am interested in contributing to this issue. |
Thanks @baiyungao and @daemon1024!
My understanding is that checks are comprised of multiple probes. The Scorecard maintainers have requested that we build in probes first, so that we can have fewer up-front requirements when contributing. I'm going to get up to speed this week so that I can help onboard others as needed. If you're available to join the next Baseline WG meeting, we will be discussing this in-depth then. If you're not available, please tag me here or on Slack so that we can coordinate. |
I will have example code to share on today's WG call for folks who want to join in this effort |
@eddie-knight Could you please provide more details about this effort, especially the example you mentioned? |
I couldn't join the call yesterday, but I am still very interested and would like to get more details. Thanks -Ben
|
There is a small bit of onboarding needed to get up to speed - could you reach out via Slack so that we can share notes and such? |
Hey @eddie-knight, |
Hey absolutely @vpavankalyan! A few of us are going to have a quick intro call on Monday at 1700ET. More info is on Slack if you are able to join the discussion over there! |
As we've had difficulty contributing probes to OpenSSF Scorecard, we are currently exploring automation with OpenSSF Minder (@puerco) or directly into OpenSSF Best Practices Badge (@david-a-wheeler) |
As part of our collaboration with OpenSSF, TAG Security members have been aiding in the design of the Open Source Project Security Baseline.
As the Baseline definitions are nearing completion, the next step will be to create Scorecard probes that will allow for automated integration into the OpenSSF Best Practices Badge and LFX Insights.
Currently, all three of the aforementioned tools are widely adopted in CNCF, and we anticipate that the TAG will be able to support the security of CNCF Projects by aiding in the development of the automated checks. Additionally, we may have the opportunity to use the 2024 Security Slam to encourage rapid adoption of the OSPS Baseline.
To accomplish the Level 1 milestone, we need to write approximately 15 probes.
Volunteers Needed
We need your help if you are a programmer willing to work in golang (it's not too difficult to pick up if you are well versed in another language).
Please comment on this issue or #tag-security-commons-wg on Slack if you are available to help with this effort!