
Supply Chain Security Policy Writeup

Open mnm678 opened this issue 1 year ago • 3 comments

Description:

There has been a lot of guidance created by the tag around applying software supply chain security to cloud native applications. This proposal builds on that guidance by focusing specifically on the area of policy: policy at different levels of the application, how to incrementally adopt this policy, and how policy can be distributed to users.

Impact: This short writeup will provide readers with insights into software supply chain policy, and make it clear how implementing this policy can start today, without waiting for a 'perfect' solution.

Scope: 1-2 months

Intent to lead:

  • [x] I volunteer to be a project lead on this proposal if the community is interested in pursuing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead.

Proposal to Project:

  • [ ] Added to the planned meeting template for mm dd
  • [x] Raised in a Security TAG meeting to determine interest - Supply Chain WG meeting 11 02
  • [x] Collaborators comment on issue to determine interest and nominate project lead
  • [ ] Scope determined via meeting 11 02 and/or shared document add link with call for participation in #tag-security slack channel thread add link and mailing list email add link
  • [x] Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

  • [x] Security TAG Leadership Representative: @mnm678
  • [x] Project leader(s): @mnm678
  • [x] Issue is assigned to project leaders and Security TAG Leadership Representative
  • [ ] Project Members:
  • [ ] Fill in additional TODO items here so the project team and community can see progress!
  • [ ] Scope
  • [ ] Deliverable(s): blog post
  • [ ] Project Schedule
  • [ ] Slack Channel (as needed)
  • [ ] Meeting Time & Day:
  • [ ] Meeting Notes (link)
  • [ ] Meeting Details (zoom or hangouts link)
  • [ ] Retrospective

mnm678 avatar Nov 30 '23 21:11 mnm678

I am interested in collaborating on this effort, how do I proceed or sign up?

topsingh avatar Dec 23 '23 13:12 topsingh

We have a draft of the document available here: https://docs.google.com/document/d/1oqljWdGCXfXSwOZsU4jjOQv0qz0Gdp0Xq1jOzAiqeBw/edit. Any feedback is welcome.

mnm678 avatar Jan 18 '24 16:01 mnm678

> We have a draft of the document available here: https://docs.google.com/document/d/1oqljWdGCXfXSwOZsU4jjOQv0qz0Gdp0Xq1jOzAiqeBw/edit. Any feedback is welcome.

I've made suggested edits for readability and phrasing; the content reads very well :tada:

sublimino avatar Feb 01 '24 18:02 sublimino

Blog post was published: https://www.cncf.io/blog/2024/02/14/policy-as-code-in-the-software-supply-chain/

mnm678 avatar Mar 05 '24 14:03 mnm678

Great work Supply Chain Security Group!

PushkarJ avatar Apr 24 '24 15:04 PushkarJ