
[Security Review] Keptn

Open thisthat opened this issue 4 years ago • 17 comments

Project Name: Keptn

Github URL: https://github.com/keptn/keptn

CNCF project stage and issue: https://github.com/cncf/toc/pull/670 (incubation)

Security Provider: no

  • [ ] Identify team
    • [ ] Project security lead: @thisthat
    • [ ] Lead security reviewer
    • [ ] 1 or more additional reviewer(s)
    • [ ] Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • [ ] Sign off by 2 chairs on reviewer conflicts
  • [ ] Create slack channel (e.g. #sec-assess-projectname)
  • [ ] Project lead provides draft document - see outline
  • [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions
  • [ ] Assign issue to security reviewers
  • [ ] Initial review
  • [ ] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • [ ] CNCF TOC presentation (if requested by TOC)

thisthat avatar Sep 07 '21 13:09 thisthat

@IAXES CC: @ashutosh-narkar

TheFoxAtWork avatar Sep 08 '21 17:09 TheFoxAtWork

ping @IAXES CC: @ashutosh-narkar

lumjjb avatar Sep 29 '21 18:09 lumjjb

Is there any ETA when the review will be done for Keptn? (cc @thisthat)

jetzlstorfer avatar Oct 05 '21 07:10 jetzlstorfer

👋🏻 Our current pipeline shows a wrap up of Cloud Custodian (very nearly complete) then we begin Argo, Keptn would be next. CC: @IAXES @lumjjb @ashutosh-narkar

Provided we can have volunteers for Argo and get it started soon, I would anticipate this (Keptn) beginning in Dec/Jan

TheFoxAtWork avatar Oct 05 '21 13:10 TheFoxAtWork

> 👋🏻 Our current pipeline shows a wrap up of Cloud Custodian (very nearly complete) then we begin Argo, Keptn would be next. CC: @IAXES @lumjjb @ashutosh-narkar
>
> Provided we can have volunteers for Argo and get it started soon, I would anticipate this (Keptn) beginning in Dec/Jan

Sounds about right to me. Looks like we'll have volunteers ready for Argo (it's just being pushed back a few weeks due to Kubecon).

IAXES avatar Oct 05 '21 23:10 IAXES

Thanks for the updates. Can we plan to have our security review in Dec/Jan? Are there any more resources needed from our end to start the process? CC: @thisthat @oleg-nenashev

jetzlstorfer avatar Nov 04 '21 08:11 jetzlstorfer

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Jan 03 '22 19:01 stale[bot]

Is there any update on this? cc @thisthat @oleg-nenashev

jetzlstorfer avatar Jan 04 '22 16:01 jetzlstorfer

Good day,

We're currently going through the Argo assessment, and then will be re-visiting this review.

IAXES avatar Jan 04 '22 16:01 IAXES

Hi all. Please let us know if any additional info is needed from our side. IIUC the review ETA in Feb 2022 needs to be pushed to later months, right @IAXES @TheFoxAtWork?

oleg-nenashev avatar Feb 17 '22 16:02 oleg-nenashev

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Apr 18 '22 20:04 stale[bot]

Not stale but stuck

oleg-nenashev avatar Apr 21 '22 15:04 oleg-nenashev

FTR, ongoing discussion with @TheFoxAtWork and @lumjjb: https://cloud-native.slack.com/archives/CDJ7MLT8S/p1650549287843639

oleg-nenashev avatar Apr 21 '22 15:04 oleg-nenashev

We had a chat yesterday; the current plan is to get the self-assessment PR in. We will review it and give a DD recommendation based on that if there are no red flags.

lumjjb avatar Apr 22 '22 12:04 lumjjb

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Jun 23 '22 00:06 stale[bot]

Hi! Quick update on the Keptn security review. The previous self-assessment doc needs some updates based on the roadmap changes we had in the project (Keptn 1.0 discussions, etc.). I plan to provide the new version by Wednesday. I have not touched this topic since May due to other discussions, my apologies for that. At least we can now schedule the security review for the real scope.

oleg-nenashev avatar Aug 15 '22 15:08 oleg-nenashev

@IAXES fyi - just assigned the issue

lumjjb avatar Aug 15 '22 16:08 lumjjb

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Oct 16 '22 08:10 stale[bot]

I'm picking up stale items in the security assessment queue to try to push them forward. Apologies for the delay on your assessment!

Is an updated self-assessment available? I don't see it in the repo, etc. Once this happens, we can get a team together to do an assessment. Once it reaches the front of our queue, this will require back and forth with your team.

If a security assessment isn't desired anymore, please let us know and this issue can be closed.

JustinCappos avatar Jul 07 '23 13:07 JustinCappos

Found in the Slack thread: there is a Google Docs version of the assessment, although its last update is 5 days before the comment above stating that the document needs updating.

https://docs.google.com/document/d/14qFAc6kxhWX_JLMUKddgELcymaRw6jmhsq0OYxrHtc0/edit#bookmark=id.19yjmziudbxj

anvega avatar Jul 09 '23 01:07 anvega

Thanks for picking up this item :) As a Keptn Community, we decided to move the project's effort to a new repo, the lifecycle toolkit. You can see the decision here: https://github.com/keptn/enhancement-proposals/pull/100

I've updated the original message pointing to the new repo. The document definitely needs to be updated to reflect the latest changes.

thisthat avatar Jul 11 '23 12:07 thisthat

Okay, sounds good! Please ping us once you have your self assessment ready.

JustinCappos avatar Jul 11 '23 15:07 JustinCappos

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Sep 17 '23 01:09 stale[bot]

Let us know if you decide to move ahead with this again. I'll close this issue for now, but feel free to reopen it / open a fresh one when you have the time to do the self assessment.

JustinCappos avatar Sep 17 '23 04:09 JustinCappos