
Kubernetes Third-Party Security Audit for 2024 (tracking issue)

Open reylejano opened this issue 2 years ago • 6 comments

Tracking issue for the Kubernetes third-party security audit for 2024:

  • [ ] Define audit scope
  • [ ] Create RFP
    • [ ] Finalize dates: RFP opening and closing dates, question period, vendor selection
    • [ ] Complete question period and publish questions & replies to RFP
  • [ ] Vendor assessment
    • [ ] Assemble vendor assessment group
    • [ ] Create private Google group
  • [ ] Release vendor selection
  • [ ] Coordinate SMEs as contacts for vendor
  • [ ] Vendor conducts audit
  • [ ] Send findings to SRC
  • [ ] Findings review with SIG Security
  • [ ] Publish findings

/sig security

reylejano · Nov 03 '23 03:11

@reylejano: The label(s) /label external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

Tracking issue for the Kubernetes third-party security audit for 2023-2024:

  • [ ] Create RFP
  • [ ] Audit scope
  • [ ] Finalize dates: RFP opening and closing dates, question period, vendor selection
  • [ ] Complete question period and publish questions & replies to RFP
  • [ ] Vendor assessment
  • [ ] Assemble vendor assessment group
  • [ ] Create private Google group
  • [ ] Release vendor selection
  • [ ] Coordinate SMEs as contacts for vendor
  • [ ] Vendor conducts audit
  • [ ] Send findings to SRC
  • [ ] Findings review with SIG Security
  • [ ] Publish findings

/sig security /label external-audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot · Nov 03 '23 03:11

xref: https://github.com/kubernetes/sig-security/pull/105 (add Windows to scope)

ritazh · Nov 07 '23 22:11

Also include the new threat model refresh, @raesene.

sunstonesecure-robert · Nov 08 '23 23:11

Aside: how about adding /area audit (label and associated Prow command)?

sftim · Mar 07 '24 13:03

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot · Jun 05 '24 14:06

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot · Jul 05 '24 14:07

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot · Aug 04 '24 14:08

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot · Aug 04 '24 14:08