sig-security
Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
This PR updates the audit roadmap with topics suggested from KubeCon EU 2024 and also updates the audit year of several focus areas as the last audit was published in...
**What would you like to be added** As part of SIG-Security-Docs, we've been discussing the creation of a hardening guide for Kubernetes. We've got an initial document for the guide's...
We already have a checklist for admins. In this task we would like to create one that focuses on the applications and developers. cc: @AnshumanTripathi
**Background**: Today we have scanning implemented using [`snyk`](https://github.com/kubernetes/sig-security/blob/main/sig-security-tooling/vulnerability-mgmt/build-time-dependencies.md). It has worked quite well with addition of some smart optimization to reduce false positives. Go team recently released https://go.dev/blog/govulncheck v1.0.0. It...
## Description Run `govulncheck` periodically in default mode `symbol` level on https://github.com/kubernetes/kubernetes for: - `master` branch i.e. HEAD - release-1.`stable-version` - release-1.`prev-stable-minor-version` - release-1.`oldest-stable-minor-version` This will allow to get a...
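One way to script the periodic scan the issue describes, as an added example rather than SIG Security's own job configuration: the branch set is derived from the stable minor version (master plus the three most recent `release-1.N` branches), and each branch is scanned with `govulncheck` at symbol granularity. Assumptions, not taken from the issue: the stable minor version is passed as a number (e.g. `30`), a `kubernetes/kubernetes` checkout with those branches already fetched sits at `$K8S_DIR`, `govulncheck` v1.0.0 or later is on `PATH`, and results are written to `$OUT_DIR`. The `-scan symbol` flag spells out the default scan level so the job config documents it.

```shell
#!/bin/sh
# Added example; not part of the sig-security repo or its prow jobs.
# Assumes: govulncheck >= v1.0.0 on PATH, a kubernetes checkout at
# $K8S_DIR with the release branches fetched, and an output dir $OUT_DIR.

# Branch set from the issue: master (HEAD), release-1.<stable>,
# release-1.<stable-1>, release-1.<stable-2>. One branch per line.
release_branches() {
  stable="$1"
  printf 'master\n'
  i=0
  while [ "$i" -lt 3 ]; do
    printf 'release-1.%s\n' "$((stable - i))"
    i=$((i + 1))
  done
}

# Scan one branch in govulncheck's default source mode at symbol
# granularity, which only reports vulnerable functions actually
# reachable from the scanned packages. Output goes to $OUT_DIR/<branch>.txt.
scan_branch() {
  branch="$1"
  dir="$2"
  out="$3"
  git -C "$dir" checkout --quiet "$branch" || return 1
  # -scan symbol is the default level; stated explicitly for the job config.
  (cd "$dir" && govulncheck -scan symbol ./...) > "$out/$branch.txt"
}

# Walk the branch set and scan each one; only runs when the assumed
# environment variables are set so the functions can be sourced alone.
scan_all() {
  stable="$1"
  dir="$2"
  out="$3"
  mkdir -p "$out"
  release_branches "$stable" | while read -r b; do
    scan_branch "$b" "$dir" "$out" || echo "scan failed for $b" >&2
  done
}

if [ -n "${K8S_DIR:-}" ] && [ -n "${OUT_DIR:-}" ] && [ -n "${STABLE_MINOR:-}" ]; then
  scan_all "$STABLE_MINOR" "$K8S_DIR" "$OUT_DIR"
fi
```

Run as `STABLE_MINOR=30 K8S_DIR=/path/to/kubernetes OUT_DIR=/tmp/govuln ./scan.sh`; a scheduled prow job would wrap the same invocation. Scanning each release branch separately matters because the set of reachable vulnerable symbols differs per branch, so a finding on master does not imply one on `release-1.N` or vice versa.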
**Please tell us a bit more about the topic** I would love to present [Tetragon](https://github.com/cilium/tetragon) to people at SIG security tooling! It's an eBPF-based Security Observability and Runtime Enforcement software....
**Goal**: Implement automated scanning capabilities that are tool agnostic for identifying vulnerabilities in Kubernetes related artifacts, followed by a documented private triage process to resolve the identified vulnerability, with a...
As we learnt from https://github.com/kubernetes/test-infra/pull/26896#discussion_r932628360 it is possible for prow to pick up shell scripts outside of `k/test-infra`. Moving the script that is present here: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml#L29-L87 into a dedicated shell...
Tracking issue for the Kubernetes third-party security audit for 2024: - [ ] Define audit scope - [ ] Create RFP - [ ] Finalize dates: RFP opening and closing...