compliantkubernetes-apps
compliantkubernetes-apps copied to clipboard
elastisys
Add SBOM
[!warning] This is a public repository, ensure not to disclose:
- [x] personal data beyond what is necessary for interacting with this pull request, nor
- [x] business confidential information, such as customer names.
What kind of PR is this?
Required: Mark one of the following that is applicable:
- [ ] kind/feature
- [ ] kind/improvement
- [ ] kind/deprecation
- [x] kind/documentation
- [ ] kind/clean-up
- [ ] kind/bug
- [ ] kind/other
Optional: Mark one or more of the following that are applicable:
[!important] Breaking changes should be marked
kind/admin-changeorkind/dev-changedepending on type Critical security fixes should be marked withkind/security
- [ ] kind/admin-change
- [ ] kind/dev-change
- [ ] kind/security
- [ ] kind/adr
What does this PR do / why do we need this PR?
Add an initial SBOM based on v0.37.0
Information to reviewers
Checklist
- [ ] Proper commit message prefix on all commits
- Change checks:
- [ ] The change is transparent
- [ ] The change is disruptive
- [ ] The change requires no migration steps
- [ ] The change requires migration steps
- [ ] The change upgrades CRDs
- Metrics checks:
- [ ] The metrics are still exposed and present in Grafana after the change
- [ ] The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
- [ ] The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
- Logs checks:
- [ ] The logs do not show any errors after the change
- Pod Security Policy checks:
- [ ] Any changed pod is covered by Pod Security Admission
- [ ] Any changed pod is covered by Gatekeeper Pod Security Policies
- [ ] The change does not cause any pods to be blocked by Pod Security Admission or Policies
- Network Policy checks:
- [ ] Any changed pod is covered by Network Policies
- [ ] The change does not cause any dropped packets in the
NetworkPolicy Dashboard
- Audit checks:
- [ ] The change does not cause any unnecessary Kubernetes audit events
- [ ] The change requires changes to Kubernetes audit policy
- Falco checks:
- [ ] The change does not cause any alerts to be generated by Falco
- Bug checks:
- [ ] The bug fix is covered by regression tests
- Config checks:
- [ ] The schema was updated
Is there a reason why we want to keep multiple versions of this at all times?
Else we could move it to
docs/sbom.mdand state in the document for which version it has been validated for.Please add a top level heading "Compliant Kubernetes Apps - SBOM" or something.
I was thinking the same, that the SBOM would reflect the current repository, so if you checked out an old tag the SBOM would reflect that version. Although if it wasn't automatically updated when the repository changed that could become confusing so maybe it's something we could add later on.
LGTM! Just wondering why it isn't in the docs folder?
Sure, I don't see any problem moving it under docs/sbom
Also do we want to write a comment in the document for which commit of the repository it was generated for with date?
I'm fine with adding a note in the document saying that it was based of off v0.37.0.
I'll merge this now. It's not perfect and there are things that need to be sorted out (like how to properly handle multiple helm charts with the same name etc) and there's probably some error(s) in this one, but this is a start and it can only get better from here :)