
Kubernetes-Security-Slam-2023

Open SD-13 opened this issue 2 years ago • 10 comments

Open tasks for the Kubernetes Security Slam 2023

  • [ ] Ensure SBOMs are generated by Kubernetes BOM (task 3) @SD-13
  • [ ] Ensure SLSA Attestations are generated when possible (task 4) @shafeeqes
  • [ ] Ensure the project has a VEX Feed (task 5) @shafeeqes https://github.com/kubernetes/kube-state-metrics/pull/2275 https://github.com/kubernetes/kube-state-metrics/pull/2276
  • [x] Add project to CLOMonitor / Run tests for Clomonitor (task 7) @jescalada https://github.com/cncf/clomonitor/pull/1380
  • [ ] Check for Binary Artifacts (task 8)
  • [ ] Review the code review (task 9)
  • [ ] Dangerous Workflow (task 10)
  • [x] Security Insights (task 11) @dalehenries https://github.com/kubernetes/kube-state-metrics/pull/2278
  • [ ] Dependencies policy (task 12)
  • [ ] Dependency update tool (task 13)
  • [x] Token Permissions (task 16) @dalehenries https://github.com/kubernetes/kube-state-metrics/pull/2279

@puerco


Open questions

  • [ ] https://github.com/kubernetes/kube-state-metrics/pull/2275#pullrequestreview-1785147109
  • [ ] https://github.com/kubernetes/kube-state-metrics/pull/2277#issuecomment-1858759316
  • [ ] https://github.com/cncf/clomonitor/pull/1380#pullrequestreview-1785143476

SD-13 avatar Dec 15 '23 16:12 SD-13

/triage accepted

mrueg avatar Dec 15 '23 16:12 mrueg

I'd like to tackle Task 7!

jescalada avatar Dec 15 '23 17:12 jescalada

Please take a look at the CLOMonitor .yaml PR here: https://github.com/cncf/clomonitor/pull/1380

Thank you!

jescalada avatar Dec 15 '23 17:12 jescalada

Hey @mrueg @dgrisonnet @rexagod, I want to know whether kube-state-metrics is generating an SBOM as part of the release pipeline. Where should I look for the release pipeline?

SD-13 avatar Dec 15 '23 20:12 SD-13

I looked into adding the OpenSSF Best Practices badge to the README, but I think a maintainer would need to first request the badge at https://www.bestpractices.dev/

dalehenries avatar Dec 15 '23 21:12 dalehenries

> Hey @mrueg @dgrisonnet @rexagod, I want to know whether kube-state-metrics is generating an SBOM as part of the release pipeline. Where should I look for the release pipeline?

We're currently not generating it. The release process is documented here: https://github.com/kubernetes/kube-state-metrics/blob/main/RELEASE.md. If this is something that can be attached to a GitHub release, it should be triggered by a release creation and ideally execute a GitHub Action that attaches the SBOM.

mrueg avatar Dec 15 '23 21:12 mrueg

I think https://github.com/advanced-security/gh-sbom (SBOM generation) coupled with https://github.com/anchore/sbom-action (SBOM pushes) should help accomplish the SBOM workflow.

rexagod avatar Dec 16 '23 08:12 rexagod

FYI Appended some open questions to the issue description.

rexagod avatar Dec 16 '23 08:12 rexagod

I think the following tasks are already done:

  • Check for Binary Artifacts (task 8) (no binaries found in the repo)
  • Review the code review (task 9) (all changesets reviewed)
  • Dangerous Workflow (task 10) (no dangerous workflow patterns detected)
  • Dependency update tool (task 13) (update tool detected, dependabot)

I think the following tasks are still missing something:

  • Token Permissions (task 16)

[Screenshot: Kube State Metrics, 2024-04-24 09:41]

What do you think about publishing the OpenVEX data with the remaining release artifacts?

@SD-13 do you mind if I assign "Ensure SBOMs are generated by Kubernetes BOM (task 3)" to me?

ricardoapl avatar Apr 24 '24 08:04 ricardoapl
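The release-triggered workflow that mrueg describes above (generate an SBOM when a release is created and attach it to the GitHub release), combined with the least-privilege token permissions of task 16 and the idea of shipping the OpenVEX data alongside the other release artifacts, could look like the following. This is an added example written for this page, not a workflow from the kube-state-metrics repository or from any of the linked PRs. It uses the Kubernetes `bom` tool (sigs.k8s.io/bom) because task 3 asks for SBOMs generated by Kubernetes BOM; mrueg suggested gh-sbom plus anchore/sbom-action instead, and either would slot into the same step. The file name `openvex.json`, the output file name, the action version tags and the SPDX namespace URL are assumptions.

```yaml
# .github/workflows/release-sbom.yml (added example; assumed file name)
name: release-sbom

on:
  release:
    types: [published]

# Task 16: start from a read-only GITHUB_TOKEN at the workflow level ...
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    # ... and grant write on "contents" only to the one job that must
    # attach assets to the release. No other scope is needed here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4        # assumed tag; pin to a commit SHA in a real repo

      - uses: actions/setup-go@v5        # assumed tag; pin to a commit SHA in a real repo
        with:
          go-version-file: go.mod

      - name: Install Kubernetes BOM
        run: go install sigs.k8s.io/bom/cmd/bom@latest

      - name: Generate SPDX SBOM for the source tree (task 3)
        run: |
          # --dirs . walks the checkout (go.mod is analysed, .gitignore respected);
          # the namespace URI is an assumption and only needs to be unique per document.
          bom generate \
            --namespace "https://github.com/${GITHUB_REPOSITORY}/releases/${GITHUB_REF_NAME}" \
            --dirs . \
            --format json \
            --output "kube-state-metrics-${GITHUB_REF_NAME}.spdx.json"

      - name: Attach SBOM and OpenVEX feed to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # On a release event GITHUB_REF_NAME is the release tag.
          gh release upload "$GITHUB_REF_NAME" \
            "kube-state-metrics-${GITHUB_REF_NAME}.spdx.json" --clobber
          # openvex.json is an assumed location for the VEX feed (task 5);
          # skip quietly if the repo keeps it elsewhere.
          if [ -f openvex.json ]; then
            gh release upload "$GITHUB_REF_NAME" openvex.json --clobber
          fi
```

Two things a reviewer would check on a workflow like this: Scorecard's Token-Permissions check looks at the top-level `permissions:` block, so the read-only default must be declared there and the `contents: write` kept at job level; and its Pinned-Dependencies check expects the `uses:` lines to reference commit SHAs rather than the `@v4`/`@v5` tags shown here, which are placeholders.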

@ricardoapl Please feel free to assign it to yourself!

SD-13 avatar Apr 24 '24 09:04 SD-13