minder
Software Supply Chain Security Platform
Some packages have CVEs that will never be fixed. This might mean that updates bumping that package as a dep would perpetually be marked as changes requested by minder. We...
This issue is about Minder processing all opened pull requests when a new repository is registered. The idea is that when we register a repository to list all opened PRs...
This issue is a placeholder for fixing the missing items for supporting all user management features in sub-projects. Currently this is partially supported, i.e. one user can invite another user...
Minder should be able to, at least, check for a published SBOM in the GitHub release assets and/or other well-known locations or by following the breadcrumbs in SECURITY_INSIGHTS.yaml.
Minder can look for attestation only from a small number of sources. We should expand the discovery methods of attestations to accommodate a wider section of the diversity of release...
We should augment Minder's capabilities to recognize more signing schemes in addition to Sigstore-signed images. Perhaps we could do a short survey of popular OSS projects and jot down the...
Minder should check pull requests and recurrently on the repo for dangerous workflows. For example, those that execute code at the pull request target. At PR time we could block,...
We should create a rule/remediation that updates the release part of SECURITY_INSIGHTS.yaml with data from the last release cut from the repo.
Minder has visibility into the repository data, so we could create a remediation that keeps [SECURITY_INSIGHTS.md](https://github.com/ossf/security-insights-spec) up to date.
The `EntityInfoWrapper.GetEntityDBIDs()` function returns UUIDs for three specific entity types: repo, artifact, and pull request: https://github.com/stacklok/minder/blob/e77e1427679fc3b18111cfc565559dc661ab789f/internal/engine/entities/entity_event.go#L252-L255 To expand Minder in the future to handle other entity types we should replace...