[Initiative]: CI Dependency Recipe Card #2028
Open
Labels
kind/initiative: An initiative or an item related to initiative processes
needs-group: Indicates an issue or PR that has not been assigned a group (toc or tag/foo label applied)
needs-triage: Indicates an issue or PR that has not been triaged yet (has a 'triage/foo' label applied)
tag/security-and-compliance: TAG Security and Compliance
Name
CI Dependency Recipe Card
Short description
Create a short "recipe card" that provides guidance for project maintainers about CI dependencies.
Responsible group
TAG Security and Compliance
Does the initiative belong to a subproject?
No
Subproject name
No response
Primary contact
Marina Moore (@mnm678)
Additional contacts
No response
Initiative description
This initiative from the Software Supply Chain Security TCG will create a short "recipe card" with practical guidance about securing CI dependencies. This guidance will be narrowly scoped to CI dependencies, and will discuss how to choose these dependencies and how to respond to vulnerabilities in them. The goal is to focus on concrete steps and advice for project maintainers, including specific tooling and processes. The recipe card will link to other, more in-depth documents like the TAG Security and Compliance Software Supply Chain Security Best Practices Guide where needed for those looking to learn more. The recipe itself will focus on guidance and action.
If this is successful, we hope to create several other short "recipe cards" for software supply chain security to break down this complex topic into small, actionable steps.
Deliverable(s) or exit criteria
A 3-4 page recipe card, with an accompanying blog post on the CNCF blog
Tracking document for meeting and progress
https://notes.cncf.io/AJENlss7T3ScPjG7_UYuXA